Routing Android traffic through the TOR network

Termux is becoming a tool I use more and more, so I started looking into how I could secure it so that only I can have access to it.

I've also added another small layer of security so that I can lock some commands with my fingerprint.

Let's see.

 

INFRASTRUCTURE


Install OpenVPN

INSTALLING OPENVPN


Install OpenVPN

 

Install anonsurf

 

Modify anonsurf

 

# Security fingerprint
echo -e "\n----==== SYSTEM LOCKED ====----\n"
termux-fingerprint | grep -q "AUTH_RESULT_SUCCESS" && {
    echo -e "\n\e[32m     -= ACCESS GRANTED! =-  \e[0m\n"
} || {
    echo -e "\n\e[31m     -= ACCESS DENIED!! =-  \e[0m\n"
    sleep 1
    exit 1
}

.........

This will mean that every time we open a session on Termux, it will ask for our fingerprint to validate that it is us. Obviously, this won't work if you don't have your fingerprint configured on your smartphone.

SECURING CUSTOMISED ALIASES


We can also create aliases at the end of the .zshrc file to secure individual commands.

For example:

.........

# MY FUNCTIONS
check_finger_access() {
    local cmd="$1"
    shift

    # if/else so that a non-zero exit from the wrapped command
    # is not reported as a denied fingerprint check
    if termux-fingerprint | grep -q "AUTH_RESULT_SUCCESS"; then
        echo -e "\n\e[32m> ACCESS GRANTED <\e[0m\n"
        command "$cmd" "$@"
    else
        echo -e "\n\e[31m> ACCESS DENIED <\e[0m\n"
        return 1
    fi
}

# MY ALIAS COMMANDS

alias nano='check_finger_access nano'
alias bash='check_finger_access bash'

When we go to execute the nano or bash commands, Termux will ask us to check the fingerprint.
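
Added example (not part of the original post): a fail-closed variant of the fingerprint gate that matches only the auth_result field and passes the wrapped command's exit status back to the caller. It assumes termux-fingerprint prints JSON with an "auth_result" field; FINGERPRINT_CMD, fingerprint_ok, guarded_run and the fake_* stand-ins are hypothetical names, and the JSON samples are constructed.

```shell
# Added example, not the author's code.
# FINGERPRINT_CMD is a hypothetical override so the gate can be exercised
# off-device; on the phone it defaults to termux-fingerprint.
FINGERPRINT_CMD="${FINGERPRINT_CMD:-termux-fingerprint}"

# Return 0 only when the auth_result field itself reports success.
# Assumption: the tool prints JSON containing "auth_result": "<VALUE>".
# A missing tool produces no output, so grep fails and access is denied.
fingerprint_ok() {
    $FINGERPRINT_CMD 2>/dev/null |
        grep -Eq '"auth_result"[[:space:]]*:[[:space:]]*"AUTH_RESULT_SUCCESS"'
}

# Run "$@" only after a successful check and hand back ITS exit status.
# 126 is used here for "denied" so callers can tell it from a command error.
guarded_run() {
    if fingerprint_ok; then
        command "$@"
    else
        printf '> ACCESS DENIED <\n' >&2
        return 126
    fi
}

# --- constructed stand-ins for termux-fingerprint (sample data) ---
fake_success() {
    printf '{\n  "errors": [],\n  "failed_attempts": 0,\n'
    printf '  "auth_result": "AUTH_RESULT_SUCCESS"\n}\n'
}
fake_failure() {
    printf '{\n  "errors": ["constructed error text"],\n  "failed_attempts": 5,\n'
    printf '  "auth_result": "AUTH_RESULT_FAILURE"\n}\n'
}
# Success string present, but not in the auth_result field: must be denied.
fake_misplaced() {
    printf '{"errors": ["AUTH_RESULT_SUCCESS"], "auth_result": "AUTH_RESULT_UNKNOWN"}\n'
}
```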

 

SCRIPT TO ENABLE / DISABLE CHECKING ON ALIASES


In addition, we can create a script to change whether we want to enable or disable these aliases so that we are only prompted for the fingerprint when opening Termux:

#!/bin/bash

# File where the changes will be applied
ZSHRC_FILE="$HOME/.zshrc"

# Pattern to search for
PATTERN="='check_finger_access "
EXCEPTION="switch_finger_check.sh"

# Check whether there are already commented lines that match the pattern
if grep -q "^#.*$PATTERN" "$ZSHRC_FILE"; then
    # Uncomment the lines that contain the pattern, but not the exception
    sed -i "/^#.*$PATTERN/ {/$EXCEPTION/!s/^#//}" "$ZSHRC_FILE"
    echo -e "> Security fingerprint \e[32menabled\e[0m"
    echo -e "> Restart needed to apply changes\n"
else
    # Comment out the lines that contain the pattern, but not the exception
    sed -i "/$PATTERN/ {/$EXCEPTION/!s/^/#/}" "$ZSHRC_FILE"
    echo -e "> Security fingerprint \e[31mdisabled\e[0m"
    echo -e "> Restart needed to apply changes\n"
fi

We then create another alias that also requests the fingerprint before enabling or disabling the fingerprint check:

alias sectermux='check_finger_access bash /data/data/com.termux/files/home/Scripts/switch_finger_check.sh'

 

DISCLAIMERS


  • Blocking by alias is not a foolproof method. For example, if you want to block editing of files by creating an alias with nano, any user could bypass the fingerprint check by using any other editor or even modifying lines with sed or awk.
  • If you have an SSH server in Termux, when you try to connect remotely, it will ask for the fingerprint in Termux (although you will probably have to open Termux before you can connect again). It would work like a 2FA.
