[HOW TO] Use public wifi with NO security risks! Protect data!

basketthis
Nov 22, 2010
Secure shell, more commonly known as SSH, allows two devices to communicate over a secure, encrypted protocol.

Scenario: You're in a public restaurant, hotel, street, etc. and want to use the free wifi connection to access the internet, your bank account app, Gmail, and Facebook, but don't want to compromise your security. "Why not use 3G?" you say. Using wifi will save battery life and increase internet speed for apps that are data intensive, i.e., Netflix, Pandora, etc. 3G also isn't always the best option, as 3G is dependent on towers and signal strength.
Solution: Create a secure connection to a trusted host to route all of your traffic from your phone!

Okay, at this point, if it is not clear what is being discussed here, please do a little reading on ssh tunneling. There are many capabilities and benefits to it. Mainly, securing all of the information being sent over a connection to a secure, trusted connection.

This writeup will contain the information needed to set up an Android phone properly. Setting up the ssh server, or your own home ssh server, is another topic. This is not for the inexperienced; however, I have attempted to make this tutorial for the phone as user-friendly as possible. Running an ssh connection from home is free and requires some setup. Using a host requires a small monthly payment and doesn't require any setup.

Issue: SSH connections with passwords can be sniffed and "stripped" for information and the information can be read by hackers. Even worse, hackers could ghost the connection and get into all of the user's personal information, codes, account info, etc.
Solution: Create the SSH connection using public/private keys. A side benefit to the use of keys is not having to type in a password every time the phone is connected to the server.

Issue #2: Some public/private keys can be deciphered and decrypted to obtain the contained information.
Solution: Use only RSA keys with 4096 size, creating the unlikely possibility that anyone can decipher your information. (The two types are DSA and RSA, of which DSA is less secure; RSA is said to be uncrackable.) reference (Do not follow the instructions in the link; it is only provided as an explanation of the two algorithms.)

Issue #3: Currently, solutions offering ssh public/private key capabilities do exist; however, they only allow for ssh or terminal interaction. Very command-heavy interface, which is not desirable.
Solution: Use a way that will route all phone traffic through the secure connection and to an end host, then to the internet. Therefore, use of Android apps is normal and no command line/terminal interface is necessary. Very user friendly. :)


There is a way to create a completely secure connection. One that cannot be sniffed (technically, it can be sniffed on an open connection, but nothing is gained from the sniffing because the information is going through a secure tunnel) for information, nor can it be decrypted. In order to do this on an Android phone, there are two processes that need to be completed. The SSH connection must be established with SSH keys and then all of the traffic must be forwarded through the tunnel. The following instructions provide the process to accomplish this. There are other ways of doing this. This is the most user-friendly method of doing this.



The first part of this tutorial will explain how to create the connection using ssh and the connectbot app to access the ssh server and transfer the ssh key.
The second part of this tutorial will explain how to tunnel all of the Android phone traffic through the ssh connection created by the first part.

Requirements:
-SSH server/host computer
-Rooted phone
-ROM with iptables binary and NAT supported (if your ROM doesn't have this, ask your dev to support it ;))
-Follow instructions provided
-Two downloads provided
NOTE: There is a way to have this connection tunnel through a normal home computer. It involves setting it up as a server. This could compromise security if not done properly. However, there are options to purchase a secure shell at low cost. Again, these instructions will not include how to set up these servers, but how to connect the Android device to the server. This tutorial is assuming that the ssh server is up and running prior to starting the following instructions.
Re: [HOW TO] Use public wifi with NO security risks! Protect data

First, the IP address for the host connection is needed. If using a home computer, the DNS will be used. Refer to this to find the DNS of a home computer.

Download the connectbot app from the market and the AutoProxy app below.

Load them to the sdcard of the phone and install them.

Open Connectbot. Hit the key on the phone to bring up the menu. Select 'Manage pubkeys'. Hit the same key to bring up the menu again and select 'Generate'. Type anything into the nickname. Make sure that 'RSA' is selected. Type 4096 into the 'Bits:' box or slide the slider to 4096. Type in a password. It is suggested to make a difficult password, as this allows access to the keys being used to access the secure connection. There is a tradeoff involved in this and it is up to the user to decide how difficult the password will be depending on frequency of use, accessibility of the password, and the probability that the key will be stolen and the passkey will be brute forced (highly unlikely). 'Load key on start' and 'Confirm before use' are up to the user to select or deselect. Then tap 'Generate'. Complete the process of sliding your finger over the blue box until 100% is reached and wait for the key to be generated. Long press on the key that will be used with this particular server. Select 'Copy public key'.

Using wifi from this point on is recommended.
Once the key is generated, a connection needs to be established. The key needs to be loaded to the server's key directory so that the server can check for and verify when trying to connect. From the connectbot main menu, select 'ssh' from the dropdown menu. Type in the username@hostname: port without the space between : and the port. It is written that way because the forum wants to make :,port into :port. (only use port if your port is different from the default ssh port 22) and select 'done' on the keyboard.

The phone will connect to the server. Enter the password to log in. Now that the connection is established, we can transfer the public key to the server to allow the phone to log in securely without using a password.

Commands are:
cd .ssh
vi authorized_keys

The prompt is now in vim editor. Paste the key into the prompt. Now this process is a PITA to do correctly so have some patience until the process is done correctly. When I did mine, it wouldn't completely paste all of the text and left out the very first part of the key which was a single letter 's'. Took me a few minutes to figure out but simply adding the 's' to the beginning fixed the issue. So, make sure that the beginning starts with 'ssh-rsa' without the ''. For help with the commands and how to use vim editor use: this. Now save the file using :wq

Verify the key was written with:
cat authorized_keys

Now, long press on the connection and select 'Edit host' then 'Use pubkey authentication' and select the key for this server. The passkey for the key will need to be entered and unlocked from the 'Manage pubkey' menu or typed in when logging into the server using the key.

Now, tap the server to select it and connect.
NOTE: If the connection doesn't work, check the key. Paste it into a text message prompt or something and look at the key to be sure it matches the results of the 'cat' command. If not, start over and complete the step above until successful. :)

Once the connection is successful, we need to set up the local forwarded port. Long press on the connection in connectbot that will be used. Select 'Edit port forwards'. Hit the key on the phone to bring up the menu and select 'Add port forward'. Nickname can be anything. Type: Dynamic (SOCKS). Source port: 8080 (this can be any number; I chose 8080, choose something that you can remember. Usually a 4 digit number is good for general purposes). Save it and make sure there is not a line through it in the port forward menu (tapping on the port forward will enable and disable the port. A line through the port signifies that the port is disabled).

There is a great video from the developer of connectbot here: http://www.youtube.com/watch?v=i0wBmC-5Vu0 showing how to load the RSA key to the server and connect.
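For anyone doing the same setup from a desktop shell instead of by hand in vim, here is an added example (my own, not from the original post or from connectbot/AutoProxy) that covers the same three steps: generate a 4096-bit RSA key, append the public key to the server's authorized_keys with the permissions sshd expects, and open the dynamic SOCKS forward on port 8080. It also includes a check for the truncated-paste problem described above (the leading 's' of 'ssh-rsa' going missing): a valid ssh-rsa line must start with the key type and its base64 blob must carry the same type name in its header. The user@host, port and key path are placeholders, and the key lines at the bottom are constructed (the blob is only the standard ssh-rsa prefix, not a real key).

```shell
#!/bin/sh
# Added example, not from the original post. USER@HOST, PORT and the key file
# name are hypothetical placeholders; replace them with your own.

# Generate a passphrase-protected 4096-bit RSA keypair (ssh-keygen prompts for it).
gen_key() {
    ssh-keygen -t rsa -b 4096 -f "$HOME/.ssh/id_rsa_tunnel" -C "android-tunnel"
}

# Append the public key to the server's authorized_keys over the existing
# password login. umask 077 gives ~/.ssh and the file the permissions sshd
# requires; this is what ssh-copy-id does under the hood.
install_key() {
    user_host="$1"; port="${2:-22}"
    ssh -p "$port" "$user_host" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' \
        < "$HOME/.ssh/id_rsa_tunnel.pub"
}

# Check that a pasted authorized_keys line was not truncated. The first word
# must be "ssh-rsa", and the decoded blob must start with a 4-byte length 7
# followed by "ssh-rsa" (RFC 4253 wire format), so a missing leading
# character in either part fails the check.
check_key_line() {
    line="$1"
    set -- $line
    type="$1"; blob="$2"
    [ "$type" = "ssh-rsa" ] || return 1
    header=$(printf '%s' "$blob" | base64 -d 2>/dev/null | head -c 11 | tail -c 7)
    [ "$header" = "ssh-rsa" ]
}

# Open a dynamic (SOCKS) forward on local port 8080 with no remote shell (-N),
# authenticating with the key only.
open_tunnel() {
    user_host="$1"; port="${2:-22}"
    ssh -p "$port" -i "$HOME/.ssh/id_rsa_tunnel" -o PasswordAuthentication=no \
        -N -D 8080 "$user_host"
}

# Constructed sample lines: the blob is the standard ssh-rsa prefix only.
GOOD_LINE="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQ== phone"
TRUNCATED_LINE="sh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQ== phone"

if check_key_line "$GOOD_LINE"; then echo "good line accepted"; fi
if ! check_key_line "$TRUNCATED_LINE"; then echo "truncated line rejected"; fi
# Real use (uncomment with your own host):
# gen_key && install_key USER@HOST PORT && open_tunnel USER@HOST PORT
```

Run check_key_line against the output of the 'cat authorized_keys' step; if it rejects the line, the paste lost characters and the key needs to be re-added. open_tunnel gives you the same localhost:8080 SOCKS port that the connectbot port forward does.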
Re: [HOW TO] Use public wifi with NO security risks! Protect data

The app AutoProxy needs to be configured to route all of the Android phone traffic through the ssh tunnel created in the first part. Without doing this, none of the traffic from the Android phone will be securely protected through the tunnel. It will continue to use the unsecured public wifi connection until this app is up and running.

In AutoProxy, hit the key on the phone that brings up the menu. Select 'Add New Proxy'.
For 'Proxy Host' enter: localhost
For 'Proxy Port' enter: 8080 (in my example or the number that you chose earlier)
For 'Proxy Type' select: socks

Now all internet traffic from the phone is routed through the secure SSH connection to a secure connection with a key that can not be decrypted! :D




I would like to thank: daveba for creating the original TransProxy app. Moronig for taking the TransProxy project and turning it into the AutoProxy app. Kenny Root and Jeffrey Sharkey for the connectbot app!


FAQ:
Q: Why couldn't I just use SSHTunnel app to do this same thing?
A: The SSHTunnel app will create a connection to the server using only a username and password login process. Disabling the username and password process on the server is one of the greatest ways to increase security on the server. Not only that, it becomes bothersome to type in the username/password combination time after time.

Q: Can I just use AutoProxy by itself?
A: AutoProxy only allows for username and password login. Again, this can be considered a security vulnerability and the most secure method is written out here.

I will attempt to keep this thread up-to-date including the FAQ so that this process will be as clear as possible and the best solutions will be provided.
And, as with any of my writeups, I welcome improvements or corrections!! Will add any contributions to the appropriate post.
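Since the FAQ says disabling the username/password login on the server is one of the best things you can do once key login works, here is an added example (my own, not from the original post) of checking that on the server side. sshd takes the first value it reads for each keyword, so the check reads the config the same way and treats anything under a Match block as conditional. The config files below are constructed in a temp directory for the demo; on a real server the file is /etc/ssh/sshd_config, and the defaults assumed for missing keywords are OpenSSH's (password and challenge-response auth on, pubkey auth on).

```shell
#!/bin/sh
# Added example, not from the original post. Sample configs are constructed here;
# point the functions at /etc/ssh/sshd_config on a real server.

# Print the effective value of one sshd_config keyword (lowercased). sshd uses
# the FIRST value it reads for a keyword, skips comment and blank lines, and
# everything below a Match block is conditional, so the scan stops there.
sshd_value() {
    file="$1"; key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print tolower($2); exit }
    ' "$file"
}

# Return 0 only if the server forces key-based login: password auth off,
# challenge-response (keyboard-interactive) auth off, public keys on.
# Unset keywords fall back to OpenSSH defaults (yes for all three).
key_only_login() {
    file="$1"
    pw=$(sshd_value "$file" PasswordAuthentication)
    cr=$(sshd_value "$file" ChallengeResponseAuthentication)
    pk=$(sshd_value "$file" PubkeyAuthentication)
    [ "${pw:-yes}" = "no" ] || return 1
    [ "${cr:-yes}" = "no" ] || return 1
    [ "${pk:-yes}" = "yes" ]
}

# Constructed sample configs for the demo.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

cat > "$TMPD/weak" <<'EOF'
# constructed sample: the commented-out line has no effect, so password
# login is still allowed by default
Port 22
PubkeyAuthentication yes
#PasswordAuthentication no
EOF

cat > "$TMPD/hardened" <<'EOF'
# constructed sample: key-only login. The duplicate PasswordAuthentication
# at the end is ignored because sshd keeps the first value it reads.
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes
EOF

for f in weak hardened; do
    if key_only_login "$TMPD/$f"; then
        echo "$f: key-only login enforced"
    else
        echo "$f: password login still possible"
    fi
done
```

After editing sshd_config, keep your existing session open, reload sshd, and confirm from the phone that the key login still works before closing it; if the key is wrong you will otherwise have locked yourself out.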
Re: [HOW TO] Use public wifi with NO security risks! Protect data

Thanks for this. I got this to work after some time, but was led here originally trying to get SSHTunnel working with public key, since the author claims it supports it now (contrary to your FAQ). Well, I couldn't get that to work, using the limited info I could find on it, so I gave connectbot + AutoProxy a shot.

One thing about the authorized_keys file edit, I was never able to create the file successfully over the remote connection, mostly due to inconsistent response to entering the :wq command in vim. Not sure if it had to do with my hardware keyboard (EVO Shift). I finally got around this by creating the text file on the server (my proxy/ssh server is a home computer running cygwin) with notepad++. Not sure if that is an option on a hosted shell, but I would assume creating it locally and uploading it might be an option.
 
Re: [HOW TO] Use public wifi with NO security risks! Protect data

Here's my very delayed response. Lol: That was an issue for me too. I wasn't sure if the instance was particular to my phone/setup, so it made more sense to refer to the "generic" way in the instructions. Glad you figured it out!
An author can claim anything. For it to actually work is another story. :p