No more “Root” features in Orbot… use Orfox & VPN instead!

Since I first announced the availability of Orbot: Tor for Android about 8 years ago (wow!), others and I have been working on various methods to make the capabilities of Tor available through the operating system. This post is to announce that as of the next, imminent release, Orbot v15.5, we will no longer be supporting the Root-required “Transproxy” method. This is due to many reasons.

First, it turns out that while allowing applications to get “root” access on your device seems like a good idea, it can also be seen as a huge security hole. I am on the fence myself, but considering that the ability to access root features hasn’t been standardized as part of Android, which 8 years ago I hoped it would be, it means there are a whole variety of ways that this capability is managed and safeguarded (or not, in most cases). At this point in time, given the sophistication we are seeing in mobile malware and rootkits, it seems like a capability that we did not want to focus time and energy on promoting.

Second, for those who do want to use root features, and know what they are doing, there are a bunch of other apps that do that job better than Orbot did. I admit, we let our code in that area degrade a bit, as the dev team themselves moved away from phones with root features. So, instead, if you really want to do cool things with iptables rules, you can use AFWall+, available on F-Droid and Google Play.

In order to make AFWall+ work with Orbot, you can follow Mike Perry’s excellent “Mission Impossible Android” guide in which he provides “DroidWall Scripts” necessary to enable automatic Tor routing on boot. You can also check out the sadly no longer maintained, but useful, Orwall app which was meant to take on all the root features of Orbot.

Third, we really, really think it is a bad idea to just send all of the traffic of your device through the Tor network. While it sounds like a great idea in theory, much like many “magical” Tor router kickstarter projects, it turns out that unless you can be assured an app is using TLS properly, then there is a chance that bad things could happen to your traffic as it exits the Tor network. Rather than promote some kind of auto-magical “enable Tor for my whole device”, we want to focus on ways to enable specific apps to go through Tor, in a way we can ensure is as safe as possible.

For instance, we now have an excellent browser app, Orfox, that is based on Tor Browser, and works perfectly with Orbot. If you just want to access the web and onion services, like the new New York Times onion at https://www.nytimes3xbfgragh.onion/, then just use Orfox. There is no need for any fancy rooting or transproxying. There are also many other apps that support routing through Orbot directly, such as Conversations.im, Facebook for Android, DuckDuckGo, F-Droid, OpenArchive and many more to come! If you are interested in enabling your app to work with Orbot, check out our NetCipher SDK, which makes it easy to do just that.

Fourth, Orbot has for some time supported use of Android’s VPN features as a way to tunnel traffic through Tor. You just open the left-side menu, and tap “Apps VPN Mode” or tap on “Apps…” on the main screen. Choose the apps you want to run through Tor, press the back button, and then the VPN will start up, rerouting outbound traffic back through the local Tor port. This method is 100% supported by Android, and requires no vulnerabilities or exploits of your device to gain root access.


Orbot Apps VPN view, home screen with Apps… button, and VPN sidebar

I know that even with all of these justifications, some users will be disappointed with the fact we have removed root features from Orbot. Perhaps that will motivate some to reignite development of Orwall, or maybe help us make the VPN features in Orbot work even better. Another route is to support Tor’s Android phone prototype or perhaps integrate Tor “root” features directly into a community Android OS project like Copperhead or Legacy. We would be happy to see all of these happen.

For us, though, removing root means we can focus on making Orbot more streamlined, more stable, and more compatible with Android, for our 2 million+ active users, who are mostly focused on finding an easy solution for unblocking sites and apps, and allowing them to communicate and browse freely without fear of reprisal.

17 comments for “No more “Root” features in Orbot… use Orfox & VPN instead!”

  1. Melody
    2017/10/28 at 7:23 pm

    #booooooooooooooooooooooooooooo!

    This is a silly reason to drop support for the root access method in my opinion, they just got bored of having rooted devices (ostensibly for their own personal reasons, no less valid) and decided to stop development on this aspect of the app. There’s no *security concerns* here. Rooted users know what the hell they’re doing usually. There’s no good reason listed in this posting, only excuses.

    Hell I wouldn’t even be offended if they’d only said “It’s too hard to maintain this feature, moving forward it’s gone”, not this platitudinous mess of sad excuses.

    Worse is this is going to be a disservice to users, because they won’t update due to this stupid decision. I certainly won’t, and that pretty much sucks because that means I have to wait for someone else to fork Orbot and support the root method and possibly put myself at risk in the process. All to keep a feature that’s not incredibly hard to keep functional, even if it’s not recommended to most users.

    • n8fr8
      2017/10/30 at 3:52 pm

      If you are a rooted user who knows what they are doing, then you should be using the AFWall+ / DroidWall method. That project’s entire focus is on managing iptables rules, and they do it much better than we ever did.

  2. kgbme
    2017/11/02 at 6:57 pm

    I’m behind you 100% and what was said (& more) makes perfect sense. Only, if you would *fix* Orfox… There are, simply, too many about:config which have NOT been properly configured (way too many to list, latest build didn’t even have the punycode hack covered), heh. 🙂

    • Hans-Christoph Steiner
      2017/11/10 at 8:24 am

      We are working hard on making Orfox. The only limit to getting things fixed is people’s time. The more people that help with Orfox, the better it will be.

  3. GhostDZ
    2017/11/19 at 1:30 pm

    You can also edit only the APN
    set proxy 127.0.0.1 port 8118
    save
    this works for all app browsers 100/100

    • n8fr8
      2018/01/05 at 11:59 am

      Sure, or just use Orfox browser!

  4. tekwyzrd
    2017/11/22 at 10:33 pm

    So, discontinue support for a useful feature, force users to paid or ad-laden vpn service/app, and render tor for android nearly useless… great decision. Uninstalling.

    • n8fr8
      2018/01/05 at 11:59 am

      Orbot has a free VPN built-in. You don’t need to use a paid or ad-laden service. Just turn on VPN in Orbot instead!

  5. 2017/11/25 at 4:32 pm

    I’m new to this and I haven’t got the foggiest clue of what I’m doing…. I’ve downloaded orbot and orfox together and I don’t feel it’s configured properly as I can’t stream videos from YouTube. I can’t find any help and nothing makes sense to me. The writing on the first browser page is green and says I’m connected with an address but I’ve noticed I should be yellow? Any help?

    • n8fr8
      2018/01/05 at 11:58 am

      Sounds like you are using it right, though streaming videos with youtube through Orfox browser isn’t really a priority feature for us, for now. That said, you might try using an app like “NewPipe” which is an open-source YouTube app, and then enabling the Orbot Apps VPN feature for that app.

      Can I ask why you are streaming YouTube through Orbot? Is YouTube blocked on your network?

  6. Mikey
    2017/12/09 at 12:09 pm

    Since the first day I got my new smartphone, almost two years ago, I set AFWall+ with Orbot + Transproxy + Orfox and yes, as I am just using a few selected applications ALWAYS over WiFi (and I had never a SIM card in the phone), I am routing all my Internet traffic through the Tor network. Some weeks ago I have installed Orbot 15.5.1-RC-2, since then my Internet speed went down, for example, my current download speed when I update apps on Aptoide is rarely over 550Kbps. When I was using the previous Orbot with Transproxy, the download speed when I update apps on Aptoide was usually 3.1 – 6.1Mbps, mostly over 5Mbps. Moreover, with the current version most apps lost connection to the Tor network very often.

    • n8fr8
      2018/01/05 at 11:57 am

      You are using the VPN features now in Orbot? We are working to improve the performance of the VPN code in Orbot, but I can’t imagine it is 10x slower than transproxying.

  7. denny
    2017/12/26 at 5:25 am

    hi, i’m new here but have used Orbot almost one year w/Android for crypto coins, Verge specifically. every so often, like now, the wallet app won’t connect. it’s all trial and error but usually connects various messing with VPN on/off —- etc, etc. if you can publish an item on this topic??

    edit… i had to remove my website. apparently my writing looks like spam. i really hate that intrusion in my personal life. bot’s blocking my moves, totally destroys me.

    • n8fr8
      2018/01/05 at 11:55 am

      Perhaps the wallet app could add direct SOCKS or HTTP proxy support, so you can configure it to work with Orbot w/o needing the VPN?

  8. LeonidMew
    2017/12/30 at 11:21 am

    Is it possible to configure tor software on android in such a way that only specified sites’ http traffic goes through tor, and all other goes directly?

    • n8fr8
      2018/01/05 at 11:55 am

      You can do specific apps, but not specific sites. We could recommend using Orfox browser for some sites, and Chrome or another non-tor browser for others.

  9. Tim
    2018/01/05 at 6:40 pm

    Half the comments that are negative are misunderstanding how the new feature set works. If you were using transproxy the ONLY way to do it safely was with the firewall config ip tables. That is why every how to guide used it. Without it you always had apps that leaked and there was always a race condition possible at every startup.

    So really it was nothing more than illusion of security. Basically rooted users if they are doing it correct have lost nothing as they should have been using ip tables which bring the process back into the kernel and not a side app. The latter of which is a huge mess in android. Its ecosystem is a real mess and only recently are real efforts being made to fix it.

    So I do not see what all the bitching is about? Further if you do not like it you can always contribute and write your own code or help fund it. What I find is the biggest complainers are usually the total freeloaders that never offer any help beyond wanting to be spoon-fed and expecting everything to be free. No not everyone but the vast majority. They tend to be the first when challenged to claim they donate this and that. Yeh right.

    Consider also that today 3/4 of all smartphones used at least in the USA come from Verizon and AT&T and have their bootloaders locked with very few getting cracked anymore.

    So you still have a way for rooted devices to get real transproxy the correct way using iptables and more focus now by the core devs to make vpn proxy work for the vast majority of phones that will likely never get rooted.

    I am at a loss to understand the kick back here as nothing that actually worked correctly was lost. Seems more a knee jerk reaction to something being removed period regardless that it NEVER worked correctly from day 1. Why waste time on it that any app could break especially one targeted to do so which is the real threat.
