Tor Support for iOS and Android

Matt_Hill · June 11, 2020, 10:04pm

@tgreer and @kspearrin

Feature name:

Connect to your Bitwarden Server over Tor!

Feature Description

For iOS and Android apps, users can enable Tor in settings menu
If Tor is enabled, a Tor circuit will be established on app startup and closed on app background
If Tor is enabled and connected, users can enter a Tor “.onion” URL for their server address

Clients / Repos Affected:

Mobile

Timeline to completion (estimate):

1 month

ETA: Q3/2020

tgreer · June 12, 2020, 7:27pm

Welcome, @Matt_Hill! Thanks for submitting this, very interesting. Let us take a little time to think it over

kspearrin · June 12, 2020, 11:58pm

What would need to be done to support this? I am not familiar with using Tor.

fries · June 13, 2020, 4:05pm

At the end, all you want is proxy support, no? You set up Tor on your device which runs a local proxy and then enter the proxy in third party apps, e.g. Bitwarden, so that they use your local proxy to connect to Tor?

ProofOfKeags · June 13, 2020, 7:56pm

Hi kspearrin. On mobile there isn’t too much that needs to be done.

The overview is that any HTTP connections need to be made over a SOCKS5 proxy. The standard iOS and Android HTTP libs support this straight out of the box. The only new addition to the bitwarden software is to start the Tor SOCKS proxy up when the app starts up. On iOS the Tor.framework library can be used. On the Android side we have modified the TorOnionProxy library to manage the tor instance which can be found in our capacitor plugin here. On iOS we can’t rely on an external proxy since Apple disallows that.

Matt_Hill · June 13, 2020, 7:57pm

What @ProofOfKeags said. We are working together. Regarding the UI/UX around this, would probably be good to discuss how you’d like it done.

We want to implement this feature because our own Embassy product allows our users to fire up a Bitwarden Server on a Tor V3 Hidden Service on their own physical server with the push of a button. By hosting Bitwarden on a Hidden Service, users don’t have to worry about setting up a domain, a static IP, https, or port forwarding. It just works.

Currently, the only way our users can access their Hidden Service Bitwarden Server is through the Bitwarden Extension for Tor Browser or Firefox. It would be awesome if they could download the Bitwarden mobile app and provide their server URL there too.

ProofOfKeags · July 12, 2020, 12:25am

I wanted to follow up here. We are willing to put the work of getting Tor into Bitwarden. The question we have is as to whether or not it would be accepted, where the code is, and if there would be a preferred approach that you have for it.

Have you had a chance to think about this?

tgreer · July 13, 2020, 3:01pm

Hey guys! Sorry for the delays here - it’s been a fast-paced couple of weeks! Can @kspearrin and I take just a bit longer to discuss?

Matt_Hill · July 14, 2020, 3:40am

Of course. Standing by.

Matt_Hill · September 5, 2020, 5:40pm

Hi, don’t want to let this languish. We have more and more customers asking for this feature. They would love to be able to use the Bitwarden mobile app with their own Bitwarden Server over Tor. As before, we are happy to implement this feature for you.

tgreer · September 6, 2020, 12:45am

@Matt_Hill - I absolutely understand. Chad and Kyle have been very busy prepping for this next release and just, unfortunately, have not had time to review this in-depth.

cscharf · September 9, 2020, 10:48pm

@Matt_Hill, @ProofOfKeags, we would be perfectly willing to accept this and support it if you wanted to get this done. Kyle and I had a brief couple of messages and there are only a few questions we would want to address through your approach and investigation (which these questions may answer some of yours in regards to areas of impact, the “where” and what):

If these are linked through the native Android and iOS frameworks, we would need to know how that would work with Xamarin, which we are using for our mobile apps (along with Xamarin Forms)
Also, would the UI settings for this be on the same configuration screen as the server/service URLs before logging in?
Is any additional support necessary for the server-side of this implementation? Docker container, reverse proxy/nginx configurations, etc.?
If #3 above is yes, we would need the ability to disable this for organizations/enterprises using self-hosted or Bitwarden cloud who’s internal security policies prevent or deny the use of Tor on corporate networks or corporate assets/services.

The likely starting place in mobile would be within the UI/UX approach, our preference would likely be a setting on the EnvironmentPage and work backwards from there regarding the settings.

I imagine this would also be structured as a service that would be injected into the necessary handlers to be invoked which wrap the native implementation(s) of the necessary APIs/frameworks. Quite not sure how this would work to be honest but that would need to be figured out. All service injection has abstractions setup either in Core or App, this I believe would go in App (but not married to that).

Per your thought that on background the connection would be closed and on open re-engaged, I believe the areas of concern for hooking into that are in the primary App.xaml.cs file.

I would recommend taking a look at how you would approach doing this within Xamarin, or working around Xamarin w/o breaking stuff (obviously ), but ultimately would need the settings from the app’s primary screen (dotnetcore + Xamarin) to feed into the behavior. Please let us know if you have any other questions.

Also looping in @mp-bw as he’s much more familiar with the mobile platform than I am and can offer any other color or help/assist answering any questions you may have as you explore your technical approach. Any draft PRs are welcome as well, feel free to assign to me and I’ll add anyone else necessary for review from our end.

Thanks for your patience!
~ Chad

mp-bw · September 10, 2020, 1:40pm

I have some reading to do but it sounds fascinating. I can’t yet comment on our implementation without fully understanding the OS-specific proxy implementations (including the mobile app lifecycle shenanigans have to be accounted for). We also need to confirm that each library’s license permits our use (just thinking out loud, I haven’t looked yet).

Matt_Hill · September 10, 2020, 2:26pm

This is great news! I personally can’t wait to use the Bitwarden mobile app. To answer your questions:

We will build a Xamarin Tor plugin, which will enable Xamarin-based apps (including Bitwarden) to communicate over Tor through Socks5 proxy with a simple API. We already built a Capacitor plugin that accomplishes the same thing for Ionic apps.
Yes. It would be very minimal. There are two choices: either (1) we don’t change the UI at all. If a user enters a .onion URL for their server, we will fire up the Tor daemon and connect, or (2) we introduce a toggle such that the user can explicitly enable Tor and also enter a .onion URL. Personally I prefer the former, since the latter could result in confusion or wonky states where the user has Tor enabled for no reason, or they have an .onion URL entered but have Tor disabled. Either way, the Tor Daemon would only be started (and would always start) on app initialization if Tor is enabled by one of the methods above. No need to run a Tor daemon for non-Tor users. The app and its normal use case would not be affected at all by this “secret” feature.
No, this purely on the client.

We are quite familiar with running Tor on iOS and Android apps and also adhering to the guidelines of both stores. This feature is totally benign and does not require additional permissions from the user. We are also familiar with licensing and will make sure there are no issues.

We will begin digging into Xamarin and the Bitwarden code and let you know if we have any questions. Thank you!

mp-bw · September 10, 2020, 3:21pm

We will build a Xamarin Tor plugin

@Matt_Hill Awesome! Would this be something we could consume as a NuGet package?

(1) we don’t change the UI at all. If a user enters a .onion URL for their server, we will fire up the Tor daemon and connect

Agreed, this is the way to go.

Matt_Hill · September 10, 2020, 9:23pm

Yes, I believe this will be a NuGet package.

Matt_Hill · October 1, 2020, 6:25pm

Alright, we are ready to get started on this. Has the Bitwarden team made any custom Xamarin plugins we could use as a template? Upon a cursory search, it appears most documentation around creating plugins are a couple years old and may have issues with newer versions of VS 2019, especially for Mac. Please let me know if you have any suggestions, otherwise we will just figure it out as we go

mp-bw · October 1, 2020, 6:49pm

Unfortunately no, that’s uncharted territory for us as well.

b0kah · January 31, 2021, 3:04pm

This request may in the end be not at all what you want. Consider this: if you are self.hosting bitwarden in your home lab and it is running on your own home land line, then the public IP of your home lab is connected to your real life identity. Now if you surf with torbrowser and the bitwarden connection uses the same exit node as your surf traffic, then it is easy to link your surf traffic to your home lab IP and thus to your identity.

What you really want is that the bitwarden traffix uses a different exit node than your surf traffic, our not the tor network at all. Then it is indenpendent of your surf traffic. Shoudl be no problem to reveal that you are using a self-hosted bitwarden instance as long as the access cannot be correlated to the surf traffic.

dr-bonez · February 10, 2021, 10:58pm

That’s only if you use exit nodes. The main purpose of this is to use a tor hidden service, which would not leak your home IP.