I'm someone who takes precautions with my data when on unfamiliar or untrusted networks. While for the most part I trust TLS to handle my data securely, I find that it doesn't take much effort to set up a transparent proxy on my Android handset to route all packets through an encrypted proxy.
In this case, I happen to work for the greatest ISP in the world, and so I have an SSH server in the datacenter. I wholly trust the network from my SSH server to the border routers, so the more traffic I can send that direction, the better. I realize that may not be the case for all of you. However, if you have an externally available SSH server on a trusted network, this post may be of interest.
First, setting up this proxy requires having root. I'm not going to cover how to get root in this post. You can find it elsewhere. Next, you'll need two apps installed; namely ConnectBot and ProxyDroid. Both are Free Software apps. Also, you can do this with SSH Tunnel on its own, if you have Android 4.2.2 or older. Unfortunately, it doesn't work for 4.3 and newer. I have Android 5.1, and it isn't setting up the firewall rules correctly.
Once they are installed, you'll want to set them up. Here I walk through setting up ConnectBot.
- Pull up ConnectBot from your app drawer, and set up a new connection by typing in the username, host, and optionally port.
- When asked if you want to accept the server's public SSH key, verify the key, then tap "YES".
- Enter in your password to connect, and verify that you can successfully connect to the remote SSH server.
- Now, disconnect, sending you back to the app's landing screen.
- At this point, long-tap the SSH profile you just created, and tap "Edit port forwards".
- Tap the menu in the upper-right hand corner of the profile, and tap "Add port forward".
- Give the forward a nickname, such as "ProxyDroid".
- Tap "Dynamic (SOCKS)" from the list under "Type".
- Provide any source port. It must be above 1024, and cannot be currently in use. I find "1984" apropos.
- Leave the "Destination" blank, and tap "CREATE PORT FORWARD".
You have now successfully created a SOCKS listening port on localhost:1984. Now, we need to create software firewall rules in the phone to globally forward all packets through localhost on port 1984, creating our transparent proxy. As such, pull up ProxyDroid, and I'll walk you through setting that up:
- In ProxyDroid, set "127.0.0.1" as the "Host".
- Match the port with what you set in ConnectBot's port forward ("1984" in our example).
- Set the "Proxy Type" to "SOCKS5".
- Scroll to the bottom of the app, and check the checkbox for "Global Proxy".
- OPTIONAL: Check the checkbox for "DNS Proxy".
That last step will tunnel DNS requests through the proxy also. Unfortunately, I have found it to be buggy and unstable. Leaving it unchecked gives you a stable encrypted SSH proxy experience, but DNS lookups are then not tunneled, so the hostnames you look up stay visible to the local network.
Now that both are configured, connect to your remote SSH server with the ConnectBot profile you configured, then enable the proxy in ProxyDroid by tapping the slider next to "Proxy Switch". You should have a running global SSH proxy from your smartphone to the remote SSH server, where all packets are being sent. You can visit a site that returns your external IP address, such as http://findmyipaddress.com/, to verify that the source IP address of the HTTP request is the same IP address as your SSH server. If so, your packets are being tunneled through your SSH connection.
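To test the ConnectBot forward on its own (with the ProxyDroid switch off), the following added example, which is not part of the original setup, speaks SOCKS5 directly to localhost:1984 and fetches the IP-check page through it. It assumes a Python 3.8+ interpreter is available on the phone; the function names are illustrative. The request uses the SOCKS5 domain-name address type, so the hostname is resolved by the SSH server rather than by the phone.

```python
import socket
import struct

PROXY = ("127.0.0.1", 1984)  # the ConnectBot "Dynamic (SOCKS)" forward from the post

def connect_request(host, port):
    """SOCKS5 CONNECT (RFC 1928) with ATYP 0x03: the hostname is sent as text,
    so the SSH server resolves it and the phone issues no DNS query."""
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must be 1-255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)

def recv_exact(sock, n):
    """Read exactly n bytes or fail; recv() may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection early")
        buf += chunk
    return buf

def socks5_handshake(sock, host, port):
    """Negotiate 'no authentication', then ask the proxy to CONNECT to host:port."""
    sock.sendall(b"\x05\x01\x00")  # VER=5, one method offered, method 0x00
    if recv_exact(sock, 2) != b"\x05\x00":
        raise ConnectionError("listener is not a no-auth SOCKS5 proxy")
    sock.sendall(connect_request(host, port))
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != 5 or rep != 0:
        raise ConnectionError(f"CONNECT failed, REP=0x{rep:02x}")
    # Drain BND.ADDR and BND.PORT so the stream is positioned at application data.
    if atyp == 3:
        addr_len = recv_exact(sock, 1)[0]
    elif atyp in (1, 4):
        addr_len = 4 if atyp == 1 else 16
    else:
        raise ConnectionError(f"unknown ATYP {atyp}")
    recv_exact(sock, addr_len + 2)

def fetch_through_tunnel(host, path="/", proxy=PROXY):
    """Plain HTTP GET sent through the SOCKS forward; returns the raw response."""
    with socket.create_connection(proxy, timeout=10) as s:
        socks5_handshake(s, host, 80)
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
        return b"".join(chunks)

if __name__ == "__main__":
    print(fetch_through_tunnel("findmyipaddress.com").decode("latin-1")[:400])
```

If this succeeds while browsing with "Global Proxy" enabled does not, the SSH forward is healthy and the problem lies in the firewall rules on the phone.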