afwall leaks Wi-Fi traffic for a blocked application for a short time [kingroot issue] #501

Closed
towlie opened this issue Feb 29, 2016 · 38 comments

Comments

@towlie

towlie commented Feb 29, 2016

I blocked WhatsApp for Wi-Fi and LAN and allowed it for mobile connections.
But when I re-enable Wi-Fi the Android connection manager shows me that some kbytes slip through the Wi-Fi device. (Enable Wi-Fi, disable Wi-Fi, enable Wi-Fi)

Note: This only seems to happen for a short time when the connection was established, because all traffic is blocked after that.
Android 4.4.4

@towlie
Author

towlie commented Feb 29, 2016

This is what the log shows when a wifi connection is established.


AppID : 10108
Application's Name: WhatsApp
Total Packets Blocked:  5
[TCP]173.193.230.99:443(5)

I guess it's not very helpful. Anything I can do to make the log more verbose? (if needed)

@ukanth ukanth added Bug Question and removed Bug labels Mar 3, 2016
@ukanth
Owner

ukanth commented Mar 3, 2016

Can you give me more details. How did you check the traffic?

@towlie
Author

towlie commented Mar 3, 2016

It's from an Android system program which looks like this:
http://teckfront.com/wp-content/uploads/2014/09/See-WiFi-usage-in-Android-4.4-Kitkat-3.png
And it shows traffic from WhatsApp which is increasing when switching from mobile internet to Wi-Fi.

@towlie
Author

towlie commented Mar 3, 2016

I now checked this with Wireshark and compared it with the afwall log.
And as I can see there is really something going through, even if it says it blocks this IP address. The IP address belongs to Google, probably GCM. Looks like it doesn't block all packets?

I would give you the Wireshark dump but I cannot/will not post it here.

AppID : 10108
Application's Name: WhatsApp
Total Packets Blocked:  5
[TCP]172.217.18.46(5)

(wireshark screenshot)

@towlie
Author

towlie commented Mar 3, 2016

Wow, after I tried to send a message with WhatsApp it managed to bypass afwall after a few seconds.
It spammed a lot of DNS queries because afwall blocked a lot of them: https://gist.github.com/towlie/bfbe9ecaa2860104b71b
This one found its way through afwall: 158.85.58.12:443 e9.whatsapp.net

@towlie
Author

towlie commented Mar 3, 2016

Here is the afwall log: https://gist.github.com/towlie/222e6247da4476879bb8
Which again shows that the IP was blocked, which is not true.

@ukanth
Owner

ukanth commented Mar 3, 2016

Hmmm. Can you paste Firewall logs -> Export here, along with the uid for WhatsApp?

@towlie
Author

towlie commented Mar 3, 2016

You mean I shall post everything I posted on gist in this post/issue?

@ukanth
Owner

ukanth commented Mar 3, 2016

I'm sorry, not the logs, Firewall Rules! I would like to see how the iptables rules have been set.
Menu -> Firewall rules -> Export to sdcard (or) copy/paste the content.

@towlie
Author

towlie commented Mar 3, 2016

@ukanth
Owner

ukanth commented Mar 3, 2016

Do you have some other firewall installed or tried?

I see some more chains, like "firewall".

@towlie
Author

towlie commented Mar 3, 2016

There are xprivacy (which recommended your app), Adaway and a root app called "king root". Don't know if these can be called firewalls.

...

And wifi privacy

Afwall+ is completely unlocked by me in xprivacy.

@ukanth
Owner

ukanth commented Mar 3, 2016

chain OUTPUT
455 58300 mark       all  --  *      *       0.0.0.0/0            0.0.0.0/0    

Chain firewall (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   5366  695K mobile     all  --  *      rmnet+  0.0.0.0/0            0.0.0.0/0           
 838 70901 wifi       all  --  *      wlan+   0.0.0.0/0            0.0.0.0/0  

Some other process is bypassing the afwall OUTPUT chain with its own.

@towlie
Author

towlie commented Mar 3, 2016

Any idea how to detect what is doing this?

@ukanth
Owner

ukanth commented Mar 3, 2016

Execute these commands in a shell.

iptables -F
iptables -X

and apply the rules in AFWall+. You should not see any chains other than "afwall-" chains.

Now open the program that you suspect (kingroot, etc.) and observe the iptables rules with the following command

iptables -L | grep mark

If you see the change, then the other program is bypassing. Only root programs can modify the iptables rules.

@towlie
Author

towlie commented Mar 3, 2016

What is the last command supposed to print? It at least shows something different when something changed, but it looks like a dump:
mark all -- anywhere anywhere
chain mark (1 references)
And indeed after starting king root those firewall entries reappear.

@towlie
Author

towlie commented Mar 3, 2016

So what would this mean? Does this program help programs to break out? And has this something to do with the original issue?

@towlie
Author

towlie commented Mar 3, 2016

This is how it looks when I do a reboot:
https://gist.github.com/towlie/4d8a373c06759b9a1263

I disabled king root's root access in this case.

@ukanth
Owner

ukanth commented Mar 4, 2016

The last gist looks good to me. In your case kingroot is doing suspicious activity. I will see if I can detect this behavior without sacrificing the battery.

@ukanth ukanth added the DNS label Mar 4, 2016
@towlie
Author

towlie commented Mar 4, 2016

The original problem still occurs with this rule file. Btw, do you have any advice on how to replace kingroot? Using supersu seems to be impossible...

@ukanth
Owner

ukanth commented Mar 4, 2016

I'm aware of that problem when switching between interfaces. I use supersu or CM built-in root.

@towlie
Author

towlie commented Mar 4, 2016

Shall I create a new issue with the necessary information? This is kind of a mess here.
Off-topic:
I finally managed to remove kingroot and replace it with supersu (Kingroot must have done something to prevent this on 4.6 and above).

@ukanth
Owner

ukanth commented Mar 4, 2016

Not required. Thanks. Please close this issue.

@towlie towlie closed this as completed Mar 4, 2016
ukanth added a commit that referenced this issue Mar 5, 2016
@ukanth ukanth changed the title afwall leaks Wi-Fi traffic for a blocked application for a short time → afwall leaks Wi-Fi traffic for a blocked application for a short time [kingroot issue] Mar 11, 2016
@ukanth
Owner

ukanth commented Mar 11, 2016

Since I've referenced this on my changelog, here is the reason why kingroot support is dropped in the latest version.

AFWall+ uses su to update iptables rules. Based on this report, I came to know that kingroot (su) itself updates iptables rules to bypass the OUTPUT chain set by afwall to connect to the internet.

At least for now I don't have any workaround or solution. If I ever find a way to fix this without a major change, then I'll enable it back.

Please feel free to open up a new issue if anyone wants to discuss further.

@towlie
Author

towlie commented Mar 11, 2016

Well, I managed to remove king root and use supersu now, but it was not getting better.

@Gitoffthelawn
Contributor

@ukanth Can you think of any legitimate reason why KingRoot should be modifying iptables?

@ukanth
Owner

ukanth commented Mar 12, 2016

@Gitoffthelawn, to be frank, no idea. Maybe if I get some time this week, I will try rooting with kingroot to find out more.

@Gitoffthelawn
Contributor

@ukanth I have heard plenty of speculation that KingRoot might contain a malware payload, but I've never read any hard evidence to substantiate this claim.

Maybe you'll be the one to break the story.

@towlie
Author

towlie commented Mar 14, 2016

I see that you are confident that this is caused by king root. Did you find any evidence for this?
Because I still have that issue without King root.

@ukanth
Owner

ukanth commented Mar 14, 2016

We are talking about two issues: one with kingroot, one when switching between interfaces. The second one is still not resolved. Thanks.

@oneaty

oneaty commented Mar 24, 2016

I believe I have the same issue.
I'm running Android 4.4.4 on a LG-E400 and since a couple of weeks ago Afwall refuses to activate.
I didn't use Kingo to root, but maybe some app like it.
Are there any plans to fix this?

@danielfpferreira

@towlie can you please share how you managed to replace King Root with SuperSU?
I've tried a few times with different processes but ended up in a boot loop every single time.

The main reason that I've installed afwall was to block kingroot web access.
I've checked my iptables rules and they seem to be OK. No extra rules, and kingroot accesses are logged as blocked in afwall.

@towlie
Author

towlie commented Mar 30, 2016

I don't know the exact steps. I used an old version of kingroot "KingRoot-4.0.0.233-release-201505071219_105001", installed supersu and made it a system app with /system/app mover.
Uninstalled kingroot and then tried to install/update the supersu su binary?
I think you should try to install the su binary from super su before uninstalling kingroot. It also has some kingroot uninstall routines.

You can also block internet access for kingroot with xprivacy.

I think newer versions of kingroot are harder to remove.
This also made me worried https://www.facebook.com/kingrootmobile/posts/1607783962814953

@danielfpferreira

Thanks, I will try to downgrade KingRoot; with my Android version I can only root with KingRoot 4.5+.

They've deliberately started blocking SuperSu installs with the justification that it was removing KingRoot in an incorrect way: http://forum.xda-developers.com/showpost.php?p=61899071&postcount=1277

I would rather not use an app that has strange behavior; I've analysed a few packets and they send too many requests with an encrypted payload.

@Gitoffthelawn
Contributor

@danielfpferreira I would agree. Anything that has root access must be open-source, with the ability to compile it on your own. Encrypted payloads could be transmitting anything.

@ukanth
Owner

ukanth commented Mar 31, 2016

When I decompiled the kingroot apk, I found out it's modifying iptables to bypass the firewall, and the above iptables rules were present in multiple user reports. That's the reason I dropped support for kingroot. AFWall+ itself depends on superuser/su to execute iptables commands, and kingroot can easily bypass any defence mechanism put in place by AFWall.

@gerroon

gerroon commented May 5, 2016

Kingroot is spyware; anyone using this app is out of their mind. This app makes constant connections to a bunch of Chinese IPs.

@TriMoon

TriMoon commented May 5, 2016

Why not check the iptables rules on a predefined timing and inform the user about any changes that AFWall didn't make?
After that, just clear the rules and initialize with the rules that AFWall makes.
That way, if any other app like KingRoot or others tries to modify the rules in future, we will be informed AND the malware blocked automatically...
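As an added illustration (not code from AFWall+ or any commenter), the following script combines ukanth's manual check above ("you should not see any chains other than afwall- chains") with TriMoon's proposal of a periodic integrity check: it parses `iptables -S` style output and reports user-defined chains not created by AFWall+ and OUTPUT rules that jump outside the afwall chains. The chain names and the sample rule listing are constructed, modelled on the "firewall"/"mark"/"mobile"/"wifi" chains shown in the thread; on a rooted device the live listing would come from `su -c 'iptables -S'`.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output (hypothetical; modelled on the
# thread: afwall chains plus the foreign "mark"/"firewall"/"mobile"/"wifi" chains).
SAMPLE_RULES='-P OUTPUT ACCEPT
-N afwall
-N afwall-wifi
-N afwall-3g
-N afwall-reject
-N mark
-N firewall
-N mobile
-N wifi
-A OUTPUT -j mark
-A OUTPUT -j afwall
-A afwall -o wlan+ -j afwall-wifi
-A afwall -o rmnet+ -j afwall-3g
-A mark -j firewall
-A firewall -o rmnet+ -j mobile
-A firewall -o wlan+ -j wifi'

# foreign_chains: list user-defined chains (-N lines) whose name is not afwall*.
foreign_chains() {
  printf '%s\n' "$1" | awk '$1=="-N" && $2 !~ /^afwall/ {print $2}'
}

# foreign_output_jumps: list OUTPUT rules whose -j target is not an afwall chain,
# i.e. traffic diverted before (or instead of) the afwall chain.
foreign_output_jumps() {
  printf '%s\n' "$1" | awk '$1=="-A" && $2=="OUTPUT" {
    for (i = 3; i <= NF; i++) if ($i == "-j" && $(i+1) !~ /^afwall/) print $0 }'
}

# check_rules: return 0 when only afwall chains are present, 1 when foreign
# state is found (a periodic job would then re-apply the AFWall+ rules and alert).
check_rules() {
  chains=$(foreign_chains "$1")
  jumps=$(foreign_output_jumps "$1")
  if [ -z "$chains" ] && [ -z "$jumps" ]; then
    echo "OK: only afwall chains present"
    return 0
  fi
  echo "WARNING: iptables state not created by AFWall+ detected"
  [ -n "$chains" ] && printf 'foreign chains:\n%s\n' "$chains"
  [ -n "$jumps" ] && printf 'OUTPUT jumps outside afwall:\n%s\n' "$jumps"
  return 1
}

check_rules "$SAMPLE_RULES"; echo "exit status: $?"
```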

7 participants