Commit ddec1a8 limited the ability to block QUIC to only
connections matching the decryption rules. Some users may still want
to always block QUIC for different reasons, so this commit makes it
possible to choose the block policy to apply.
See #369
After ba7291c, the capture thread does not wait for the pcapd "su"
command to complete, so the old 3 seconds timeout is too short.
The timeout has been extended to 10 seconds and an informative
error is now shown.
This ensures that all the monitored data is actually exported, avoiding
a possible inconsistency between the data shown on the screen and the
exported PCAP data.
pcapd is now run without the daemonize option, allowing PCAPdroid to retrieve the
exit code and avoiding an unnecessary fork. Code-based error reporting is now
implemented in pcapd. Errors are now shown in the UI and common ones are localized.
The package name to UID mapping was not updated after reinstallation,
causing UID matching to fail and subsequent failure to block it.
Now the UID mapping is automatically updated whenever an app is
installed or uninstalled.
Fixes #338
TLS decryption is now only applied to connections matching
the user-configured rules. This allows running the decryption
along with the normal capture. The decryption whitelist has
been removed.
When both TLS decryption and PCAPNG are enabled, PCAPdroid now embeds
the TLS master secrets directly into the PCAPNG dump, without the need
for a separate SSLKEYLOG file.
Closes #185
PCAP dump to file has been reworked as follows:
- File selection dialog is not shown anymore when the capture starts
- The PCAP files are saved to the Downloads/PCAPdroid folder
- Simplified mechanism to dump to an arbitrary URI (pcap_uri param)
- Add pcap_name parameter to specify PCAP file name
Overall, this simplifies user interaction and makes it easier to
access the PCAP file.
Closes #183
It's now possible to whitelist specific apps, hosts or IP addresses
to exclude them from the TLS decryption. The whitelist is not available
for decryption in root mode.
Beware that since the host is only available after the TLS connection
is in progress, host-based whitelisting only works if a prior DNS reply
for the given host was seen, creating a mapping between the resolved IP
and the host.
Closes #266
- Stop blacklist download if it takes more than 10 sec
- Abort downloads if capture is stopped
- Update the UI status during each individual download
Closes #224
The DNS servers used in VPN mode are now configurable. It's now
possible to ignore the system DNS server and use the specified
ones. Cloudflare DNS is now the default DNS server, which has a
no-logs policy.
Closes #275
In VPN mode, it's now possible to redirect the traffic of specific
ports towards another host and port. This makes it possible to
integrate PCAPdroid with other apps, by forwarding the traffic to
a local server.
Closes #274
When whitelist mode is enabled, all the connections are blocked unless
an app is manually whitelisted. DNS resolution by netd is always allowed,
since it's not possible to determine the requesting app.
With this mode enabled, the firewall blocklist is still used and has
priority. For example, if an app is whitelisted but a block rule exists
for the given domain, the connection will be blocked.
The app provides a default whitelist with some essential services.
Closes #232
- If temporarily unblocked, menu will show option to block it again
- Add unblock for 10 min
- Add temporary unblock to the apps view
- Show hourglass in apps view if temporarily unblocked