Intra Gives Older Versions of Android Important DNS Protections

Credit to Author: Lily Hay Newman | Date: Wed, 03 Oct 2018 11:00:00 +0000

Thanks to a push over the last few years, led by Google and others, encrypted HTTPS connections protect more data than ever as it passes between web servers and browsers. But another fundamental component of web browsing too often remains unencrypted: the Domain Name System connections that act as the address lookups of the internet.

In Android 9, also known as Android Pie, Google has added a feature called Private DNS to start encrypting DNS on mobile. But for all the Android devices that won’t get an OS upgrade for a while—or ever—the Alphabet subsidiary Jigsaw is releasing a free mobile app called Intra that can offer that additional layer of web protection to billions of mobile browsers around the world.

To find the site you’re looking for, web browsers first connect to a DNS server, essentially an address book that looks up the site you want and shows your browser the path to get there. But since this DNS connection is often unencrypted, attackers can find ways to steal your browsing data, or trick your computer into connecting to tainted DNS servers that take you to fake, malicious sites. DNS manipulation can even be used as a form of censorship, redirecting traffic away from certain sources of information or effectively blocking sites altogether.

“DNS protection is important all over the world, but it’s especially important in places that don’t have strong protection for freedom of expression," says Ben Schwartz, a software engineer at Jigsaw. "And those are also places often where users can’t afford the latest and greatest devices, but we want to make sure we protect them to the greatest extent possible. So Intra takes this private DNS feature that we introduced in Android 9 and in effect makes it available on every Android phone made in the last seven years."

Journalists in China or activists in Iran may be the first to jump at the chance to use these protections, especially if they have older phones, but Jigsaw says it hopes to spread awareness to everyone about the need for DNS privacy. To use Intra, you simply download it and turn it on. From there, it automatically works behind the scenes to encrypt your DNS traffic. Similarly, to use the Private DNS feature on Android 9, you can navigate to Settings > Network & Internet > Advanced > Private DNS.

Android Pie implements the feature with an encryption protocol called DNS over TLS, while Intra uses a newer protocol known as DNS over HTTPS. Both protocols are effective, and closely related, but Intra uses the newer version for maximum flexibility and compatibility with all different networks and devices. Android Pie users can download and use Intra if they want more choice, or if they find that the app integrates more seamlessly into their browsing.
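
As an added illustration (not from the original article, and not Jigsaw's or Android's code), the sketch below builds one standard DNS query and wraps it the way DNS over TLS (RFC 7858) and DNS over HTTPS (RFC 8484) each carry it, which shows how closely related the two are. The resolver URL is a placeholder, the function names are hypothetical, and the TLS and HTTPS connections themselves are left out so the example runs offline.

```python
import base64
import struct

def build_query(name, qtype=1):
    """RFC 1035 wire-format query (qtype 1 = A). ID 0 as RFC 8484 suggests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("DNS labels must be 1-63 bytes: %r" % label)
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def name_seen_on_wire(msg):
    """What an on-path observer reads from an unencrypted port-53 query."""
    labels, pos = [], 12  # the question starts after the 12-byte header
    while msg[pos] != 0:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def frame_dot(msg):
    """DNS over TLS: 2-byte length prefix, then sent inside TLS on port 853."""
    return struct.pack("!H", len(msg)) + msg

def frame_doh_get(msg, resolver_url):
    """DNS over HTTPS GET: unpadded base64url in the 'dns' parameter, port 443."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return resolver_url + "?dns=" + encoded

def frame_doh_post(msg):
    """DNS over HTTPS POST: the raw message is the request body."""
    return {"Content-Type": "application/dns-message"}, msg

if __name__ == "__main__":
    RESOLVER = "https://resolver.example/dns-query"  # placeholder, not a real service
    query = build_query("www.example.com")           # constructed sample input
    print("cleartext DNS exposes:", name_seen_on_wire(query))
    print("DoT frame:", frame_dot(query).hex())
    print("DoH GET  :", frame_doh_get(query, RESOLVER))
```

In both encrypted variants the same query bytes travel inside TLS, so the site name is no longer readable by anyone on the path. DNS over TLS uses its own port, 853, while DNS over HTTPS shares port 443 with ordinary web traffic.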

Both Intra and Private DNS also let users choose the DNS service they want to use. This is where Intra can connect with other efforts to safeguard DNS privacy. One example is the internet infrastructure company Cloudflare’s 1.1.1.1 DNS resolver, which is encrypted and doesn't log or track user data. In recent years, a number of organizations have identified DNS manipulation as a growing threat, and have launched private DNS resolver services to encrypt more DNS traffic. Some classics include Cisco's OpenDNS project launched in 2006, and Google's 8.8.8.8 from 2009. But as DNS becomes more of a focus for attackers, other organizations like Mozilla have taken additional steps this year.

Insecurities in DNS are built into the foundations of the internet, though, and making improvements is complicated. Developers at Jigsaw found that retrofitting Intra to work on old versions of Android was challenging. "We came up with some creative new ways to use existing APIs that have been present in Android since Android 4.0," Schwartz says. "It was sort of a puzzle where we said, 'we have this new feature that we were able to build into Android. Is there some way to also make this available on phones where we can’t improve the operating system anymore?'"

In a sense, the goal of Intra is to make itself obsolete by raising awareness about the need to bake DNS privacy features into operating systems and web services. In the meantime, Jigsaw says it has seen a lot of latent demand for the service. Partly inspired by a recent Open Observatory of Network Interference report that documents DNS manipulation being used to censor news outlets in Venezuela, Jigsaw trialled Intra in the country. "We initially tested Intra in Venezuela where we had heard and observed that DNS manipulation is frequently used to suppress journalism and political activism," says Justin Henck, a product manager at Jigsaw. "From that very small test Intra spread by word of mouth to reach thousands of users around the globe, which both shows that there’s a lot of demand and that DNS manipulation is a global problem that people are trying to protect themselves against."

Jigsaw can potentially reach billions of users through Android, but it will need to be part of a concerted industry movement to do for DNS what has already been done with HTTPS.
