@Noxturnix
Created January 30, 2022 02:27
Fingertip on Android


So, I just managed to install Fingertip on my Android device and I want to share how I did it

Note

I have written this from my experiments. It might not work on your device, or in the worst case, you might lose your data. Feel free to follow what I did, but make sure you understand what you are doing. I'm not responsible for what happens to your device c:

Note 2

My English is lame so sorry about my language c:

Feel free to share/copy/edit/remix or sell on OpenSea if you want

Content

Device info

  • Device: LG V20 H915
  • Architecture: arm64
  • Rooted: yes, using Magisk + system-as-root
  • OS: Android 11 (Lineage OS 18.1) (custom build) with TWRP
  • Other info: has binfmt_misc enabled, using Spigen protection case (doesn't matter but i wanna put it here)

Let's start

So, my goal is to make my device able to resolve Handshake domains with HIP-5 and DANE support without using any external DNS resolver or VPN. I'll assume you already know what Fingertip is

Since Fingertip is a desktop application, let's install a desktop on the Android device

Desktop on Android.. what?

It is possible to install a Linux chroot on an Android device using the Linux Deploy app (root required), then install a desktop environment on it, which means we can run any Linux desktop application on our Android device!

The visualization of the system will look like this:

+---------------------+
|                     |
|       Android       |
|                     |
|+-------------------+|
||                   ||
||       Linux       ||
||   (with desktop)  ||
||                   ||
||+-----------------+||
|||                 |||
|||    Fingertip    |||
|||                 |||
||+-----------------+||
|+-------------------+|
+---------------------+

Rooting

I just did some magic and my device is rooted

Installing Linux

I've made some changes in the configuration on Linux Deploy

  • Bootstrap
    • Distribution: Ubuntu
    • Distribution suite: bionic
    • Installation type: Directory
    • Installation path: /data/local/fingertip
    • User name: fingertip
    • Localization: en_US.UTF-8
  • Init
    • Enable: yes
    • Init system: sysv
  • SSH
    • Enable: yes
    • Port: 12345
  • GUI
    • Enable: yes
    • Graphics subsystem: VNC
    • Desktop environment: LXDE

As you can see, Linux Deploy already supports a GUI out of the box. After pressing Install and starting the system, we are pretty much ready to build and set up Fingertip

Why not Termux?

Termux is an Android app which allows us to use Linux commands on our device. However, unlike Linux Deploy, its file system and packages are not similar to mainstream distros like Debian and Ubuntu. I've tried building hnsd without success due to a libuv pthread issue. Linux Deploy allows us to debootstrap mainstream distros like Ubuntu on our device (Linux chroot), which means it will support more general Linux applications

SSH client

So, let's use Termux as an SSH client c:

Since our Ubuntu (Linux chroot) is running in background and has SSH listening on port 12345 as we configured, we will need an SSH client to connect to it

There are many options/clients to choose from, but I'll go with Termux because I already had it installed when I was making the decision

On Termux, run

apt update
apt install -y openssh

Connect to our Linux chroot

ssh -p 12345 fingertip@127.0.0.1

The password can be found on Linux Deploy configuration page. If you changed it, then it's your chosen password

Note that the password we typed won't be shown on the screen

Installing dependencies

We will need to install build tools and some libraries first, before we can start building and setting up Fingertip on our Linux chroot

sudo apt update
sudo apt install -y git build-essential automake autoconf libtool libunbound-dev wget libgtk-3-dev libappindicator3-dev gir1.2-appindicator3-0.1

We will also need golang 1.16+. The current latest version is 1.17.6. Let's install it

cd ~/
wget https://go.dev/dl/go1.17.6.linux-arm64.tar.gz
sudo rm -rf /usr/local/go &&  sudo tar -C /usr/local -xzf go1.17.6.linux-arm64.tar.gz
echo -ne '\nexport PATH=$PATH:/usr/local/go/bin\n' >> ~/.bashrc
source ~/.bashrc

Now, we are ready for the next step

Building hnsd

Fingertip requires us to place hnsd binary into the build folder. So, we will have to build hnsd from source first

Clone hnsd

cd ~/
git clone https://github.com/handshake-org/hnsd.git --depth 1

Build hnsd

cd hnsd/
./autogen.sh && ./configure && make

Building Fingertip

After we built hnsd, we will have hnsd binary at ~/hnsd/hnsd. We can now proceed to build Fingertip

Clone Fingertip

cd ~/
git clone https://github.com/imperviousinc/fingertip.git --depth 1

Copy hnsd binary to the build folder

cd fingertip/
cp ~/hnsd/hnsd builds/linux/appdir/usr/bin/

Build Fingertip

go build -trimpath -o ./builds/linux/appdir/usr/bin/

VNC client

Just like SSH, our Linux chroot also has VNC listening in background. This is for the desktop view of our Linux chroot. It is needed to run Fingertip. And we will need a VNC client. I'll use VNC Viewer for that

In Address, just set it to 127.0.0.1. The password is the same as shown on the Linux Deploy configuration page

After we connected to our Linux chroot, to open a terminal window on desktop, click on the start menu (bottom left of the screen), then click System Tools > LXTerminal

Running Fingertip for the first time

When we run Fingertip for the first time, it will create a configuration directory at ~/.config/Fingertip/. We will later configure Fingertip inside the directory

On VNC, run

cd ~/fingertip/builds/linux/appdir/usr/bin/
sudo ./fingertip

Note that we use sudo because we will later configure Fingertip's recursive resolver to listen on port 53, which requires super user permissions, and the config directory will be created and owned by root

After it ran for about 3 seconds or more, quit the program by pressing Ctrl + C, or click on Impervious logo on the bottom right and click Quit

Configuring Fingertip

Let's change Fingertip's recursive resolver port to 53

On Linux chroot (can be done on SSH), run

sudo bash -c 'echo -ne "RECURSIVE_ADDRESS=127.0.0.1:53\n" >> ~/.config/Fingertip/fingertip.env'

Next time we run Fingertip, the recursive resolver will listen on port 53 instead of the default port

Running Fingertip

Now, we are ready to run Fingertip

On VNC, run

cd ~/fingertip/builds/linux/appdir/usr/bin/
sudo ./fingertip

Fingertip will start running in background. If you restart your device, you will have to do this step again manually to start Fingertip

We can check Fingertip status on http://127.0.0.1:9590

Installing root certificate

To use DANE properly, we have to install Fingertip's root certificate on our Android device (not Linux chroot)

We need to convert our fingertip.crt into another format Android can read, then install it as a trusted root certificate. The reason I chose to do this is that most apps don't accept user certificates

To start, let's copy our fingertip.crt from Linux chroot to Android internal storage

To do this, on Termux, run

su
cp /data/local/fingertip/home/fingertip/.config/Fingertip/fingertip.crt /sdcard/

Then, we install the certificate on our device. To do this, on Android Settings, go to Security > Encryption and credentials > Install a certificate > CA certificate, then select fingertip.crt on internal storage

Now, the certificate is installed as a user certificate. We can now move it to the trusted root certificate store

On Termux, run

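# remount the root file system read-write so the system store can be changed
mount -o rw,remount /
mv /data/misc/user/0/cacerts-added/*.0 /etc/security/cacerts/
# system certificates must be owned by root
chown root:root /etc/security/cacerts/*
# put the root file system back to read-only
mount -o ro,remount /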

CAUTION: This will move all installed user certificates to the trusted root certificate store. If you want to move only Fingertip's certificate, you can check the files by using ls -lha /data/misc/user/0/cacerts-added/. The most recently added file will likely be Fingertip's certificate
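To move only Fingertip's certificate rather than every user CA, the file can be matched by content instead of by modification time. The following is an added example, not part of the original gist; the helper names cert_der_sha256 and find_matching_cert are made up for illustration, and it compares the SHA-256 of the certificate's DER bytes so it works whether a file is stored as PEM or DER.

```shell
#!/bin/sh
# Added example (not from the gist): find the user-CA file that holds the same
# certificate as fingertip.crt, so only that file is moved to the system store.

# Print the SHA-256 of a certificate's DER bytes; accepts PEM or DER input.
cert_der_sha256() {
    [ -f "$1" ] || return 1
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        # PEM: keep the first BEGIN..END block, drop marker lines, decode.
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
            | sed '/-----END CERTIFICATE-----/q' \
            | grep -v -- '-----' | base64 -d
    else
        cat "$1"    # no PEM markers: treat the file as raw DER
    fi | sha256sum | cut -d' ' -f1
}

# Print every *.0 file in directory $2 that holds the same certificate as $1.
find_matching_cert() {
    want=$(cert_der_sha256 "$1") || return 1
    for f in "$2"/*.0; do
        [ -f "$f" ] || continue
        if [ "$(cert_der_sha256 "$f")" = "$want" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# When called with two arguments (certificate, directory), print the match.
if [ "$#" -eq 2 ]; then
    find_matching_cert "$1" "$2"
fi
```

Run it as root with /sdcard/fingertip.crt and /data/misc/user/0/cacerts-added as the two arguments, then mv only the path it prints instead of *.0.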

After this step, reboot your device to make sure Fingertip's certificate is installed as a trusted root certificate

(Optional) Installing root certificate on Linux chroot

You may notice that even though we have our root certificate installed, the Fingertip status page still says that it is not. This is because Fingertip checks for the certificate on the system, which in this case is the Linux chroot, not Android. We can safely ignore this, but it bothered me so I decided to include the solution

To solve this, we just install the certificate on Linux chroot

On SSH, run

sudo cp ~/.config/Fingertip/fingertip.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Then, restart Fingertip. The status page will now say that the certificate is installed

Configuring Android to use Fingertip

Now, we are ready to use Fingertip

On Android Settings, go to Network & internet > Wi-Fi > (your connected Wi-Fi) > Edit. Then, change the settings to the following

  • Proxy: Proxy Auto-Config
  • PAC URL: http://127.0.0.1:9590/proxy.pac
  • IP settings: Static
  • IP address: (your current local IP address) (ex. 10.0.0.10)
  • Gateway: (your current gateway) (ex. 10.0.0.1)
  • Network prefix length: (your network prefix length) (ex. 24)
  • DNS 1: 127.0.0.1

Then press Save and reconnect to your Wi-Fi to make sure our settings are applied

Currently, I haven't figured out how to configure this on mobile data, but I think proxy and DNS apps should do it

Sites to test

Legal

This writing has no copyright. Check CC0 for more info

Written by Noxturnix

@CharlZKP

CharlZKP commented Apr 23, 2022

I think it would be interesting to try getting Fingertip alongside Pi-Hole (on the same or a different node) so that when ads domain (for Handshake) pops up we could just add a blacklist / gravity list to block (to not resolve) those given list XD

BTW, Nice How-to / tutorial steps :)
