IPv6 privacy extensions for Android

Update: Fix now available in update.zip format.

All current Android phones have IPv6 enabled by default, which means that as soon as you connect to an IPv6-enabled network (e.g. via Wi-Fi) you will start using IPv6 with an IP address that reveals the MAC address of your network interface. Since this is a static and unique number that is not easily changeable (at least not on a smartphone), the MAC address quite uniquely links the IP address to your device.

Fortunately, the IPv6 specification has defined a method to prevent that. This method is described in RFC 4941 - Privacy Extensions for Stateless Address Autoconfiguration in IPv6. Unfortunately, these extensions, although present in the kernel, are disabled by default in Android.

Anyone who cares about their privacy (you should too!) will want to turn these on.

The procedure to do that is rather simple, although it requires you to root your phone. A popular tool helping you with this is SuperOneClick. In case you have a recovery ROM on your phone, you can also download the fix in update.zip format from the article about the DigiNotar CA certificates.

Once you've managed to enable root access, create a file 'sysctl.conf' with the following content:

net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.all.temp_prefered_lft=3600
net.ipv6.conf.default.use_tempaddr=2
net.ipv6.conf.default.temp_prefered_lft=3600

This file should be placed on your device in the '/system/etc' folder, which is most easily accomplished by connecting your phone to a computer while USB debugging is turned on (this option is found in the Settings section on your phone under Applications / Development).

Use adb to connect to your device. adb is part of the Android SDK that you can download on the Android developer site.

First, the /system partition should be mounted with write permissions:

adb shell mount -o remount,rw /dev/block/mtdblock3 /system

Please note that mtdblock3 can be a different name on your device. To find out which device contains the /system partition use:

adb shell mount

Now copy the file to your device:

adb push sysctl.conf /system/etc/sysctl.conf

Remount your partition read only and activate the settings:

adb shell mount -o remount,ro /dev/block/mtdblock3 /system
adb shell sysctl -p

That's it. Your device will use temporary IPv6 addresses that change every hour. Note that this fix will not survive a firmware upgrade!
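To check the result, the following added example (not part of the original article) tests whether an IPv6 address carries a MAC-derived (modified EUI-64) interface identifier and, if so, recovers the MAC from it. The sample addresses and the MAC 00:11:22:33:44:55 are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

def mac_from_eui64(addr):
    """Return the MAC embedded in a modified EUI-64 IPv6 address, or None."""
    # Strip an optional zone id (%wlan0) and prefix length (/64) before parsing.
    ip = ipaddress.IPv6Address(addr.split("%")[0].split("/")[0])
    iid = ip.packed[8:]  # low 64 bits = interface identifier
    # Autoconfiguration without privacy extensions inserts ff:fe between
    # the two halves of the 48-bit MAC address.
    # A random identifier can match by chance (1 in 65536), so a hit on a
    # temporary address is a strong hint rather than proof.
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip applied to the first MAC byte.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each address to the MAC it reveals (None if not MAC-derived)."""
    return {a: mac_from_eui64(a) for a in addresses}

# Constructed sample input: documentation prefix 2001:db8::/32 and a
# made-up MAC address 00:11:22:33:44:55.
SAMPLE = [
    "fe80::211:22ff:fe33:4455%wlan0",        # link-local, MAC-derived
    "2001:db8:1:2:211:22ff:fe33:4455/64",    # global, MAC-derived
    "2001:db8:1:2:5c3a:91e7:0b42:d6f8/64",   # global, random temporary address
]

if __name__ == "__main__":
    for addr, mac in audit(SAMPLE).items():
        verdict = f"reveals MAC {mac}" if mac else "no MAC-derived identifier"
        print(f"{addr:40} {verdict}")
```

With use_tempaddr=2 the MAC-derived address stays configured on the interface next to the temporary one; the kernel prefers the temporary address for outgoing connections, so the check to make is that at least one global address shows no MAC-derived identifier.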