Free Encrypted 3G Web Access on T-Mobile Smartphones
by EvilGold
After reading the article in 26:4 about T-Mobile, I was inspired to look into things a bit more and see what other holes might exist on T-Mobile's 3G network.
Because I have a prepaid T-Mobile plan with no data subscription, I didn't have to worry about getting overage charges if my investigation turned up nothing. So with nothing to lose and the potential of free 3G access on my G1, I got to work.
Disclaimer: This article is entirely for informational purposes only. I am not well versed in how T-Mobile monitors data usage. This may only work if you have a flex pay account. If you're trying this on with a post-paid plan, then you might end up getting charged. I strongly recommend that you try these techniques only with a prepaid account. Everything I mention here was only tested on a G1 Android phone, but most of the information could probably be applied to any smartphone. With that out of the way, lets get to exploring.
The first discovery was with an application I had already been using with Wi-Fi for months called Meebo. I had set Meebo to automatically connect whenever my phone was turned on (since I am usually around a Wi-Fi connection anyway), but I noticed one day that it had connected on its own, without any available Wi-Fi around.
After trying it out for a few days with Wi-Fi turned off, it still worked. This in and of itself was a nice find, because it meant free unlimited texting to not just other phones (using AIM's SMS support), but also to any contacts on Jabber. (Meebo supports a huge number of protocols including AIM, XMPP, and Yahoo!).
It wasn't too long before I came across another application called "WikiMobile" which also worked with the non-subscriber 3G connection. I tried using another chat client, and Google's included Gtalk client, but neither worked. Wikipedia.org was still blocked in web browsers. Something was definitely opened up for these two apps to work, even when most other apps would fail to connect or get redirected to a page telling you to upgrade to a data plan.
So what could these apps be using that most others probably didn't?
It turns out that both Meebo and WikiMobile where using HTTPS instead of plain HTTP to access the web. Knowing this, I disabled Wi-Fi on my phone, and pointed its browser to Gmail.com, and it worked! So, of course, any HTTPS proxy would work too.
Sure enough Kuvia.eu worked just fine. As did a number of other HTTPS proxy sites. The next thing I tried was using SSH to connect to a server running on port 443 (normally HTTPS). This too worked perfectly. With SSH access comes nearly unlimited potential. Still, there was more to be found.
Another trick to get full HTTP access is to use a program called "Secure-Me" (available in the Android Market). To set up Secure-Me, run the app and, under the proxy settings, set 127.0.0.1 as the hostname and 4289 for the port. Once you have things set, click "turn on" and Secure-Me should launch your web browser, which now has full 3G Internet access over a secure connection.
While Secure-Me is a pretty simple way to get things going, it wasn't the first thing I thought of. Another, slightly more complicated, method is to use an SSH tunnel along with a remote proxy. You will need to have both a working SSH server (listening on port 443) and proxy. I won't cover setting these things up here (Google is your friend), but I will mention that I found the proxy called "Polipo" the quickest to setup (www.pps.jussieu.fr/~jch/software/polipo), although many others should work as well (Squid, privoxy, etc.).
To use SSH as your proxy you will need to download the ConnectBot SSH client for Android (code.google.com/p/connectbot). Once you've connected to your SSH/proxy server with ConnectBot, hit the menu key and go to the port forward option. Here you'll want to set up a local port forward, with the source being a port above 1024 (I used 2200), and the destination being 127.0.0.1:#### (with #### being the port your remote computer is running its proxy on.
Once you have a proxy running with SSH, the next step is to get your web browser using it. The easiest way to do this is using a program called Anonymous Proxy (Secure-Me can also be used, as its mostly the same program). Once you have Anonymous Proxy installed on your Android, point it to the host of 127.0.0.1 and whatever port your proxy is running on. After enabling the proxy, all browser traffic will automatically be tunneled over your SSH connection.
Since we are limited to only using port 443, or tunneling over a proxy, lots of Internet enabled apps (including maps and the Android market) will still require use of Wi-Fi or an active 3G subscription with T-Mobile in order to function properly.
Although it may be possible to get these applications running over a tunnel, so I will leave it to my fellow readers to discover more.
Greets and thanks to: BeautifulPyre, ExVx, xDarkxAnarchyx, JohnnyLinux, Metaphorge, Tyrsalvia, Casual.Sadist, PCPPirate, Phone Losers Of America, and everyone at FreeGeek PDX.