Sync Android notifications encrypted using TLS to a Linux desktop over WiFi, Mobile data or Bluetooth.
This is the server part of AN2Linux which will run on your computer.
The Android app can be found here: https://github.com/rootkiwi/an2linuxclient/
I'm using archlinux but I've added here what I think to be the package names for debian/ubuntu as well.
- python (3.4+)
Arch: python
Debian / Ubuntu: python3
- libnotify
Arch: libnotify
Debian / Ubuntu: libnotify4 gir1.2-notify-0.7 gir1.2-gdkpixbuf-2.0
- python-gobject
Arch: python-gobject
Debian / Ubuntu: python3-gi
- openssl (1.0.1+)
- BlueZ dev files
Arch: bluez-libs
Debian / Ubuntu: libbluetooth-dev
- PyBluez with normal package manager
Arch: python-pybluez
Debian / Ubuntu: python3-bluez
- PyBluez or with pip
Arch: python-pip
Debian / Ubuntu: python3-pip
pip3 install pybluez
First time just run an2linuxserver.py
and follow the instructions.
AN2Linux uses TLS for encryption with both client and server authentication. That means that the client (android) and the server (your computer) need to exchange certificates first.
To initiate pairing you must have an2linuxserver.py
running and then in the
android app press initiate pairing when in the process of adding a new server.
First you need to pair your phone and computer with each other (the normal bluetooth pairing), and then do the certificate exchange as explained above.
Why use TLS over bluetooth when bluetooth is already encrypted?
Well, firstly, because I wanted to try :)
And secondly, from the little I've read about bluetooth it seems that the encryption key size negotiated can be very small.
I'm using archlinux so I'm going to tell you how it works for me, I have no idea how it works on other distros. It may work out of the box or it may not, just try it.
This is the error I get without the fixes below:
bluetooth.btcommon.BluetoothError: (13, 'Permission denied')
So, if you're not using archlinux but still are using systemd and get an error like that maybe you should try something similar.
systemctl edit bluetooth.service
[Service]
ExecStart=
ExecStart=/usr/lib/bluetooth/bluetoothd -C
ExecStartPost=/bin/chmod 662 /var/run/sdp
systemctl daemon-reload
systemctl restart bluetooth.service
More info about this problem: https://bbs.archlinux.org/viewtopic.php?id=201672.
First time when running an2linuxserver.py
it will create the directory:
$XDG_CONFIG_HOME/an2linux/
.
If $XDG_CONFIG_HOME
is not set it defaults to: $HOME/.config/an2linux/
.
In this config directory a few files will be created.
A default config file named config
will be created with the settings:
tcp_server
[on/off] default: ontcp_port
[0-65535] default: 46352bluetooth_server
[on/off] default: offbluetooth_support_kitkat
[on/off] default: offnotification_timeout
[integer] default: 5list_size_duplicates
[0-50] default: 0ignore_duplicates_list_for_titles
[comma-separated list] default: AN2Linux, titlekeywords_to_ignore
[comma-separated list] default: ''
Open that config file for more detailed info about every setting.
AN2Linux will generate a 4096 bit RSA key rsakey.pem
and a self-signed certificate certificate.pem
.
Just delete those and restart AN2Linux if you want to generate a new key and certificate.
After a successful certificate exchange AN2linux will create a file named
authorized_certs
.
Every line in that file will represent a trused certificate.
It will be in the format SHA256:<certificate_fingerprint> <trused_certificate>
.
That first part SHA256...
is not used by AN2linux at all, it's just
added as a convenience to the user to help distinguish between multiple certificates.
If the setting bluetooth_support_kitkat
is turned on
AN2linux will also generate a file named dhparam.pem
.
That is because SSLEngine does not support any ECDHE cipher suites until from API 20+ (Android 5.0+).
a popular easy-to-use firewall for Linux is Uncomplicated Firewall (ufw)
- install it:
- on Arch: $
sudo pacman -S ufw
- on Debian/Ubuntu: $
sudo apt-get install ufw
- on Arch: $
- start and enable ufw’s systemd unit:
- $
sudo systemctl start ufw; sudo systemctl enable ufw
- $
- set your mobile device's LAN ip to a static ip
- in the WiFi settings, long press the network you're connected to and tap "modify network"
- if authentication is required (it should) and you're authenticated already leave the password feild empty
- (Google it for the rest of steps, which depend on your region/router for the Gateway address)
- allow traffic limited to one port, from your mobile device's LAN static ip
- $
sudo ufw allow from <your-mobile-device's-LAN-static-ip> to any port <your-config-port>
- $
GNU General Public License 3, with the additional special exception to link portions of this program with the OpenSSL library.
See LICENSE for more details.