Android is a powerful operating system. To fully utilize its capabilities, a specific set of tools is required. Termux is a terminal emulator application enhanced with a large set of command line utilities ported to Android 1. It will be used to install servers for remote access (sshd) and for serving a static website (httpd). These will be exposed to the internet using Tor.


The Terminal

A terminal emulator provides an interface to the system using text commands. A core set of utilities is provided by default, and more can be installed and upgraded with pkg - the Termux package manager 2.

Refer to the official documentation to learn more about Termux: https://wiki.termux.dev/wiki/Main_Page.

Installation

The official source for installation is F-Droid, although builds are published on GitHub as well 3. The Google Play Store is not recommended. Do not mix applications between sources. Applications are installed by downloading and opening the Android Package Kit (APK) file.

To install applications from APK files, “Install from Unknown Sources” must be temporarily enabled in Settings for the file manager. For security, disable it once installation is completed.

The following applications need to be installed:

F-Droid does not need to be downloaded; search for the “Download APK” link under the latest version.

termux is the main application. termux-api exposes device functionality like vibrate, clipboard, torch and fingerprint 4. termux-boot allows Termux to start automatically after the device is restarted 5.


Servers

sshd

Remote access via Secure Shell (ssh).

Install and start sshd:

pkg install openssh
sshd

To use ssh, the hostname of the server and a username/password combination are required. Run whoami to determine the username (typically in the format u0_aXXX), and set the password with passwd.

While it is not strictly necessary, the local IP address of the phone can be used to test the connection. The local IP address can be found under WiFi settings by expanding the currently connected network. Run ssh from a different machine on the same network:

ssh -p 8022 u0_aXXX@192.168.0.1

The password will be prompted when connecting. This is not very secure since attackers could try and guess the username/password. To increase security, switch to key-based authentication by generating a key with ssh-keygen on the machine you will be connecting to the phone from:

ssh-keygen -t rsa
Enter file in which to save the key (/home/username/.ssh/id_rsa): /home/username/.ssh/keyname
Enter passphrase for "key-filename" (empty for no passphrase): 

This will create two files under /home/username/.ssh:

  • keyname: a passphrase protected private key
  • keyname.pub: a public key

The public key’s content must be copied to the file /data/data/com.termux/files/home/.ssh/known_hosts. This can be done using USB, by copying the text to clipboard and pasting it over ssh, or by using ssh-copy-id:

ssh-copy-id -p 8022 -i /home/username/.ssh/keyname.pub u0_aXXX@192.168.0.1

The private key can now be used to connect to the phone without a password:

ssh -p 8022 -i /home/username/.ssh/keyname u0_aXXX@192.168.0.1

Once the key-based authentication has been tested, disable password authentication by editing /data/data/com.termux/files/usr/etc/ssh/sshd_config and setting PasswordAuthentication no. Restart sshd for the changes to take effect:

pkill sshd
sshd

Try connecting from a different machine without the key; this should now fail:

ssh -p 8022 \
    -o PasswordAuthentication=yes \
    -o PreferredAuthentications=keyboard-interactive,password \
    -o PubkeyAuthentication=no \
    u0_aXXX@192.168.0.1

Keep the private key at /home/username/.ssh/keyname secure - you cannot log in remotely without it if “PasswordAuthentication” is disabled.
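A check for the PasswordAuthentication edit described above, as an added example that is not part of the original page. It reads only the global section of the file, and the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. sshd keeps the FIRST value it
# reads for each keyword (keywords are case-insensitive), so appending
# "PasswordAuthentication no" below an earlier "yes" changes nothing.

# effective_sshd_value FILE KEYWORD DEFAULT
# Value sshd would use from the global section (before the first Match
# block). Include files are not followed.
effective_sshd_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { FS = "[ \t=]+"; key = tolower(key); val = def }
        { sub(/^[ \t]+/, "") }            # drop indentation, re-split fields
        /^#/ || NF == 0 { next }          # skip comments and blank lines
        tolower($1) == "match" { exit }   # global section ends here
        tolower($1) == key { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# audit_sshd FILE: returns 0 only when password login is off and
# public-key login is on (OpenSSH defaults both to "yes").
audit_sshd() {
    pw=$(effective_sshd_value "$1" PasswordAuthentication yes)
    pk=$(effective_sshd_value "$1" PubkeyAuthentication yes)
    rc=0
    [ "$pw" = "no" ] || { echo "FAIL: PasswordAuthentication is '$pw'"; rc=1; }
    [ "$pk" = "yes" ] || { echo "FAIL: PubkeyAuthentication is '$pk'"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: key-only login"
    return "$rc"
}

# Constructed sample: the edit was appended after a commented default and
# an earlier active "yes", so password login is still enabled.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
#PasswordAuthentication yes
passwordauthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF
audit_sshd "$demo_cfg" || echo "edit did not take effect"
rm -f "$demo_cfg"

# Real use in Termux: audit_sshd "$PREFIX/etc/ssh/sshd_config"
```

Where sshd itself is available, `sshd -T` prints the configuration the daemon would actually use, including Include files, and is the authoritative check.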

httpd

Web server to host a website.

Install httpd:

pkg install apache2

Edit /data/data/com.termux/files/usr/etc/apache2/httpd.conf:

# Set server hostname and path to executables
ServerName 127.0.0.1
ServerRoot "/data/data/com.termux/files/usr"

# Set port which server accepts connections over
Listen 8080

# Set directory from which Apache will serve files
DocumentRoot "/data/data/com.termux/files/home/folderToServe"

# Set the file to save errors to
ErrorLog "/data/data/com.termux/files/home/httpd.log"

# Handle concurrent connections with Worker Multi-Processing Module
LoadModule mpm_worker_module libexec/apache2/mod_mpm_worker.so
# Maps file extensions to content types
LoadModule mime_module libexec/apache2/mod_mime.so
# Ensures proper privilege handling on Unix systems
LoadModule unixd_module libexec/apache2/mod_unixd.so

# Set default webpage to return when client connects to the server
LoadModule dir_module libexec/apache2/mod_dir.so
DirectoryIndex index.html

# Prevent arbitrary file requests (lock down filesystem)
LoadModule authz_core_module libexec/apache2/mod_authz_core.so
<Directory "/">
    Require all denied
</Directory>

# Allow access only from local connections (127.0.0.1)
LoadModule authz_host_module libexec/apache2/mod_authz_host.so
<Directory "/data/data/com.termux/files/home/folderToServe">
    Require local
</Directory>

Replace folderToServe with the path your website is saved at. Modules are available for more functionality - refer to the Apache HTTP Server documentation: https://httpd.apache.org/docs/current/mod/.

A folder from a different machine can be copied to the phone over ssh using rsync. The command below includes --dry-run, which only previews the transfer; run it without that flag to perform the copy:

rsync -havP --checksum --delete --dry-run \
    -e 'ssh -p 8022 -i /home/username/.ssh/keyname' \
    /local/path/to/folder/in/machine \
    u0_aXXX@192.168.0.1:/data/data/com.termux/files/home/folderToServe

Test to ensure the server starts without errors by running httpd. If the command doesn’t fail due to invalid configuration, errors will be logged to the file specified above by ErrorLog. The files under DocumentRoot should now be served - visit 127.0.0.1:8080 on the phone’s browser.


Tor

The proxy to the Internet.

To access a server over the internet, the server needs a public IP address. A Virtual Private Server (VPS) is a publicly accessible machine hosted by a cloud provider. Since the phone itself does not have a public IP address, it must use a reverse proxy like frp or nginx running on a VPS to be accessible on the internet. An alternative is to use the Tor network.

The Tor network is a group of volunteer-operated servers 6. It uses a special protocol for privacy and anonymity. A Tor service can be set up to make the local services accessible to the internet.

A Tor service address is different from public domains; this is the link for the Tor Project homepage:

http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/

It can be accessed using the Tor Browser, and will not work with browsers that do not route traffic through the Tor network.

To set up the Tor service, edit the Tor configuration file /data/data/com.termux/files/usr/etc/tor/torrc and append:

# Service for sshd
HiddenServiceDir /data/data/com.termux/files/home/.tor/ssh/
HiddenServicePort 22 127.0.0.1:8022

# Service for httpd
HiddenServiceDir /data/data/com.termux/files/home/.tor/webserver/
HiddenServicePort 80 127.0.0.1:8080

HiddenServiceDir defines where the identity files for the service must be stored. HiddenServicePort maps a virtual port to a local port. Clients will target the virtual port (22 or 80) and tor will forward this traffic to the specified local port (8022 or 8080).
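The mapping described above, as an added example that is not part of the original page: a small torrc reader that lists every virtual port a service publishes and where Tor forwards it. The function names are constructed; note that Tor connects to the target from 127.0.0.1, so every onion visitor satisfies the `Require local` rule in the httpd configuration.

```shell
#!/bin/sh
# Added example, not from the original page: list what a torrc publishes.
# Each HiddenServicePort belongs to the HiddenServiceDir above it. The
# target defaults to 127.0.0.1:<virtual port> when omitted.

# onion_mappings FILE
# Prints one line per mapping: "<service dir> <virtual port> <target> <scope>"
# where scope is "loopback", or "remote" when Tor would forward the traffic
# to another host over the network.
onion_mappings() {
    awk '
        { sub(/^[ \t]+/, "") }                     # drop indentation
        /^#/ || NF == 0 { next }                   # comments, blank lines
        tolower($1) == "hiddenservicedir" { dir = $2; next }
        tolower($1) == "hiddenserviceport" {
            vport = $2
            target = (NF >= 3 && $3 !~ /^#/) ? $3 : "127.0.0.1:" vport
            if (target ~ /^[0-9]+$/) target = "127.0.0.1:" target   # bare port
            scope = (target ~ /^(127\.|localhost|\[::1\]|unix:)/) ? "loopback" : "remote"
            d = (dir == "") ? "(no-HiddenServiceDir)" : dir
            print d, vport, target, scope
        }
    ' "$1"
}

# check_onion_targets FILE: returns 1 if any mapping leaves the device.
check_onion_targets() {
    ! onion_mappings "$1" | grep -q ' remote$'
}

# Sample input: the torrc lines from this page, written to a temp file.
demo_torrc=$(mktemp)
cat > "$demo_torrc" <<'EOF'
# Service for sshd
HiddenServiceDir /data/data/com.termux/files/home/.tor/ssh/
HiddenServicePort 22 127.0.0.1:8022
# Service for httpd
HiddenServiceDir /data/data/com.termux/files/home/.tor/webserver/
HiddenServicePort 80 127.0.0.1:8080
EOF
onion_mappings "$demo_torrc"
check_onion_targets "$demo_torrc" && echo "all targets are loopback"
rm -f "$demo_torrc"
```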

Execute tor and get the hostname of the service:

tor
cat /data/data/com.termux/files/home/.tor/ssh/hostname

Use torsocks to proxy ssh connections:

torsocks ssh -p 22 -i /home/username/.ssh/keyname \
    u0_aXXX@abcde23456abcde23456abcde23456abcde23456abcde23456abcdef.onion

Use the Tor Browser to visit the website. The services hosted on Android with Termux can now be accessed from anywhere in the world with an internet connection and Tor.


Autorun on boot

Keeping the services alive.

When the phone is rebooted, the services will stop. To automatically start up, the service must be enabled and Termux must be started on boot.

Enable services

Services run in the background and restart when certain conditions are triggered.

Install the service manager:

pkg install termux-services

Start the services and enable them to autostart when Termux starts:

sv up sshd
sv up tor
sv-enable sshd
sv-enable tor

The number of services supported is limited; refer to the documentation to learn more: https://wiki.termux.dev/wiki/Termux-services.

Start Termux on boot

Create the directory for boot scripts:

mkdir -p /data/data/com.termux/files/home/.termux/boot

Create a file (nvim start-services) under the boot directory:

#!/data/data/com.termux/files/usr/bin/sh
termux-wake-lock
. $PREFIX/etc/profile

termux-wake-lock stops Android from going into deep sleep - this prevents Android’s aggressive power management from suspending background processes. The line after it sources /data/data/com.termux/files/usr/etc/profile - this configures the environment.