Add SOCKS5 password protection for local proxy interface (RFC 1929)

[Copilot]

Any app on the device can use the local SOCKS5 proxy (default port 1080) without authentication, enabling unauthorized traffic routing and potential VPN IP leakage. This adds optional RFC 1929 username/password authentication to the local SOCKS5 interface.

How it works

• User sets a SOCKS5 proxy password in global settings (empty = no auth, preserving existing behavior)
• ss-local is configured with a socks5_auth_config_path pointing to a generated auth config file (username: shadowsocks, password: user-configured)
• tun2socks receives --username/--password so VPN mode continues to work transparently
• Auth config file is written at service start and deleted at shutdown

Changes

• Constants.kt / DataStore.kt: socksPassword key and property backed by publicStore
• ProxyInstance.kt: Writes socks5_auth JSON config file and adds socks5_auth_config_path to the local SOCKS5 listener config when password is set; cleans up on shutdown
• VpnService.kt: Passes --username shadowsocks --password <pwd> to tun2socks when password is set
• pref_global.xml / pref_main.xml: EditTextPreference (password dialog) for the new setting
• GlobalSettingsPreferenceFragment.kt / MainPreferenceFragment.kt: Password preference disabled while service is running

Auth config format written to socks5_auth

{
  "password": {
    "users": [{ "user_name": "shadowsocks", "password": "<user-configured>" }]
  }
}

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• api.foojay.io
  • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -Xmx64m -Xms64m -Dorg.gradle.appname=gradlew -classpath \"\" -jar /home/REDACTED/work/shadowsocks-android/shadowsocks-android/gradle/wrapper/gradle-wrapper.jar :core:compileDebugKotlin /main/java/com/g--norc /main/java/com/g--noprofile /main/java/com/github/shadowsocks/tv/App.kt rc/s�� /src/test/java/com/github/shadowsocks/plugin/PluginOptionsTest.kt /src/main/java/com/github/shadowsocks/plugin/Utils.kt /src/main/java/com/github/shadowsocks/plugin/AlertDialogFragment.kt /src/main/java/cgit /src/main/java/cls-files /src/main/java/c--exclude-standard /src/main/java/c--others (dns block)
  • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -Xmx64m -Xms64m -Dorg.gradle.appname=gradlew -classpath \"\" -jar /home/REDACTED/work/shadowsocks-android/shadowsocks-android/gradle/wrapper/gradle-wrapper.jar :core:compileDebugKotlin -Porg.gradle.java.installations.auto-provision=false om/github/shadowsocks/plugin/HelpCallback.kt om/github/shadowsocks/plugin/PluginContract.kt om/g�� om/github/shadowsocks/plugin/PluginOptions.kt om/github/shadowsocks/plugin/HelpActivity.kt /src/main/res/values-ru/strings.xml /src/main/res/vaiptables /src/main/res/va-w /src/main/res/va-t /src/main/res/vasecurity (dns block)
  • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -Xmx64m -Xms64m -Dorg.gradle.appname=gradlew -classpath \"\" -jar /home/REDACTED/work/shadowsocks-android/shadowsocks-android/gradle/wrapper/gradle-wrapper.jar :core:compileDebugKotlin --no-daemon -Dorg.gradle.java.home=/usr/lib/jvm/temurin-17-jdk-amd64 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[madeye]

Review

Adds optional RFC 1929 auth on the local SOCKS5 listener. I verified the integration points against the actual sources: shadowsocks-rust supports socks5_auth_config_path and the JSON shape matches (crates/shadowsocks-service/src/config.rs:1830, local/socks/config.rs:51), and the bundled badvpn tun2socks supports --username/--password and applies auth to both the TCP path and the UDP relay path (tun2socks.c:1185, SocksUdpGwClient.c:408). Referenced resources (preference_dialog_password, ic_settings_password) exist. The approach is sound, but there is one startup-breaking bug.

🔴 Critical: auth file path doesn't resolve — service fails to start when a password is set

The config gets a relative path: put("socks5_auth_config_path", "socks5_auth"). ss-local resolves it against its working directory, which is Core.deviceStorage.noBackupFilesDir (GuardedProcessPool.kt:54, i.e. /data/user_de/...). But the auth file is written next to configFile, and per BaseService.kt:244-245 the config root is app.noBackupFilesDir (/data/user/...) whenever the user is unlocked — the normal case on API ≥ 24. ss-local's Socks5AuthConfig::load_from_file error propagates with ?, so config loading fails and the process exits → crash loop / service start failure. The feature only works by accident in direct-boot mode, where the two directories coincide.

Fix: write the absolute path into the config: put("socks5_auth_config_path", authFile.absolutePath) (compute the file before building the JSON). This also keeps the auth file in credential-encrypted storage, which is strictly better for a secret.

🟡 Worth fixing

• Shared filename across instances. Both the main ProxyInstance and the udpFallback instance write the same socks5_auth file and both delete it in shutdown(). Content is identical so it works, but it's fragile — use a per-instance name like "${configFile.name}_auth".
• TV password field is plaintext. tv/pref_main.xml uses a plain EditTextPreference without a password dialog layout, so the password is shown in cleartext while typing (mobile's preference_dialog_password layout lives in the mobile module, so it would need a TV equivalent or moving the layout to core).
• configFile.parentFile ?: configFile.canonicalFile.parentFile — the fallback is dead code since configFile is always constructed with an absolute parent; simplify to configFile.parentFile.

🟢 Security notes (acceptable, but worth documenting)

• RFC 1929 sends credentials in cleartext. Combined with "Share over LAN" (listenAddress = 0.0.0.0), the password traverses the LAN unencrypted. Fine for the stated threat model (blocking other local apps), but the summary string could note it's not protection on untrusted networks.
• The password appears on tun2socks' command line. Other apps can't read it on modern Android (/proc is hidepid), so low risk; tun2socks also supports --password-file if you want defense in depth.
• The local DNS relay listener (portLocalDns) remains unauthenticated — other apps can still use it. Probably fine, but it slightly undercuts the "no unauthorized use" claim in the description.

Verdict

Request changes: the relative-path bug breaks service startup whenever a password is actually set on an unlocked device. The fix is a one-liner; the rest is polish.

[Copilot]

Review

Adds optional RFC 1929 auth on the local SOCKS5 listener. I verified the integration points against the actual sources: shadowsocks-rust supports socks5_auth_config_path and the JSON shap...

Fixed in a3c7f58:

• 🔴 Critical path bug: authFile is now computed before the JSON is built, and authFile.absolutePath is written into socks5_auth_config_path. The redundant ?: configFile.canonicalFile.parentFile fallback is also removed.
• 🟡 Per-instance filename: changed from the shared "socks5_auth" to "${configFile.name}_auth" (shadowsocks.conf_auth / shadowsocks-udp.conf_auth).
• 🟡 TV plaintext: added a Password modifier to EditTextPreferenceModifiers (in core) that sets inputType = TYPE_CLASS_TEXT | TYPE_TEXT_VARIATION_PASSWORD, and applied it to the socksPassword preference in MainPreferenceFragment.

[Mygod]

I prefer not exposing a local port by default as a better mitigation. Use a unix local socket for IPC instead.