Description of the Issue
There is an architectural security vulnerability regarding local inbound configuration. By default, NekoBox starts a local SOCKS5/HTTP proxy server on 127.0.0.1:2080 (or another assigned port) without any authentication (no username/password).
While "Apps VPN mode" split tunneling works for external traffic, the Android OS does not isolate the loopback interface (127.0.0.1) between different apps. As a result, any third-party application running on the phone (including potentially malicious apps, analytics scripts, or banking apps) can silently scan local ports, discover the unauthenticated SOCKS5 proxy, and route requests directly through it.
This entirely bypasses the Android system VPN controls, allowing any app to easily discover the real external IP address of the personal VPN endpoint server. This leads to targeted IP blockages by censors.
Furthermore, attempting to block this via internal routing rules (e.g., setting a src port: 2080 to Block / Reject) fails, as the inbound proxy appears to bypass the routing core completely.
Steps to Reproduce
- Start NekoBox with any active VLESS/Xray profile.
- Open Termux (or any other application that is NOT included/selected in the "Apps VPN mode" list).
- Execute the following command from the unselected app to request an external IP via the local loopback proxy:

```
curl --socks5 127.0.0.1:2080 https://ifconfig.me
```
- The command succeeds and prints the real IP address of the VPN server, proving that an app excluded from the VPN can still use the local port.
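The curl step above only shows that a request goes through. The script below (an added example written for this report, not code from the issue author or from NekoBox) checks the narrower property the report is about: whether a SOCKS5 listener selects the NO AUTHENTICATION method when that is the only method offered (RFC 1928 method negotiation). A device owner can run it against 127.0.0.1:2080 before and after enabling inbound credentials to confirm the change took effect. The two stub listeners are constructed for the demonstration and answer only the method-selection round; the default port 2080 is taken from the report.

```python
import socket
import threading

# SOCKS5 method-selection constants (RFC 1928 / RFC 1929).
SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_USERPASS = 0x02
METHOD_NONE_ACCEPTABLE = 0xFF


def socks5_accepts_no_auth(host, port, timeout=2.0):
    """Probe a SOCKS5 listener with only the NO AUTHENTICATION method offered.

    Returns True if the server selects method 0x00 (any local app could use
    the proxy without credentials), False if it answers 0xFF (credentials are
    mandatory). Raises ValueError if the reply is not a SOCKS5 method reply.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # VER=5, NMETHODS=1, METHODS=[NO AUTH]
        sock.sendall(bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH]))
        reply = sock.recv(2)
    if len(reply) != 2 or reply[0] != SOCKS_VERSION:
        raise ValueError(f"{host}:{port} did not answer like a SOCKS5 server")
    return reply[1] == METHOD_NO_AUTH


def start_stub_inbound(required_method):
    """Constructed stand-in for a local inbound (not NekoBox's own code):
    answers one method-selection round and then closes.
    required_method is the only method it will ever select."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # OS-assigned port so the stub never collides with a real proxy
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            greeting = conn.recv(257)  # VER + NMETHODS + up to 255 method bytes
            nmethods = greeting[1] if len(greeting) > 1 else 0
            offered = greeting[2:2 + nmethods]
            chosen = required_method if required_method in offered else METHOD_NONE_ACCEPTABLE
            conn.sendall(bytes([SOCKS_VERSION, chosen]))
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def audit(host="127.0.0.1", port=2080):
    """Print a one-line verdict for the proxy at host:port and return it
    (True = open to any local app, False = credentials required, None = unreachable)."""
    try:
        open_proxy = socks5_accepts_no_auth(host, port)
    except (OSError, ValueError) as exc:
        print(f"{host}:{port}: no SOCKS5 inbound reachable ({exc})")
        return None
    if open_proxy:
        print(f"{host}:{port}: SOCKS5 inbound accepts NO AUTH; any app on the device can use it")
    else:
        print(f"{host}:{port}: SOCKS5 inbound requires credentials")
    return open_proxy


if __name__ == "__main__":
    # Demonstrate against the two constructed stubs, then against the default NekoBox port.
    audit(port=start_stub_inbound(METHOD_NO_AUTH))    # accepts NO AUTH
    audit(port=start_stub_inbound(METHOD_USERPASS))   # credentials mandatory
    audit()                                           # 127.0.0.1:2080, if NekoBox is running
```

The probe deliberately offers only method 0x00: a listener that enforces username/password must answer 0xFF to that greeting, so a 0x00 reply is a direct confirmation of the condition described in this report, independent of whether the outbound route works.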
Expected Behavior
Users should be able to either:
- Completely disable the local SOCKS5/HTTP inbound proxy server if they only use global TUN routing.
- Set a mandatory local username and password (authorization) for the SOCKS5/HTTP inbound proxy so that third-party apps cannot use it without credentials.
Environment
- App Version: Latest available release
- OS Version: Android 12