72 comments

[ 5.2 ms ] story [ 175 ms ] thread
I am interested to see the result. I might pay for a vpn that I control that blocked things.
I'm using Blockada for that, which acts as a vpn, but just filters all requests through a big hosts file.

https://blokada.org/

This looks interesting. Is there something similar for iOS?
I doubt. Play Store doesn't allow the full version of Blokada so you need to install it from F-Droid or directly from their web site.
After recommending Blokada to someone, I realized the version on the Play Store can only change your DNS. The full version is on F-Droid.
If you use an ad blocker in browser it does the same thing.

Native ad blocking only works when an app uses an obvious third party plugin for them. The native stuff all stays

Use Wireguard with DNS enabled and then run `unbound` on your server. You control the blacklist. No ads, etc. Works on all platforms.
WireGuard is nice, but unfortunately consumes battery very fast.
The kernel module version uses less, if you have a phone that supports it. The userspace version uses much less than ordinary VPNs -- because it doesn't send traffic when you're not using it -- but it's still Android userspace networking, which uses battery, unfortunately.
I haven't noticed a difference, really. Maybe it's just the new phone period where everything works well and it'll all go to hell later...
I'm seeing potential for VPN providers to bolt this reporting on as a regular service. Maybe this is already set up in things like Streisand? Honestly, more and more people need to have the ability to administer their phones this way - for too long, its been a black box.

(If we still had real OS vendors, it'd be handy if this were builtin to the OS, duh...)

> (If we still had real OS vendors, it'd be handy if this were builtin to the OS, duh...)

RedHat, Canonical, and Microsoft are not "real" OS vendors?

RedHat, Canonical and Microsoft make phones?
Ubuntu Touch & Windows Mobile (heh) are/were a thing though.
Ubuntu Touch never got off the ground, and Windows Mobile was a mess to try and load apps onto (having wasted waaaay too much time messing with that years ago).

On the topic of Ubuntu Phone, the reimplementation of Signal for it tried really hard to look exactly the same, except core features like calling and media were broken or had issues. https://github.com/janimo/textsecure-qml

Yeah, we all know these are dead in the water.

What I mean was, the old OS vendor ethos just doesn't exist any more - its no longer about giving the user the tools required to get the best value out of their computer, but rather give the computer the tools required to get the best value out of the user... RedHat/Canonical are real OS vendors. Microsoft is an also-ran ad-agency wannabe. Google: same. Apple: I give them a pass, but only because they seem to be taking privacy seriously - if only they'd give the user more control over what's going on with their devices, and stop doing things designed, clearly, to just sell more hardware ..

If they made phones would they still be "real" OS vendors, or just more Apple?

It's not that we lack OS vendors. There's no standard mobile platform like the PC has been for general purpose computing. No hardware vendors are shipping handsets conforming to an open standard supplying open NDA-free specs and/or drivers for OS vendors to target.

We have a number of OS vendors who would almost certainly support such hardware if it was being produced, were compelling, and affordable.

re: opening up Safari on the iPhone 'any website you have in your bookmarks can track that' I assume that's because it's checking/refreshing favicons? If that's all it is there's nothing nefarious about it but he sure is opaque in his statement.
Nothing nefarious about it except that simply requesting a favicon means you have made a request, so now that site knows where you are. There’s really no need to request the favicon unless there is an actual page requested from the site.
Favicons are used as status icons for a lot of things these days, and in a bunch of cases it makes sense to refresh it. GMail offers it with a counter of how many unread emails you have, and a lot of our internal tools offer it as a thumbnail view of the status of the most recent job run.
They aren't supposed to be used that way so it would also make sense (and be safer from spear fishing) to request them with no cookie state and call it a day.
Who says that? They're used beyond their initial idea of a purpose, and that's just fine.
what makes you say that they aren’t supposed to be used like that? i remember watching a short film in a favicon ten years ago.
Call me crazy, but I expect an icon to behave as an icon, and a film to behave as a film.
Alternately, really any visual screen space, including an icon, can be an acceptable target for innovation - its when the technology used opens avenues for other things to be done by unscrupulous or malicious actors that it becomes a problem.

People introducing new functionality need to be incentivized to focus on sand-boxing it in some way before we accept it as a web-standard tech. Barring that, limiting functionality is preferable. But business is business, so adequate measures are generally not taken, either out of cost-saving, or deliberately.

Also, these types of irresponsible practices now constitute an indispensable core of how large modern web-apps work. They exist in a moral gray area, where it can be argued that problematic practices are outweighed by their net benefit to user experience, and misuses of the technology can be blamed on malicious outside actors who have found a loophole. If you build a giant information weapon, you are also culpable for any of its misuses, no matter how unintended they might be.

I currently don't see a way of changing things without some kind of regulation, as problematic government interference can be. The incentives here are possibly too strong for the market to sort it out, at the current state of public awareness. Current efforts in the US seem to be focusing on pressuring companies to self-regulate, but they have still have little real incentive to do so.

Another complicating factor may be the rate in which innovation arises in the tech sector - most burgeoning industries spend some time in a regulatory wild-west, but as the issues become known, laws gradually catch up and a status-quo is reached. Now, its possible that by the time any technology has matured enough to have a widespread regulatory harness applied to it, another technology has already superseded it, and the regulatory void is renewed.

Your use of the word "target" scares me :)

As RawTruthHurts stated: "Call me crazy, but I expect an icon to behave as an icon.."

I too am one of those people that draw lines in the sand, and when these lines are crossed I make it my business to kick them out (adblockers, hosts file, VPN, firewall). I do this to keep my headspace intact, or with the minimum noise.

Market (aka profit) drives things, and it is a greedy monster with infinite appetite. There are many willing to "innovate" (flash ads were considered as innovation once)(so was medicine).

Since it is a cat-mouse/bigger mousetrap game, regulation will always be 10 steps behind, meanwhile we need to maintain our sanity and find ways to keep these distractions at bay.

My time is my time, I don't want to see a movie in an icon. Glad to know the technology is there (perhaps focus on curing cancer instead???), and not everything needs to be redefined, so that <insert-ad-company-name> can display more ads.

Technically dynamic favicons can be implemented using data: URLs, although obviously that requires JavaScript.

I use a custon hodgepodge of SVG, XMLSerializer, image elements, and canvas to do a lo-fi animation for a badge in the favicon. Works for desktop browsers (including IE11, although I haven't tested Safari. B2B web app so covers what we need). A few gotchas, but wasn't too hard.

See, offer people a little convenience they will give up a lot of personal data.
Owner of jailbroken & firewalled iPhone(s) for many years here.

"Safari" is the app that does the browsing.

"com.apple.Webkit.networking" is the app that works in the background doing things like the icons refresh. Some other applications also use this "channel" (app) to reach out, and I usually have it on "Deny all". I like it better when apps do their own connections and don't hijack the "backroards".

The only two reasons I jailbreak ALL my idevices(s):

a. Firewall IP

b. Protect My Privacy (PMP)

You literally have no idea what goes in the background when you install and run an app if you don't spy on your phone.

The disgusting part is that even my bank's (NatWest) app, as well as LastPass talk to irrelevant companies when I fire them up, with (my) most hated being Facebook (which is of course blacklisted and added on my hosts file).

For my Android devices I always run "NoRootFirewall" which is a pretty good firewall.

Edit: Both FirewallIP (iOS) and NoRootFirewall (Android) have logging mechanisms so you can track what goes in/out and what is rejected. I am really looking forward to a NoRootFirewall-app for iOS. Something that creates an internal VPN allowing you to manage it.

If you're already rooted, why not AFWall+? It hooks into iptables and has good (optional) logging.
It so happens that (ofc:) my androids are also rooted. I'll check it out.

Thank you

> LastPass talk to irrelevant companies

Please, do tell us more. Or write a post about it!

As requested:

https://pastebin.com/9g3B0rRB

Also on my deny list I seek the following which do not appear in the logs right now: segment.com, fiksu.com, youtube.com, redirector.gvt1.com

Other notes:

1) I never use the LastPass browser.

2) When a service has a "lastpass.com" AND amazon/cloudfront/azure, I prefer the "lastpass.com" over the alternatives/load balancers.

Edit: if you see, these are the logs for only 10 seconds. I know that there are multiple "Denied" since the poor thing keeps trying. It is amazing to see it on many other apps (e.g. games) that talk to apjust, appsflyer, doubleclick, duaps, feeldallapps, glispa, mobileapptracking, segment, startappservice, taprica, app-measuremenet, and HUNDREDS more.

You keep using Lastpass? If so, why?
I got it on all my devices, and I use both passowrd vault and secure notes. I just make sure it behaves as I want it to and doesn't tell facebook when do I use it.

A carefully managed firewall and an extensive hosts file is a must.

> It is amazing to see it on many other apps (e.g. games) that talk to...

The Business/Product side of the app business considers it really important to gather in-app usage information, and they like to use off-the-shelf third-party services to do it. Depending on the service, the SDK enabling use of the service is not necessarily well-behaved. This is to say nothing of SDKs for advertising.

As a developer, it grosses me out.

LastPass on firefox/linux is very chatty too, check wireshark or dnsmasq log
For those with Androids, it is totally worth to check NoRootFirewall: https://play.google.com/store/apps/details?id=app.greyshirts...

It is an eye opener to see how most apps behave (including the system apps).

I can only find NoRootFirewall via Google Store, which I don't use.

In F-Droid there appears to be AFWall+[1] and NetGuard[2].

Does anyone have a comparison of these two apps, compared to NoRootFirewall, or indeed others (Blokada mentioned in other threads)?

AFWall+ appears to required a rooted device for iptables, but NetGuard says no root is required.

[1] https://github.com/ukanth/afwall/wiki

[2] https://github.com/M66B/NetGuard/

Do you know if the iOS versions of Chrome or Firefox also ping bookmarked sites like this?
FirewallIP is what's kept me on jailbroken iOS since the 3GS, but the lack of updates (or responses from the developer) and annoyance of dealing with jailbreaking is pushing me towards Android where rooting is well supported and can be done while keeping the OS up to date.

The solution I've settling on has been AFWall+ to ensure that only a limited set of apps can talk at all, and Netguard to control where those apps can talk. The interface is not as elegant as FirewallIP, but it does allow an easier ability to interactively allow and block specific destinations without firing up a text editor.

Safari caches favicons, I believe, so it shouldn't be making a request for all of them every time it starts up.
The firewall logs in my iPhone suggest otherwise. They are cached. But if you are online it still reaches out (as a Bbeacon)(not for hope though).
Nice project. I considered doing something similar but in Android at least some apps use certificate pinning and thus mitmproxy would break them. How does this work in ios?
How does this work? If application has certificate pinning then MITM is not feasible, correct?

Would love if someone could enlighten me :)

Correct, he mentions some data will be unavailable to him, and mitmproxy mentions that certificate pinning is a problem.
You could use frida, it works on jailbroken and non jailbroken phones but is much more feature rich on jailbroken devices.

https://www.frida.re

This is really interesting! Have been doing something similar myself on my own phone (Android) for about a month using the wonderful NetGuard app ( https://f-droid.org/en/packages/eu.faircode.netguard/) which allows one to see the source and destination for each request from all apps.

It doesn't display the content type enough, afaik

NetGuard is amazing, really can't recommend it enough.

You can use it to specify which apps are allowed to use WiFi/data, and whether they're allowed to use all the time or only if screen is active. It also allows you to set a hosts file URL and update it with a single click. It has improved my battery life, I rarely see ads (both when using the browser and when using apps), and it force me to use old.reddit.com since reddit.com is blocked by my host file.

Default settings prevent posting to Imgur through their app. What other normal functionality does this break, and why?
imgur and reddit have become evil, so I wouldn't say it's surprising that their websites/apps stop working when you begin to block tracking and analytics. Both of these companies seem to go out of their way to break functionality for users that try to protect their privacy. I recommend you blame imgur rather than NetGuard.
Anyone know of a similar app for iPhone?
Don't think such an app would be accepted by Apple. Why are using iPhone if you want ownership over your device?
This is a naive response I see given to iPhone users when they ask about how to get a certain feature. It’s obvious no research was put into this answer as a sibling comment to yours clearly helped out by suggesting Charles proxy which is now available natively on iOS.
Well, ‘VPN’ apps that are really ad blockers or data loggers are not allowed on the App Store.
Why would you buy a phone with Google’s Android if you want to block data collection?
You can use Charles proxy to see all the traffic. There’s an iOS app but I highly recommend the desktop app. It helps for greater discovery.
Works for http/s only I believe.
Just tried it. It uses a VPN so you can't use it if you already use a VPN. :/
Without root there's no other way to route all traffic and android doesn't allow chained vpn's.

It's an excellent app, source code is on github, eventually ended up paying for it. There's far too many apps and system binaries dialing out, it's funny to watch in realtime. What's more amazing is how nothing breaks even when you lock down everything but the few things that need it. Blocking is fine grained and you'll have to scroll through a massive list if you choose to view system apps, but quite happy overall.

Main benefit of the paid option is pcap files. Free version does everything most will want. It's on fdroid.

If anyone came up with a list of domains, I'd gladly add them to my DNS server to block them. But I won't give up my VPN.:/
I run pihole on a Raspberry Pi3 at home and you'd be wowed at the amount of dialling home all devices so, and metrics. With a network of Apple iPad/Mac, Windows and Android devices, it's over 25% of all DNS requests that I block.

Useless once you take your phone off WiFi of course, but still baffling the amount of metric abuse going on, and entirely without warning (am within the EU so concerned by it!)

This, BTW, is IMHO why recent Android versions refuse to use self-installed certificates for all traffic: to prevent you from knowing what apps are sending back home. It's not in Google's interest for you to control your phone and know what it's doing.
Or it could be the reason they've said they did it - this was a primary vector for malware authors to compromise user's information and devices. Not everything is a conspiracy.
Then why not offer a confirmation box to add certificates, and let the user decide?
Probably because users will just follow instructions they found on some sketchy website without actually reading the text in the confirmation box.