[HN Gopher] Lockdown: Open Source firewall that blocks app track...
       ___________________________________________________________________
        
       Lockdown: Open Source firewall that blocks app tracking, ads,
       snooping and more
        
       Author : tilt
       Score  : 49 points
       Date   : 2020-02-13 21:14 UTC (1 hours ago)
        
 (HTM) web link (lockdownhq.com)
 (TXT) w3m dump (lockdownhq.com)
        
       | egdod wrote:
       | For an open source app distributed on the App Store, is there
       | actually any way of verifying that what you get on your phone is
       | the same as the source code you can read?
        
         | rectang wrote:
         | Checksum of a binary package against checksum of a reproducible
         | build?
        
         | offmycloud wrote:
         | If Apple keeps pushing their Bitcode LLVM IR trans-compiling,
         | along with magic App Store re-linking, they will kill the
         | possibility of reproducible builds forever. In Apple's world,
         | you are supposed to trust their app vetting process, not the
         | source code on some website.
        
       | kodablah wrote:
       | Is there anywhere with an in-depth overview of what this does?
       | Does it just fail DNS requests and block known IPs? How are the
       | lists maintained and updated? With TLS and it surely not mitm-ing
       | connections, that's all it can do, correct?
        
         | josteink wrote:
         | > With TLS and it surely not mitm-ing connections, that's all
         | it can do, correct?
         | 
         | Unless it also acts as a web-proxy, yes.
        
           | winternett wrote:
           | It can possibly access all your activity, contacts,
           | microphone, and camera... Hard pass from me at the moment. :/
        
             | rectang wrote:
             | It's a start. It's good that it's open source, but that's
             | necessary but not sufficient to establish trust for something
             | which requires such significant privileges.
             | 
             | You also want to be able to know who the authors are, to
             | evaluate them for trustworthiness, and to evaluate their
             | processes to see how well hardened they are against
             | malicious contributions.
        
           | jangoolie wrote:
           | It uses the `NetworkExtension` framework to intercept all
           | your communications and potentially modify them.
           | 
           | https://developer.apple.com/documentation/networkextension
        
         | ignoramous wrote:
         | The source indicates that they check in DNS block-lists as
         | JSON files [0] and txt files (one of which has Facebook IPv4s)
         | [1]. So, the updates to those would require app updates, I
         | guess, unless there's OTA for the blocklists somewhere in the
         | code that I missed.
         | 
         | My experience with running client-side DNS based blockers is
         | that they consume additional battery and need a lot of RAM if
         | you block with aggressive lists that have more than 1M+ domains.
         | Besides, DNS based blockers can be circumvented by apps that do
         | their own resolution over DoH or use clever techniques like
         | CNAME cloaking [2]. Some nameservers such as the one run by
         | Cloudflare flatten the CNAMEs [3], effectively rendering even
         | nextdns' solution ineffective [4].
         | 
         | I must also note that Cloudflare does hide the origin IP if they
         | are set up to reverse-proxy the traffic, which then would render
         | IP based blocklists ineffective, too, unless Cloudflare's IPs
         | are blocked, as well.
         | 
         | The folks who build the lockdownhq apps are also the makers of
         | https://confirmedvpn.com. I believe u/willstrafach's
         | https://guardianapp.com (VPN and ad-blocking) and u/poitrus's
         | https://nextdns.io (no VPN), https://adguard.com are other
         | comparable alternatives on iOS.
         | 
         | Disclosure: I run a competing ad-blocking service.
         | 
         | ---
         | 
         | [0] https://github.com/confirmedcode/lockdown-
         | ios/tree/master/Lo...
         | 
         | [1] https://github.com/confirmedcode/lockdown-
         | ios/tree/master/Lo...
         | 
         | [2] https://trackingthetrackers.com/
         | 
         | [3] https://blog.cloudflare.com/introducing-cname-flattening-
         | rfc...
         | 
         | [4] https://medium.com/nextdns/cname-cloaking-the-dangerous-
         | disg...
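       The matching logic kodablah asks about above ("fail DNS requests and
       block known IPs") and the CNAME cloaking / CNAME flattening problem
       ignoramous describes, as an added worked example. This is not
       Lockdown's code and not taken from any of the linked projects; the
       blocklist entries, hostnames, CNAME chains and IP ranges are
       constructed sample data (192.0.2.0/24 is the RFC 5737 documentation
       range), and "flattening resolver returns an empty CNAME chain" is a
       simplified model of what the thread describes.

       ```python
       """Added example: client-side DNS/IP blocklist matching, and why a
       CNAME chain matters. All data below is constructed for illustration;
       none of it is Lockdown's list content or real tracker infrastructure.
       """
       import ipaddress

       # Constructed domain blocklist. A name is blocked if it equals an entry
       # or is a subdomain of one (suffix match, not substring match).
       BLOCKLIST = {"tracker.example", "ads.example"}

       # Constructed IP blocklist (the kind of list the thread says Lockdown
       # ships as a txt file). Matching is done per network, not per string.
       IP_BLOCKLIST = [ipaddress.ip_network("192.0.2.0/24")]


       def normalize(name: str) -> str:
           """Lower-case and strip the trailing dot DNS answers often carry."""
           return name.rstrip(".").lower()


       def is_blocked_name(name: str, blocklist=BLOCKLIST) -> bool:
           """Suffix match: 'cdn.tracker.example' is caught by 'tracker.example'.

           The loop stops before the bare TLD so 'example' alone never matches.
           """
           labels = normalize(name).split(".")
           return any(".".join(labels[i:]) in blocklist
                      for i in range(len(labels) - 1))


       def is_blocked_ip(addr: str, blocklist=IP_BLOCKLIST) -> bool:
           """Block if the resolved address falls inside any listed network."""
           ip = ipaddress.ip_address(addr)
           return any(ip in net for net in blocklist)


       def is_blocked_chain(qname: str, cname_chain, blocklist=BLOCKLIST) -> bool:
           """Check the queried name AND every CNAME target the resolver gave us.

           This is what catches CNAME cloaking: the first-party name looks
           clean, but it aliases to a blocklisted domain.
           """
           return any(is_blocked_name(n, blocklist) for n in [qname, *cname_chain])


       # Constructed resolver answers for the same query. A non-flattening
       # resolver exposes the CNAME chain; a flattening resolver (as the thread
       # says Cloudflare's does) returns only the final A record, so the
       # blocker never sees the alias.
       UNFLATTENED = {"metrics.shop.example": ["shop-metrics.tracker.example"]}
       FLATTENED = {"metrics.shop.example": []}


       def decide(qname: str, answers) -> str:
           """Return 'BLOCK' or 'ALLOW' for a query given the resolver's answers."""
           chain = answers.get(qname, [])
           return "BLOCK" if is_blocked_chain(qname, chain) else "ALLOW"


       if __name__ == "__main__":
           q = "metrics.shop.example"
           print("with CNAME chain:   ", decide(q, UNFLATTENED))   # BLOCK
           print("flattened answer:   ", decide(q, FLATTENED))     # ALLOW
           print("IP 192.0.2.10 blocked:", is_blocked_ip("192.0.2.10"))  # True
       ```

       The two `decide` calls show the failure mode from the thread directly:
       the same query is blocked when the resolver returns the CNAME chain and
       allowed when the chain has been flattened away, which is why a purely
       client-side name matcher cannot rely on seeing the alias. The IP check
       is the fallback the thread mentions, with its own limit: once the
       tracker sits behind a shared reverse proxy, the resolved address no
       longer identifies it.
       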
        
       | mongro1 wrote:
       | So pihole then.
        
         | pfundstein wrote:
         | No.
        
       | Perizors wrote:
       | Seems to operate the same way AdGuard on Mac/Android does?
        
       | ropiwqefjnpoa wrote:
       | It functions similarly to other mobile ad-blockers in that it can
       | route all your phone's traffic over a VPN tunnel it establishes.
       | 
       | But the ad-blocking VPN server is 127.0.0.1, so perhaps, like it
       | says, all the blocking happens right on your phone.
       | 
       | This is what I've been waiting for if this works.
       | 
       | Still getting ads on Instagram though.
        
       ___________________________________________________________________
       (page generated 2020-02-13 23:00 UTC)