[HN Gopher] Lockdown: Open Source firewall that blocks app tracking, ads, snooping and more
___________________________________________________________________
Author : tilt
Score  : 49 points
Date   : 2020-02-13 21:14 UTC (1 hours ago)
Link   : lockdownhq.com
___________________________________________________________________
| egdod wrote:
| For an open source app distributed on the App Store, is there actually any way of verifying that what you get on your phone is the same as the source code you can read?
|
| rectang wrote:
| Checksum of a binary package against checksum of a reproducible build?
|
| offmycloud wrote:
| If Apple keeps pushing their Bitcode LLVM IR trans-compiling, along with magic App Store re-linking, they will kill the possibility of reproducible builds forever. In Apple's world, you are supposed to trust their app vetting process, not the source code on some website.
|
| kodablah wrote:
| Is there anywhere with an in-depth overview of what this does? Does it just fail DNS requests and block known IPs? How are the lists maintained and updated? With TLS and it surely not MITM-ing connections, that's all it can do, correct?
|
| josteink wrote:
| > With TLS and it surely not mitm-ing connections, that's all it can do correct?
|
| Unless it also acts as a web proxy, yes.
|
| winternett wrote:
| It can possibly access all your activity, contacts, microphone, and camera... Hard pass from me at the moment. :/
|
| rectang wrote:
| It's a start. It's good that it's open source, but that's necessary, not sufficient, to establish trust for something which requires such significant privileges.
|
| You also want to be able to know who the authors are, to evaluate them for trustworthiness, and to evaluate their processes to see how well hardened they are against malicious contributions.
|
| jangoolie wrote:
| It uses the `NetworkExtension` framework to intercept all your communications and potentially modify them.
|
| https://developer.apple.com/documentation/networkextension
|
| ignoramous wrote:
| The source indicates that they check in DNS block-lists as JSON files [0] and txt files (one of which has Facebook IPv4s) [1]. So, the updates to those would require app updates, I guess, unless there's OTA for the blocklists somewhere in the code that I missed.
|
| My experience with running client-side DNS-based blockers is that they consume additional battery and need a lot of RAM if you block with aggressive lists that have more than 1M+ domains. Besides, DNS-based blockers can be circumvented by apps that do their own resolution over DoH or use clever techniques like CNAME cloaking [2]. Some nameservers, such as the one run by Cloudflare, flatten the CNAMEs [3], effectively rendering even nextdns' solution ineffective [4].
|
| I must also note that Cloudflare does hide the origin IP if it is set up to reverse-proxy the traffic, which would then render IP-based blocklists ineffective, too, unless Cloudflare's IPs are blocked as well.
|
| The folks who build the lockdownhq apps are also the makers of https://confirmedvpn.com. I believe u/willstrafach's https://guardianapp.com (VPN and ad-blocking), u/poitrus's https://nextdns.io (no VPN), and https://adguard.com are other comparable alternatives on iOS.
|
| Disclosure: I run a competing ad-blocking service.
|
| ---
|
| [0] https://github.com/confirmedcode/lockdown-ios/tree/master/Lo...
|
| [1] https://github.com/confirmedcode/lockdown-ios/tree/master/Lo...
|
| [2] https://trackingthetrackers.com/
|
| [3] https://blog.cloudflare.com/introducing-cname-flattening-rfc...
|
| [4] https://medium.com/nextdns/cname-cloaking-the-dangerous-disg...
|
| mongro1 wrote:
| So pihole then.
|
| pfundstein wrote:
| No.
|
| Perizors wrote:
| Seems to operate the same way adguard from mac/android does?
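Editor's added example, illustrating the points in kodablah's and ignoramous's comments above. This is not Lockdown's code and not any commenter's code: it is a toy on-device DNS response filter that shows why a blocker that only checks the queried name misses a CNAME-cloaked tracker, why following the CNAME chain catches it, why a resolver that flattens CNAMEs hides the chain again, and where an IP blocklist helps and where a reverse proxy defeats it. Every record, name (tracker-cdn.example, metrics.shop.example) and address (RFC 5737 documentation ranges) is constructed; resolution itself is simulated rather than performed.

```python
# Added illustration (not Lockdown's code, not any commenter's code): a toy
# on-device DNS response filter. All records, names and addresses below are
# constructed (RFC 5737 documentation ranges); nothing is resolved for real.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record from a (simulated) DNS answer section."""
    name: str    # owner name, may carry a trailing dot
    rtype: str   # "CNAME" or "A"
    rdata: str   # CNAME target, or dotted-quad IPv4 for an A record


def norm(name: str) -> str:
    """Canonicalise a DNS name for comparison: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


def name_blocked(name: str, domain_blocklist: Set[str]) -> bool:
    """Suffix match: the name itself or any parent domain is on the list."""
    labels = norm(name).split(".")
    return any(".".join(labels[i:]) in domain_blocklist for i in range(len(labels)))


def cname_chain(qname: str, answers: List[RR]) -> List[str]:
    """Follow CNAMEs starting at qname; returns every owner name visited."""
    cnames = {norm(rr.name): norm(rr.rdata) for rr in answers if rr.rtype == "CNAME"}
    chain = [norm(qname)]
    seen = set(chain)
    while chain[-1] in cnames:
        nxt = cnames[chain[-1]]
        if nxt in seen:          # guard against a CNAME loop in a hostile answer
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def resolved_ips(qname: str, answers: List[RR]) -> List[str]:
    """A records owned by the final name of the CNAME chain."""
    final = cname_chain(qname, answers)[-1]
    return [rr.rdata for rr in answers if rr.rtype == "A" and norm(rr.name) == final]


def filter_response(qname: str, answers: List[RR],
                    domain_blocklist: Set[str], ip_blocklist: Set[str]) -> Tuple[bool, str]:
    """Decide whether to drop the answer. Returns (blocked, reason)."""
    if name_blocked(qname, domain_blocklist):
        return True, "qname"                      # all a qname-only blocker ever checks
    for alias in cname_chain(qname, answers)[1:]:
        if name_blocked(alias, domain_blocklist):
            return True, f"cname:{alias}"         # catches CNAME cloaking
    for ip in resolved_ips(qname, answers):
        if ip in ip_blocklist:
            return True, f"ip:{ip}"               # last resort once the chain is flattened
    return False, ""


# Constructed blocklists and answer sections.
DOMAIN_BLOCKLIST = {"tracker-cdn.example"}
IP_BLOCKLIST = {"203.0.113.10"}                   # the tracker's own address

DIRECT = [RR("tracker-cdn.example.", "A", "203.0.113.10")]
CLOAKED = [RR("metrics.shop.example.", "CNAME", "x.tracker-cdn.example."),
           RR("x.tracker-cdn.example.", "A", "203.0.113.10")]
FLATTENED = [RR("metrics.shop.example.", "A", "203.0.113.10")]  # resolver flattened the CNAME
PROXIED = [RR("metrics.shop.example.", "A", "198.51.100.7")]    # flattened, behind a reverse proxy


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the scenarios; values are (blocked, reason) from the filter."""
    return {
        "direct": filter_response("tracker-cdn.example", DIRECT, DOMAIN_BLOCKLIST, IP_BLOCKLIST),
        "cloaked_qname_only": (name_blocked("metrics.shop.example", DOMAIN_BLOCKLIST),
                               "qname-only check sees a first-party name"),
        "cloaked": filter_response("metrics.shop.example", CLOAKED, DOMAIN_BLOCKLIST, IP_BLOCKLIST),
        "flattened_no_ip_list": filter_response("metrics.shop.example", FLATTENED, DOMAIN_BLOCKLIST, set()),
        "flattened_with_ip_list": filter_response("metrics.shop.example", FLATTENED, DOMAIN_BLOCKLIST, IP_BLOCKLIST),
        "proxied": filter_response("metrics.shop.example", PROXIED, DOMAIN_BLOCKLIST, IP_BLOCKLIST),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} -> {result}")
```

The cloaked case is blocked only because the filter inspects the CNAME targets, not just the name the app asked for; once an upstream resolver flattens the alias away, the answer looks like a first-party A record and only an IP blocklist can still catch it, and if that IP belongs to a reverse proxy shared with legitimate sites (the proxied case) even that fails without blocking the proxy wholesale. An app that resolves over DoH inside its own TLS session never hands this filter a query at all, which is the remaining bypass ignoramous mentions.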
| ropiwqefjnpoa wrote:
| It functions similarly to other mobile ad-blockers in that it can route all your phone's traffic over a VPN tunnel it establishes.
|
| But the ad-blocking VPN server is 127.0.0.1, so perhaps, like it says, all the blocking happens right on your phone.
|
| This is what I've been waiting for if this works.
|
| Still getting ads on Instagram though.
___________________________________________________________________
(page generated 2020-02-13 23:00 UTC)