Lockdown: Open-source firewall that blocks app tracking, ads, snooping (lockdownhq.com)
254 points by tilt 5 months ago | 77 comments

It functions similarly to other mobile ad-blockers in that it can route all your phone's traffic over a VPN tunnel it establishes.

But the ad-blocking vpn server is, so perhaps, like it says all the blocking happens right on your phone.

This is what I've been waiting for if this works.

Still getting ads on instagram though.

On Android, DNS66 does exactly this, available on F-Droid. https://f-droid.org/en/packages/org.jak_linux.dns66/

Blokada seems to be very similar to DNS66, and is more actively maintained. Any reason to prefer DNS66?

Blokada doesn't DoH or DoT the last time I checked, but they have added a wireguard-based paid VPN service, which is nice.

Intra [0] can DoH (but no on-device custom blocklists) and Nebulo [1] can DoH and DoT (with on-device blocklists). Personally, I see better latencies with DoH.

Ref: https://news.ycombinator.com/item?id=21598413


[0] https://getintra.org + adguard-dns or nextdns

[1] https://play.google.com/store/apps/details?id=com.frostnerd.... + adguard-dns or nextdns or hostfiles

For those unfamiliar with the acronyms.

DoH = DNS over HTTPS

DoT = DNS over TLS

Very useful apps!

> Blokada seems to be very similar to DNS66, and is more actively maintained. Any reason to prefer DNS66?

No, I've never heard of blokada. Thanks for the tip.

The blokada in play store doesn't block ads. Get it from their store.

Also, aggressive power management from phone makers closes them.

There is an aggressive stayalive option. :)

As does NetGuard, both on the Play store and F-Droid: https://www.netguard.me/

A paid upgrade to the Play store version lets you filter traffic like adblock, or just use the releases from Github (they allow filtering, but not most pro features)

I use and love Netguard. It's great to see the trackers every app is connecting to, but I can't see a global option to block a particular domain across the board. I can only block on a case-by-case app basis. Maybe they added this option recently?

It's only in the github version due to play store rules. And it's a global DNS based blacklist.

I wish there was global or group based ip rules though, since there's no way to whitelist DNS per app or temporarily, without completely turning off filtering.

It's kind of a pain, honestly. Some of the developer's decisions seem pretty arbitrary to me. It's so close to being a must-have app. I wish I had time to get familiar with the code.

That said, it's still my favorite option since losing adhell3 again.

I've only seen across-the-board, though you can allow individual apps to bypass the filter entirely. I think it's just a filter on DNS requests, but for APKs from github:

    settings -> backup -> import hosts file

You may also need to enable traffic filtering, I forget. That's at:

    settings -> advanced -> Filter traffic + Block domain names

The github apks notify you about updates and link right to the download page, so they're pretty painless to use.

Do you have any tips on how to set up NetGuard well? I use an app now called "NoRoot Firewall" that lets me filter on ip address or url and also port, with wildcards. (Ex. *.facebook.com). I cannot find a way to set up NetGuard since it appears to me that I can only decide on each request, which makes it near impossible to ever whitelist/blacklist something like AWS, which uses an ever rotating number of locations.

Nrf hasn't been updated in a very long time, but as you say you can whitelist/blacklist pretty easily. Sadly, netguard doesn't have this facility as a global, and only allows it to be done on a clunky, per-app basis. I seem to recall the author not being receptive to the idea.

Just knowing how to allow "*.facebook.com" for Whatsapp would be a godsend
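The per-app wildcard rule the comments above are asking for ("*.facebook.com" allowed for WhatsApp only, blocked for everything else) is easy to state precisely. The following is an added example, not code from NoRoot Firewall, NetGuard or Lockdown; the rule semantics are this example's own assumptions: "*.example.com" matches example.com and every subdomain, a bare "*" matches any host, a rule without a port matches any port, and the first matching rule wins.

```python
"""Per-app host/port rule matcher with wildcard domains (added example, assumed semantics)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    app: str             # package/bundle id, or "*" for every app
    host: str            # "ads.example.net", "*.example.com", or "*"
    action: str          # "allow" or "block"
    port: Optional[int] = None   # None matches any port


def host_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; a leading '*.' covers the apex and all subdomains.

    The suffix test requires a dot boundary, so '*.facebook.com' does not match
    'notfacebook.com', and an attacker-style 'facebook.com.evil.example' fails too.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host == suffix or host.endswith("." + suffix)
    return host == pattern


def decide(rules, app: str, host: str, port: int, default: str = "block") -> str:
    """First rule whose app, port and host all match decides; otherwise `default`."""
    for r in rules:
        if r.app not in ("*", app):
            continue
        if r.port is not None and r.port != port:
            continue
        if host_matches(r.host, host):
            return r.action
    return default


# Constructed rule set: WhatsApp may reach Facebook/WhatsApp infrastructure,
# everything else has Facebook and DoubleClick blocked, cleartext HTTP to
# example.org is blocked for all apps, and anything unmatched is allowed.
RULES = [
    Rule("com.whatsapp", "*.facebook.com", "allow"),
    Rule("com.whatsapp", "*.whatsapp.net", "allow"),
    Rule("*", "*.facebook.com", "block"),
    Rule("*", "*.doubleclick.net", "block"),
    Rule("*", "*.example.org", "block", port=80),
    Rule("*", "*", "allow"),
]


if __name__ == "__main__":
    for app, host, port in [
        ("com.whatsapp", "edge-chat.facebook.com", 443),
        ("com.example.game", "edge-chat.facebook.com", 443),
        ("com.example.game", "www.example.org", 80),
        ("com.example.game", "www.example.org", 443),
    ]:
        print(f"{app:18} {host:28} :{port:<5} -> {decide(RULES, app, host, port)}")
```

Ordering matters: a later, more specific rule for an app would be shadowed by an earlier wildcard rule, which is the same pitfall as in any first-match firewall ruleset.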

Everyone should fire up https://mitmproxy.org/ from time to time just to see how chatty your mobile apps can be, phoning home to places like analytics services on every tap and swipe. I was using a translation app on my phone that sent every keystroke to Google Analytics.

Of course also fun in its own right to see the sorts of APIs an app uses and how often the developers like to query it.

It was sending every keystroke in the app, or every keystroke in the entire phone?

Just the app. I think it's just a testament to how normal and easy tracking/info-collection has become that there's no real downside to doing it everywhere nor pressure to really stop, think, and care.

That you have to go through the trouble of mitm'ing yourself to see this stuff is also the flip side of HN's native app fetishization and knee-jerk web hate.
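To make the mitmproxy exercise above less eyeballing and more measurement, here is an added mitmproxy addon (not part of mitmproxy, and not the commenter's setup) that tallies requests per host and flags hosts that look like analytics endpoints. The marker words, the summary format and the sample traffic are this example's own assumptions; the sample stands in for what a translation app might send and is constructed, not captured. Point the phone at the proxy and run `mitmdump -s chatty.py`; the bookkeeping is kept free of mitmproxy types so it also runs offline.

```python
"""mitmproxy addon: count requests per host and flag likely analytics endpoints (added example)."""
from collections import Counter, defaultdict

# Assumed heuristic: substrings that commonly appear in telemetry hostnames or paths.
ANALYTICS_MARKERS = ("analytics", "telemetry", "metrics", "collect", "track")


class ChattyHosts:
    def __init__(self):
        self.per_host = Counter()                    # host -> request count
        self.per_host_paths = defaultdict(Counter)   # host -> "METHOD /path" -> count

    def record(self, host: str, method: str, path: str) -> None:
        """Core bookkeeping on plain strings, usable without mitmproxy."""
        host = host.lower()
        self.per_host[host] += 1
        self.per_host_paths[host][f"{method} {path.split('?', 1)[0]}"] += 1

    def request(self, flow) -> None:
        # mitmproxy hook, called once per client request that passes through the proxy.
        self.record(flow.request.pretty_host, flow.request.method, flow.request.path)

    def suspicious(self) -> dict:
        """Hosts whose name or any requested path contains an analytics marker."""
        flagged = {}
        for host, count in self.per_host.items():
            texts = [host] + list(self.per_host_paths[host])
            if any(marker in text for text in texts for marker in ANALYTICS_MARKERS):
                flagged[host] = count
        return flagged

    def summary(self, top: int = 10) -> str:
        flagged = self.suspicious()
        lines = []
        for host, count in self.per_host.most_common(top):
            note = "  <-- analytics?" if host in flagged else ""
            lines.append(f"{count:5d}  {host}{note}")
        return "\n".join(lines)

    def done(self) -> None:
        # mitmproxy hook, called when mitmdump shuts down.
        print(self.summary())


addons = [ChattyHosts()]

# Constructed sample: twelve keystroke events to an analytics collector plus a
# few legitimate API/CDN calls (api.translate.example is a placeholder name).
SAMPLE = [
    ("www.google-analytics.com", "POST", "/collect?v=1&t=event&ec=editor&ea=keypress"),
] * 12 + [
    ("api.translate.example", "POST", "/v1/translate"),
    ("api.translate.example", "GET", "/v1/languages"),
    ("cdn.translate.example", "GET", "/assets/app.css"),
]


def demo() -> ChattyHosts:
    """Feed the constructed sample through the addon's bookkeeping and return it."""
    tally = ChattyHosts()
    for host, method, path in SAMPLE:
        tally.record(host, method, path)
    return tally


if __name__ == "__main__":
    print(demo().summary())
```

The heuristic is deliberately crude; the point is the ratio. Twelve hits on one collector for three useful requests is the kind of pattern that is obvious in a tally and invisible when scrolling a flow list.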

On iOS I use DNSCloak. It takes some work to setup, like downloading the blocklist from somewhere yourself, but it works. I will try lockdown to see how it compares though. It looks easier.

DNSCloak and Lockdown cannot be enabled at the same time. When I tried it quite some time ago, it was one or the other, which is a bummer if you want to use Lockdown while also choosing specific DNS servers to use. I’m guessing this is due to a limitation imposed by iOS, but have no idea how it can be solved.

It probably can't, seeing as both use a local VPN server to implement what they do.

You could always manually enter your DNS servers in your iPhone's settings.

> You could always manually enter your DNS servers in your iPhone's settings.

Can you do this for mobile connections? From what I've been able to see, you have to set DNS settings on a per SSID basis, and that particular menu doesn't exist when connected to the cell network instead of wifi.

I have an old version of adblock for ios that can block (and even break) apple services. Just what I wanted.

Apple forced the developer to "upgrade" it to use DNS based blocking and provide no lists of adservers, which pretty much let everything back through.

> It's functions similar to other mobile ad-blockers in that it can route all your phones traffic over a VPN tunnel it establishes.

"Can", not "does". The App Store page for it (for both Mac and iOS versions) says

> Optional VPN for additional privacy

LOL! Additional!!

> Still getting ads on instagram though.

I haven't checked myself, but I read that it's likely because Instagram may use the same domain to serve ads as its regular content. So, if you block Instagram's domain, you will block Instagram itself.

Is there anywhere with an in-depth overview of what this does? Does it just fail DNS requests and block known IPs? How are the lists maintained and updated? With TLS, and it surely not mitm-ing connections, that's all it can do, correct?

> With TLS and it surely not mitm-ing connections, that's all it can do correct?

Unless it also acts as a web-proxy, yes.

It uses the `NetworkExtension` framework to intercept all your communications and potentially modify them.


It can possibly access all your activity, contacts, microphone, and camera... Hard pass from me at the moment. :/

It's a start. It's good that it's open source, but that's necessary not sufficient to establish trust for something which requires such significant privileges.

You also want to be able to know who the authors are, to evaluate them for trustworthiness, and to evaluate their processes to see how well hardened they are against malicious contributions.

> It can possibly access all your activity, contacts, microphone, and camera... Hard pass from me at the moment. :/

Camera and mic? How does it do this as a vpn? I see no requests for such things in iOS settings for the app.

It's an app you install on your phone. That app can use any service on the device if system permissions allow it, also, tracking and libraries or spyware can be embedded in the app itself which could potentially circumvent device security.

The source indicates that they check-in DNS blocklists as JSON files [0] and txt files (one of which has Facebook IPv4s) [1]. So, the updates to those would require app updates, I guess, unless there's OTA for the blocklists somewhere in the code that I missed.

My experience with running client-side DNS based blockers is that they consume additional battery and need a lot of RAM if you block with aggressive lists that have more than 1M+ domains. Besides, DNS based blockers can be circumvented by apps that do their own resolution over DoH or use clever techniques like CNAME cloaking [2]. Some nameservers such as the one run by Cloudflare flatten the CNAMEs [3], effectively rendering even nextdns' solution ineffective [4].

I must also note that Cloudflare does hide the origin IP if they are set up to reverse-proxy the traffic, which then would render IP based blocklists ineffective, too, unless Cloudflare's IPs are blocked as well.

The folks who build the lockdownhq apps are also the makers of https://confirmedvpn.com.

u/willstrafach's https://guardianapp.com (VPN and ad-blocking), u/poitrus's https://nextdns.io (no VPN but imo the best DNS based content-blocker in the market today), and https://adguard.com (cross platform all-in-one network security suite) are other comparable alternatives.

Disclosure: I run a competing ad-blocking service.


[0] https://github.com/confirmedcode/lockdown-ios/tree/master/Lo...

[1] https://github.com/confirmedcode/lockdown-ios/tree/master/Lo...

[2] https://trackingthetrackers.com/

[3] https://blog.cloudflare.com/introducing-cname-flattening-rfc...

[4] https://medium.com/nextdns/cname-cloaking-the-dangerous-disg...
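The CNAME cloaking and flattening points in the comment above ([2], [3], [4]) come down to one question: does the blocker get to see the whole CNAME chain or only the final address? The added example below (not code from Lockdown, NextDNS or any blocker named here) applies a hosts-style blocklist to every name in the chain, then shows the same lookup as a CNAME-flattening resolver would answer it. The answer records and tracker names are constructed, not live DNS.

```python
"""Blocklist check over a full CNAME chain, and what CNAME flattening hides (added example)."""

# Constructed blocklist; entries match the listed name and any subdomain of it.
BLOCKLIST = {"tracker.example-analytics.net", "cdn.example-ads.com"}


def in_blocklist(name: str, blocklist=BLOCKLIST) -> bool:
    """True if `name` or any parent domain of it is listed."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def chain_for(qname: str, answer) -> list:
    """Follow CNAME records in an answer section starting at qname.

    `answer` is a list of (owner, rtype, rdata) tuples. Returns every name
    visited, starting with qname itself. Capped to guard against CNAME loops.
    """
    cnames = {owner.lower(): target.lower() for owner, rtype, target in answer if rtype == "CNAME"}
    names, current = [qname.lower()], qname.lower()
    while current in cnames and len(names) < 16:
        current = cnames[current]
        names.append(current)
    return names


def verdict(qname: str, answer):
    """('block', [listed names in the chain]) or ('allow', [])."""
    hits = [n for n in chain_for(qname, answer) if in_blocklist(n)]
    return ("block", hits) if hits else ("allow", [])


# Constructed answer: a first-party-looking subdomain is a CNAME to a tracker
# (the cloaking pattern). The chain is visible, so the blocklist catches it.
UNFLATTENED = [
    ("metrics.shop.example", "CNAME", "shop.example.tracker.example-analytics.net"),
    ("shop.example.tracker.example-analytics.net", "A", "203.0.113.10"),
]

# The same lookup as a CNAME-flattening resolver returns it: only the final
# address survives, so a name-based list has nothing to match against.
FLATTENED = [
    ("metrics.shop.example", "A", "203.0.113.10"),
]


if __name__ == "__main__":
    print("unflattened:", verdict("metrics.shop.example", UNFLATTENED))
    print("flattened:  ", verdict("metrics.shop.example", FLATTENED))
```

Once the chain is flattened, the only remaining handle is the address itself, which is why the comment's next point matters: an IP-based list only helps until the tracker sits behind a shared reverse proxy.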

> "The folks who build the lockdownhq apps are also the makers of ...[a bunch of other iOS apps]."

Are you saying the same group of subcontractors built them all? Or that it's the same app repackaged multiple times? Or something else?

I use adguard on iOS and while I don't like the first-party exposure (to adguard itself), it's better than being completely naked in public to all sorts of shady actors (including telecom/wireless providers). Or is it?

> are you saying the same group of subcontractors built them all?

No. Sorry, I meant that the creators of lockdownhq also built confirmedvpn.

> or something else?

Yes. Alternatives.

Well, what’s your service?

This application is not using either of those APIs (Content Filter or DNS Proxy).

> Content filter providers are only supported on supervised iOS devices.

> DNS proxy providers are only supported on supervised iOS devices.

It's "open source", but there's only been 5 commits since August last year? Where do the updates to blocking rules etc come from?

Also, the homepage states "Over 1 Billion Trackers Blocked", but that really feels misleading.

I'd say Guardian Firewall is a much better choice: https://twitter.com/guardianiosapp

$10/month is a lot for a firewall.

Important to note, our app is a VPN as well. This way, with the bulk of our business logic on the server-side, device battery is saved and we can do real-time block list updates rather than the app needing to pull down a new rule set.

The $1/day / $10/month / $100/year has been fairly well received, but may not be for everyone, especially those who enjoy running their own VPN server and/or curating their own block lists.

> The $1/day / $10/month / $100/year has been fairly well received,

...in countries where $100 a year isn’t a lot for one subscription.

> but may not be for everyone, especially those who enjoy running their own VPN server and/or curating their own block lists.

...and also not for those in countries where $100 a year is a whole lot of money for one subscription.

If you use a pay-as-you-go network like Google Fi, and it saves you more than 1 GB, then it saves you money.

$10 for 1GB?!

$10/GB is pretty much the going rate for a la carte data on all major US carriers. You typically get better rates for your monthly plan but if you go over you're flipped back to the a la carte pricing.

Eesh. My monthly plan in the UK is about $10 (£7), for 2GB, unlimited texts, 500 calls.

I suppose an Indian commenter would 'Eesh' at that too though!

I hardly use my iphone and it has blocked 552 today. It shows you the log. Also, the mobile web seems faster now (for some sites).

23K+ blocked since 1/16/2020.

I don't use too many apps, but I see it also blocked app telemetry/trackers (e.g., kochava.com stuff)

It's the language I think is misleading - there aren't 1bn trackers out there to be blocked. I suppose it means there's been 1bn blocks happened.

On macOS, we got a port of OpenBSD pf (probably not up to date though). I've been able to convert hosts files to OpenBSD pf format in, when was it, 2002? What you'd need to do is create an anchor. Perhaps there's a GUI for it as well for those who prefer. There's at least pfBlockerNG which basically does that for PfSense. [1] FWIW, all of this existed before Pi-Hole (or Raspberry Pi for that matter). IIRC there was also a converter script for hosts files to IPTables rules.

Is it possible to import such rules to Little Snitch? That's the go to firewall on macOS, though it is proprietary. There's also LuLu, a FOSS firewall for macOS. [2]

Now, from my memory, these block lists did cost quite some memory on a machine with 512 MB RAM, even though it'd do dedup. What one could also do is build up a VPN with a remote server (in the cloud, or at home) and use, say, WireGuard to have a secure connection while using a remote DNS on the VPN to get ads blocked.

[1] https://www.linuxincluded.com/block-ads-malvertising-on-pfse...

[2] https://github.com/objective-see/LuLu
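The hosts-file-to-pf conversion mentioned above is a small job: pull the hostnames out of a hosts-format list, dedupe them, and emit a pf table plus a block rule for an anchor. The following is an added example, not the commenter's script and not part of pf or pfBlockerNG; the anchor name, table name, file paths and the sample hosts data are assumptions. One caveat worth knowing: pf resolves hostnames in a table when the ruleset is loaded, so the block is by the addresses current at load time, which is also where the memory cost the comment mentions comes from.

```python
"""Convert a hosts-format blocklist into an OpenBSD/macOS pf table and anchor rules (added example)."""
import ipaddress
import re

# Constructed sample in hosts-file format (mixed case, comments, multiple names per line).
SAMPLE_HOSTS = """\
# constructed sample blocklist
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example-analytics.net   # trailing comment
0.0.0.0 ADS.example.net
127.0.0.1 cdn.example-ads.com beacon.example-ads.com
not-an-address broken.example
"""

# Names that hosts files carry for the machine itself; never block these.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# RFC 1123 hostname: labels of letters/digits/hyphens, at least two labels, 253 chars max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$")


def parse_hosts(text: str) -> list:
    """Return sorted, de-duplicated hostnames from hosts-file text."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])        # first field must be an address
        except ValueError:
            continue                              # malformed line, skip it
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not HOSTNAME_RE.match(name):
                continue
            names.add(name)
    return sorted(names)


def pf_table_file(names) -> str:
    """Contents of the file a pf table loads: one hostname per line."""
    return "\n".join(names) + "\n"


def pf_anchor(table: str = "adhosts", table_file: str = "/etc/pf.adhosts") -> str:
    """Anchor ruleset: a persistent table loaded from a file, and a block on traffic to it."""
    return (f'table <{table}> persist file "{table_file}"\n'
            f'block drop out quick proto {{ tcp udp }} from any to <{table}>\n')


if __name__ == "__main__":
    names = parse_hosts(SAMPLE_HOSTS)
    print(pf_table_file(names))
    print(pf_anchor())
```

To wire it in, write the table file to /etc/pf.adhosts and the anchor text to /etc/pf.anchors/adblock, then add `anchor "adblock"` and `load anchor "adblock" from "/etc/pf.anchors/adblock"` to pf.conf and reload with `pfctl -f /etc/pf.conf`. After a list update, `pfctl -t adhosts -T replace -f /etc/pf.adhosts` refreshes the table without reloading the whole ruleset.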

On the product page [1] of Little Snitch you'll find a mention of a "blocklist" feature.

[1] https://www.obdev.at/en/products/littlesnitch/index.html

Sweet, it was added in 4.1. Thanks for the heads up!

I found this list (by Peter Lowe) for Little Snitch [1]. There's also a shell script to convert to Little Snitch rules [2]

[1] https://pgl.yoyo.org/adservers/serverlist.php?hostformat=lit...

[2] https://gist.github.com/SethCalkins/1ac3bee593b37067b489cd6e...

As a pihole user for years I recently bought a firewalla blue. Installed pihole on the firewalla, turned off firewalla ad blocking, and done.

I can VPN to my home ad blocking network from anywhere, have more insights into my home network shenanigans, and still use my personal block list built over years. Super easy and most importantly, done.

I'm not sure I get it? Why not run OpenVPN on your pihole's RPi, forward the port on your router, bingo-bango-bongo?? What extra are you getting with the firewalla? Is it 'just' ease of administration (which is probably worth the price!)?

Did you research if the Pi could be set up with additional software (apart from pi-hole) to handle all that (or most of what) the Firewalla provides? Seems like that’d be a lot cheaper if one doesn’t need very high network performance.

Seems to operate the same way adguard from mac/android does?

For an open source app distributed on the App Store, is there actually any way of verifying that what you get on your phone is the same as the source code you can read?

If Apple keeps pushing their Bitcode LLVM IR trans-compiling, along with magic App Store re-linking, they will kill the possibility of reproducible builds forever. In Apple's world, you are supposed to trust their app vetting process, not the source code on some website.

Checksum of a binary package against checksum of a reproducible build?

How do you run a checksum of a binary you download to your phone?

I gave this a try on macOS, but I still see all the ads I'm used to.

It looks like the block lists are really short (https://github.com/confirmedcode/Lockdown-Mac/tree/master/Bl...).

The unfortunate truth is, Apple does not allow us to use a firewall on iOS.

This is a DNS-sinkhole, which can be easily circumvented by apps (for example by using hard coded IPs.)

I would say it's rather dishonest to state your app is a Firewall on the front page, when in fact it is not.

I use Firefox Focus and this looks similar for mobile (though they add MacOS too). Has anyone evaluated the difference?

Firefox Focus does not block ads the same way as Lockdown does. Lockdown uses the [Packet Tunnel Provider](https://developer.apple.com/documentation/networkextension/p...) API which has the added benefit of "protecting" the entire device (not just your browser).

So pihole then.

This is at the device level as opposed to network level of pihole.

Wish I could use this AND Warp. iPhone doesn’t seem to be able to do both.

That was my observation too. They’re both classified as the same class of “VPN” services. So you’d have to choose one or the other. Other VPN apps and services, such as ProtonVPN and Guardian Firewall, can be enabled while using or DNSCloak.

Block this! For Android. https://block-this.com/

Unfortunately, the Mac version requires 10.15 (Catalina) or later. I won't be touching that for quite some time to come.

I did a test of this. uBlock Origin blocked all the calls before it made it to the firewall. IMO why would you use anything else.

There is no uBlock Origin for iOS, and never will be because of Apple’s list based content blocking mechanism where the blocker doesn’t intercept and process requests. It just provides the block list to Safari, which is also the only rendering engine (that can be) used by every browser on iOS.


Does Apple ban apps that interfere with other apps?

Or is it Google that does that?

Headline might want to note IT'S MAC ONLY
