confirmedcode / Lockdown-iOS

GNU General Public License v3.0

Source code is not updated #14

Closed TimofeyK closed 5 years ago

TimofeyK commented 5 years ago

There were a couple of updates released in the AppStore but no code updates published here.

tomtastic commented 5 years ago

https://github.com/confirmedcode/lockdown-ios/blob/6a77cb4cf9fb9320d7199022a90a29a9f396591d/LockdowniOS/AppDelegate.swift

    <key>CFBundleShortVersionString</key>
    <string>0.1.2</string>

Current App Store version:

[AppDelegate:248]: Confirmed VPN (iOS): v0.1.3

If you're going to advertise Lockdown-iOS as open source, don't make this a token public repo of old code, make it the master repo you compile out of.

mikegchambers commented 5 years ago

+1

ghost commented 5 years ago

+1

mikegchambers commented 5 years ago

I like this App, but...

TL;DR:

The version in the App store has yet again seen a bump that is not reflected in the version available on GitHub. This is not purely an annoyance, this is becoming a legitimate concern on at least the following two levels:

1) Being able to independently verify the code is an important security step given the nature of the application. If (and I make no claim that this is happening or would happen) the vendor was itself malicious or had a malicious actor working within them, it would be possible to implant code in this application that could monitor all network traffic on the device the app is running on. Clearly, the impact of this risk, if it were realized, would be catastrophic.

This is not an issue of 'trusting' the vendor; the authenticity of the code should be demonstrable. It's worth mentioning that if we 'trusted' everyone then some aspect of this app wouldn't be needed in the first place.

The vendor's privacy policy even says: "Everything Lockdown does stays on your phone, so no data is transmitted to any of our servers. This can be confirmed by checking the source code, which is 100% open and public for anyone to examine." At least the second part of this statement is not true, as the source code for this current release is not available.

(If I understand correctly, @zhuhaow's comment here: #19 asks why the code 'ships a precompiled NEKit framework in the source', and while no-one is suggesting that the vendor has implanted something they shouldn't have, the point is that we can't prove that they haven't.)

2) This App uses many software libraries with varying license agreements. Many, if not all, of these have a requirement that the terms of the license be included somewhere by the vendor, and an argument could be made that the inclusion of such statements in the published source code is enough (although many might suggest otherwise). I am unable to see any mention of these licenses in the App UI itself, or on the vendor's website.

Of course, it is entirely possible that the currently published App does not use any of these libraries anymore and the vendor has re-written all the code themselves. It's also entirely possible that the currently published app uses new or additional libraries that we don't know about. Again, the point here is that we don't know.

I'm in two minds about (at)ing all the good folks from all the libraries used. In the interest of less spam (for the moment) I have not done so.

mikegchambers commented 5 years ago

@rahulda1 : The more I read into this, the more I feel like these folks will do the right thing, eventually.

"The mission of Openly Operated is trust through transparency: to make online services as transparent as possible, in order to increase trust in the apps we all use. People shouldn't have to be in the dark about what's happening with their personal data, and companies should provide verifiable proof of the claims they make about protecting user security and privacy."

https://openlyoperated.org/about-us

hijohnnylin commented 5 years ago

Hello all! Sorry for the delays - we've been working around the clock to fix bugs and increase performance while also working on a major revision. All the latest commits have been pushed.

For future reference, you may see a few days' delay between production and GitHub while we do a phased rollout to be cautious about new bugs. Closing this now.

tomtastic commented 5 years ago

Still not happy with the transparency on this project. The code is still way behind the released app, so I have no confidence in what code is running or whether anything malicious is happening with my traffic.

Code is at 0.1.4, App Store is currently at 0.1.6v3.

Can the developers explain why they aren't using GitHub as their master repository please?

mikegchambers commented 5 years ago

https://github.com/s-s/dnscloak

tomtastic commented 5 years ago

Thanks @mikegchambers, I'm uninstalling LockdowniOS until I see a satisfactory response here.

ghost commented 5 years ago

The developers said it's because it's hard for them to keep it up to date for the latest, lol, but yeah, I'm on v0.2.0 and still no changes.

ghost commented 5 years ago

I just wanna say that from my findings I couldn't find anything malicious in the Lockdown app. I've run it through tools to check DNS traffic and it all looks fine.

mikegchambers commented 5 years ago

@silentshotghost - So firstly, nobody is suggesting that there actually is malicious code in the app. But the point is that you have to take the vendor's word for it. Unless you have some special off-GitHub access that we don't, the only code you can check is the code here. And that is demonstrably not the code being distributed in the App Store.

Secondly the company themselves say that you shouldn’t need to implicitly ‘trust’ them and that they run ‘trust through transparency’. So by not publishing the code and keeping this repo synced, they are breaking the core principle that the project is founded on.

Having closed source software is fine. Just don’t say it’s open source.

And lastly, there is no way to know for sure, as the source is not published, but there is a possibility that they’re violating licence agreements with other open source projects that are used within the app.

All round this is not a good situation. :(

hijohnnylin commented 5 years ago

Hello again @mikegchambers! We appreciate your passion for our project. My bad for not continuing to follow this thread as it was closed -- we've been focused hardcore on the next version. The code is pushed now for 0.1.6. We stated in the app store change log for 016 that we were reverting the changes from 014 and 015 due to compatibility issues, so the code is actually identical to 013, which has been public this whole time :) -- with the exception of the version and build.

To verify this, you can run the following diff against the 0.1.3 commit:

johnnylin @ ~/Lockdown-Client - [master] $ git diff -U0 1717656ae6b50c8e3b889577b707a956b39db9f5
diff --git a/Lockdown Blocker/Info.plist b/Lockdown Blocker/Info.plist
index 09769ca..f24f44d 100644
--- a/Lockdown Blocker/Info.plist       
+++ b/Lockdown Blocker/Info.plist       
@@ -20 +20 @@
-       <string>0.1.3</string>
+       <string>0.1.6</string>
@@ -22 +22 @@
-       <string>3</string>
+       <string>1</string>
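Review bot: with -U0 these hunks carry no context, so the <key> each changed <string> belongs to is not visible; the 0.1.3 to 0.1.6 line is recognisably the marketing version, but the 3 to 1 line (the build, per the comment text) is identifiable only by its line number, and a build number that goes backwards is exactly the kind of change a reader wants to see labelled. Suggest regenerating with `git diff 1717656ae6b50c8e3b889577b707a956b39db9f5` (default context) so the preceding `<key>` lines appear in each hunk.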
diff --git a/LockdownTunnel/Info.plist b/LockdownTunnel/Info.plist
index 25f7cfd..f7b2c25 100644
--- a/LockdownTunnel/Info.plist
+++ b/LockdownTunnel/Info.plist
@@ -20 +20 @@
-       <string>0.1.3</string>
+       <string>0.1.6</string>
@@ -22 +22 @@
-       <string>3</string>
+       <string>1</string>
diff --git a/LockdowniOS/Info.plist b/LockdowniOS/Info.plist
index 58503fe..352818e 100644
--- a/LockdowniOS/Info.plist
+++ b/LockdowniOS/Info.plist
@@ -20 +20 @@
-       <string>0.1.3</string>
+       <string>0.1.6</string>
@@ -37 +37 @@
-       <string>3</string>
+       <string>1</string>
diff --git a/Today/Info.plist b/Today/Info.plist
index 06e8afe..2346d60 100644
--- a/Today/Info.plist
+++ b/Today/Info.plist
@@ -20 +20 @@
-       <string>0.1.3</string>
+       <string>0.1.6</string>
@@ -22 +22 @@
-       <string>3</string>
+       <string>1</string>
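Review bot: the same two-string bump is hand-edited in four Info.plist files (Lockdown Blocker, LockdownTunnel, LockdowniOS, Today), and in LockdowniOS/Info.plist the build string sits at line 37 rather than line 22, so the files are not even structurally identical. Consider deriving CFBundleShortVersionString and CFBundleVersion from one shared build setting so a release touches a single place and no target can ship a stale version by omission.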

Please let me know if this is still not satisfactory, and tag me @hijohnnylin when you're posting comments you feel are urgent enough that I need to see them immediately. Otherwise it's difficult/hard for me to context-switch from the work on new versions I'm currently doing. :)

Have a terrific day, Johnny
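The two checks this thread performs by hand, comparing the repo's CFBundleShortVersionString against the version the installed app logs (tomtastic's comment above) and confirming that a release commit changes nothing but version and build (the diff just shown), as an added Python example that is not code from the Lockdown project or from anyone in this thread; the plist contents, bundle identifier and log line are constructed samples.

```python
import plistlib
import re

# Keys a pure release bump is allowed to touch; any other differing key means
# something besides the version and build changed between the two commits.
VERSION_KEYS = {"CFBundleShortVersionString", "CFBundleVersion"}

# Matches the version string the app prints at launch, in the form quoted in the
# thread: "[AppDelegate:248]: Confirmed VPN (iOS): v0.1.3".
LOG_VERSION = re.compile(r"Confirmed VPN \(iOS\): v(\d+(?:\.\d+)+)")


def make_plist(version: str, build: str, **extra) -> bytes:
    """Build a minimal Info.plist (constructed sample, not the project's real file)."""
    info = {
        "CFBundleIdentifier": "com.example.lockdown",  # placeholder bundle id
        "CFBundleShortVersionString": version,
        "CFBundleVersion": build,
    }
    info.update(extra)
    return plistlib.dumps(info)


def plist_changes(old: bytes, new: bytes) -> dict:
    """Return {key: (old_value, new_value)} for every key whose value differs."""
    a, b = plistlib.loads(old), plistlib.loads(new)
    return {k: (a.get(k), b.get(k)) for k in a.keys() | b.keys() if a.get(k) != b.get(k)}


def is_pure_version_bump(old: bytes, new: bytes) -> bool:
    """True when the only differences are the marketing version and the build number."""
    return set(plist_changes(old, new)) <= VERSION_KEYS


def store_version_from_log(line: str):
    """Extract the version the running app reports, or None if the line is not a version log."""
    m = LOG_VERSION.search(line)
    return m.group(1) if m else None


def published_source_matches(plist: bytes, log_line: str) -> bool:
    """Does the installed app's reported version equal the version in the public repo?"""
    repo_version = plistlib.loads(plist)["CFBundleShortVersionString"]
    return store_version_from_log(log_line) == repo_version


if __name__ == "__main__":
    old, new = make_plist("0.1.3", "3"), make_plist("0.1.6", "1")
    print(plist_changes(old, new), is_pure_version_bump(old, new))
    print(published_source_matches(old, "[AppDelegate:248]: Confirmed VPN (iOS): v0.1.3"))
```

A plist whose non-version keys also changed (for instance an added NSAppTransportSecurity entry) fails is_pure_version_bump, which is the case the diff above is meant to rule out.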

tomtastic commented 5 years ago

@hijohnnylin I’m not sure that you’ve grasped the underlying complaint here, which for me is that you aren’t developing here on GitHub, and so it’s unlikely the code will ever represent the live app version on the App Store, and neither will developers ever likely feel they want to contribute when your master repo is clearly kept elsewhere.

hijohnnylin commented 5 years ago

Good day @tomtastic, thank you for your tomtastic comment. I hope to learn from this discussion.

I believe the underlying concern is trust - but as far as I know, there isn't any way for a developer to prove the code on app store matches the code pushed to a public repository, because app store doesn't provide any type of public hash (if/when it does, we'll be the first to incorporate it!).

Fortunately with Lockdown (unlike with other apps), you can actually build and run the app on your own device straight from source. If you prioritize this level of trust, then you have the choice of not installing the app from the app store, and using the code published here instead.