privacyint / website-guides

Markdown representation of all the guides available at https://privacyinternational.org/act. Suggestions, improvements and updates welcome; all accepted PRs will be reflected on the appropriate website page.
GNU General Public License v3.0

Blokada and Privacy International #18

Open ignoramous opened 3 years ago

ignoramous commented 3 years ago

Hi there,

I see Privacy International has a guide up on Blokada. I did an informal review of its code and found that the developers aren't really transparent about how private the app is and what its actual capabilities are.

  1. Blokada generates a unique-id per install and shares it with its servers on every interaction with its servers.
  2. Blokada builds a custom user-agent string and shares it with its servers every time the user visits its help pages, views the changelogs, checks for updates, downloads hostfile blocklists, for example.
  3. Blokada redirects almost all of its traffic to its own servers via go.blokada.org through an analytics company, rebrandly.
  4. Blokada leaks DNS connections over TCP.

For code refs, see this hacker-news comment: https://news.ycombinator.com/item?id=26310349

Given my findings, F-Droid has flagged Blokada for violating users' privacy: https://gitlab.com/fdroid/fdroiddata/-/merge_requests/8536

The Blokada admins were privately informed about these shortcomings on Telegram over a period of time, starting in December, 2020, and are aware of it.

This isn't a slight on Blokada, which is a commendable project given away for free and made open source, though there is a case to be made whether Blokada (version 4) plagiarized code from Julian Klode's DNS66 project. Lack of transparency has been a theme, which is worrying, and add to that the fact that there's little distinction between Blokada, the non-profit, and Blokada, the for-profit, and things get murkier.

In light of this, Privacy International might want to re-consider endorsing Blokada on its website.

Disclosure: I co-develop a similar app, and worked on the Android Enterprise & Security team at Amazon Research for 5 years.

cc: @la-carvalho

EBendinelli commented 3 years ago

Hi there and thanks for this feedback, we really appreciate your input.

These are all valid concerns and we thank you for raising them. I can see from the GitLab issue that this seems to be an on-going discussion and that the Blokada team seems keen to tackle some of the identified issues (notably with version 5).

With that said, we agree that Blokada isn't the only option available and that it might not be the best. We settled on Blokada as it's one of the few free options for iOS users allowing us to do two birds one stone (we also considered NetGuard for Android). In order to offer diversity to our supporters, would you be willing to write a guide on how to install and use Rethink DNS to block ads? We would use the same tags and title as Blokada so that website visitors would be presented with multiple options.

ignoramous commented 3 years ago

> I can see from the GitLab issue that this seems to be an on-going discussion and that the Blokada team seems keen to tackle some of the identified issues (notably with version 5).

The Blokada team's response is here: https://archive.is/U9FBb

The recent commits reveal that they are addressing some of the issues and only for the F-Droid flavour. Not on iOS, not on any other Android builds. The server-side things they do aren't open-source, so it isn't possible for an outsider to confirm just how other reported issues were addressed.

> We settled on Blokada as it's one of the few free options for iOS users allowing us to do two birds one stone

Makes sense, but Privacy International endorsing apps must be a higher bar than that, in my honest opinion. I'd again refer you to responses from F-Droid maintainers on the thread I linked to.

> ...would you be willing to write a guide on how to install and use Rethink DNS to block ads?

I can, but having RethinkDNS up on Privacy International's website isn't the reason for my report. RethinkDNS + Firewall is an anti-censorship and an anti-surveillance tool. Blocking ads is just one side-effect.

Thanks.