
> I'm always concerned with an app that routes all my traffic through a VPN.

Many of these use the VPN subsystem of Android, but are not actually VPNs -- that is, they aren't routing anything off of your device. Using the VPN subsystem is just a way to be able to filter network traffic without having to have rooted your device.

The only downside is that you can't use such an app and a real VPN at the same time.




> The software pretends to be a VPN client in order to get the network traffic and filter it.

This is why I stick with root firewalls -- I also use a VPN, and I don't think you can have your Android device use more than one VPN at a time (without rooting it).


> All of this can operate on device at the OS/IP stack layer.

I think, on Android, with root you could do a lot more and not have to use VPNs at all.

> That gives too much trust to the VPN operator.

Local VPN apps like NetGuard are open-source, btw. And server VPNs like ProtonVPN have no-logs policy. I'm curious, what other guarantees are you looking for?


> but for an app you have none

There are a number of pseudo-VPN-like apps that give you similarish control over native apps, just the same as an extension on a web browser that uses hostname blocklists.


> given their client is implemented properly.

Unfortunately this is a big part of trusting your VPN provider. It’s shocking how bad the situation is, especially it seems on those marketed via Android apps. [1]

[1] https://arstechnica.com/information-technology/2017/01/major...


> There's nothing to stop any VPN from scary levels of metadata collection, but Apple did close the door to one way of promoting or selling these services.

What I do now (though on Android) is use WireGuard as a VPN to my home router, which runs basically a Pi-hole (and WireGuard).

The benefits:

1) I get a system-wide adblocker on top of uBlock Origin.

2) My mobile provider cannot perform DPI (though it's owned by the same company as my cable company. YMMV, plus it will work when you roam internationally. Heck, I can perform DPI on it via my router.)

3) When on a public WiFi (e.g. railway station) all my data is encrypted.

4) When I switch networks it automatically swaps connection.

5) Far less performance hit and battery usage than traditional VPNs such as OpenVPN. The home router also barely uses a watt.

Brilliant software, I can highly recommend it. My only beef with it is that a full-blown SDN such as ZeroTier is a lot easier to set up.


> You could also VPN into your home network I guess.

It works beautifully. I think it hurts battery life on phones, but that hasn't been tested by me in any meaningful way.


> In fact an app could say "don't worry we're only doing DNS" but actually be a VPN. That sounds dangerous to me?

I could be mistaken here, but I believe it's only dangerous if you're using an insecure connection (i.e. http (no https), which is already dangerous). Or if you install a custom CA certificate -- then the VPN could perform man-in-the-middle attacks on your connection.


> Blokada uses the Private DNS feature of the phone to block ads

Oh, good, I had interpreted "Cloud filtering" as some sort of content blocking API. DNS makes sense.

> It should also be noted that you can use the VPNService in Android to only set a DNS server to use, without actually sending any traffic through a VPN. Using the VPNService in this way is not going to be allowed with the new Developer Policy update. When used this way, the privacy issues aren't there -- though there is the potential misunderstanding of end users who might think they are using a full VPN when in reality they aren't.

That's good if VPN apps aren't always actually implementing a VPN, and it likely eliminates the battery life issue, but the confusion is a problem as users can't tell the difference between an actual VPN and one that is only doing DNS stuff.

In fact an app could say "don't worry we're only doing DNS" but actually be a VPN. That sounds dangerous to me?
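The "DNS only" versus "full VPN" distinction discussed in this comment comes down to which routes the app hands to Android's VpnService.Builder. The sketch below is an added example, not code from the thread or from any app named on this page (Blokada, NetGuard, rdns); the class name and the 10.111.222.x addresses are placeholders I chose, and the packet-handling loop that a real DNS-filtering app needs is deliberately left out.

```kotlin
import android.content.Intent
import android.net.VpnService
import android.os.ParcelFileDescriptor

// Hypothetical service for illustration. Addresses are placeholders.
class FilteringVpnService : VpnService() {

    private var tun: ParcelFileDescriptor? = null

    // "Full VPN" shape: the default route (0.0.0.0/0) pushes every packet of
    // every app into the tun device, so whatever reads the device sees all
    // traffic. A real tunnelling client then forwards those packets to its server.
    fun fullTunnelBuilder(): Builder = Builder()
        .setSession("full-tunnel")
        .addAddress("10.111.222.1", 24)   // virtual interface address (placeholder)
        .addDnsServer("10.111.222.2")     // resolver the app answers itself (placeholder)
        .addRoute("0.0.0.0", 0)           // everything goes through the tun

    // "DNS only" shape: same address and DNS server, but the only route is the
    // /32 of the DNS server itself. Only DNS queries enter the tun; HTTP(S) and
    // all other traffic leave the phone over the normal interface, untouched.
    fun dnsOnlyBuilder(): Builder = Builder()
        .setSession("dns-only")
        .addAddress("10.111.222.1", 24)
        .addDnsServer("10.111.222.2")
        .addRoute("10.111.222.2", 32)     // only packets to the fake resolver

    override fun onStartCommand(intent: Intent?, flags: Int, startId: Int): Int {
        if (tun == null) {
            // Both builders produce the same VPN key icon in the status bar;
            // the user cannot tell from the UI which shape was established.
            tun = dnsOnlyBuilder().establish()
            // From here the app must read DNS packets from tun!!.fileDescriptor,
            // decide which names to block, and forward the rest to an upstream
            // resolver over a socket it has excluded with protect(). If that
            // loop is missing, DNS simply stops working for every app.
        }
        return START_STICKY
    }

    override fun onDestroy() {
        tun?.close()
        tun = null
        super.onDestroy()
    }
}
```

The point for a user is the one the comment makes: the routes are the only difference, and nothing visible in the phone's UI distinguishes the two. On a rooted device or over adb, inspecting the routing table of the tun interface is the way to check which shape an installed app actually established.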


> if it doesn’t leak your Wi-Fi connection information.

I don't think I understand. I run my VPN at home on a raspberry pi. So all of my network traffic, at the end of the day, goes through my home ISP.

I've considered shelling out for a VPN service to shield my traffic from ISP snooping, but at the end of the day you can only hide so much from your ISP, and I'm hesitant to introduce another failure point to my network (my SO will only take so much downtime!).

I mostly use the VPN as a convenience to ad-block on all devices at the DNS level and access self-hosted services like my Jellyfin server even when I'm not at home. The security benefit is also nice when I'm away from home on any WiFi network other than my own -- you never know what's going on behind the scenes.

Overall I don't worry too much about ISP snooping. But I probably should.


> I don't know if it's easily configurable in the app, though.

I just discovered it by accident the other day.

It's super easy.

See "DNS content blockers" at https://mullvad.net/de/help/using-mullvad-vpn-on-android#vpn...


> But this is not going to work when I am traveling and using my carrier's 4G network.

That's what VPNs are for. See OpenVPN, for example (or tinc, strongSwan, etc.).


> They are not a general purpose VPN service, and can't even be used as one.

I'm not sure what you mean by this, but this sounds like exactly what they are, with some functionality on top. It's what I use to VPN into my LAN from outside, and it's pretty general purpose from where I stand.


> The only regret with rdns is that it’s either using that, or a VPN—from how I understand it.

This is an unfortunate limitation imposed by Android (for good reasons, I must add). We're fixing up our network stack to shoulder in WireGuard; it should land in a month or two. With that, one would be able to upstream connections to any WireGuard endpoint: https://github.com/celzero/rethink-app/issues/52

> rdns is an awesome app, I am unsure why it’s not more widespread

Thanks for your kind words. There may be other reasons, but the surprising one is (going from what we see on other forums and in emails that we get) that folks are reluctant to trust a security / privacy product that's made by Indians.


> It is literally the kind of data collection that people use VPNs to avoid!

I have a feeling that a majority of VPN app users use them with the intent of preventing a specific party from collecting that data (e.g. an employer or a government).


> And for actual privacy on untrusted networks, nothing beats a VPN, except possibly not using hostile networks.

Except that using a VPN then funnels _all_ of your traffic through a single server which is ideally placed to monitor your browsing activity. And, VPN providers tend to be quite hard to evaluate for their trustworthiness.


> I can't see what VPN companies are really doing inside their stack.

You can always run your own VPN. Buy a cheap VPS, and set up OpenVPN to route traffic through it.


Nice. GuardianApp is very close to what I had in mind. Great landing page, btw!

> Have you already started on this concept?

Initial stages, where we have looked at OSS projects to fork for a quick prototype, with our focus being exclusively on Android, and not just limited to VPN.

> Designing a reasonably secure and reliable mobile VPN has been a very difficult challenge to get right.

Thanks for the heads-up. From a usability point of view, I've seen my share of VPNs mess up and sinkhole all traffic. On one occasion, an app simply refused to get past its loading screen unless I turned off the VPN.

> It would be great to chat further, if you have interest in working on this concept.

Sure, thanks. I'd be sure to email you, Will.


> What good is a VPN when multiple apps on your computer are phoning home?

The point of a VPN is that whenever an app phones home, it will do so through the VPN. Standard VPN configuration (which I suppose the Mullvad client performs?) is to entirely disallow any traffic that doesn't go through the VPN.


> It makes me wonder how safe VPNs are. I don't think they're safe at all seeing all this side traffic going out concurrently.

How do you mean? If you're worried about traffic outside of your VPN software locally on your machine you can put the VPN client in your router or get a dedicated VPN gateway.

Or are you referring to potential locally sourced personally identifiable data leaking over the VPN to be sold by vendors? That one is tougher, other than don't have those services installed or don't run those OSes.

