One of the reasons for mobile apps is that adblocking is disabled. Explains why Reddit promotes it so much.
Similarly, wrapping websites like Discord or Slack in Electron also gives the website owners full telemetry and tracking that they can't get in a tech savvy browser.
Would an always on VPN, a remote pihole be the only way for privacy?
It must be very disheartening to work on reddit's mobile site. Not only is it deliberately made a miserable experience by forcing you through AMP via Google and insisting you "continue in browser" every time, but then you're greeted with a banner that outright says "this page is better in the app".
I wonder how long they'll keep the API live with so few restrictions and fees. Twitter makes huge amounts of money from selling the kind of data that PushShift gives away for free from Reddit.
Say what you want about the implementation but the new design is definitely better for watching memes. And I wouldn't be surprised if the design doc simply said "focus on memes".
Agreed. I don't mind the new layout but it is still amazing that after years of this new layout that at least once a week I go to reddit and it can't load comments. I'm not a developer so maybe there is a valid reason but as a user it just seems ridiculous that the site can't do its main function reliably.
I found NextDNS to be relatively convenient and easy to set up even for a lay audience. Definitely easier than a PiHole or a custom `dnsmasq` setup, and it offers mobile configuration client apps.
What I do not know is if it will work also when apps begin using DNS over HTTPS… I suppose not?
NextDNS offers a DoH endpoint and is a selectable TRR in Firefox. Unfortunately that doesn't help with apps doing DoH to bypass DNS blocking. The current state of the Internet / computing is a bit problematic, but there are ways forward.
What I do and recommend everyone to do is:
1. Run an edge network device using network access controls and filter which devices on your network get outbound network access (in my case just the gateway device). Block all inbound traffic except what you choose to pinhole, block all outbound traffic except ports you choose to add to the allow list.
2. On every client device run a local application firewall (I like Vallum and Little Snitch on MacOS as examples) and filter applications by domain + port on outbound requests, block all inbound requests.
3. On every client device force it through a VPN to a gateway device internal to your network to get internet access; anything that falls off the VPN is then blocked from the internet. The gateway device can forcibly route traffic and perform additional filtering.
4. On every client device, configure it to use an internal DNS on your network with a fallback to a trustworthy external provider, and have the internal DNS use a trustworthy external provider over DoH. Block outbound DNS at the edge device (blocks all non-encrypted lookups).
It's kind of a pain, and a mess, but it does greatly restrict the damage that rogue IoT / Smart devices can do.
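An added example (not from the comment above) of what steps 1 and 4 look like on the edge device as an nftables ruleset. It assumes the names lan_if/wan_if, gateway_ip (the one device allowed direct egress), resolver_ip (the internal DNS host that talks DoH upstream) and a comma-separated TCP egress port allow list; the function only prints the ruleset so it can be checked before loading.

```shell
#!/bin/sh
# Added example, not from the thread: emit an nftables ruleset for the edge
# device of steps 1 and 4. Assumed names: lan_if/wan_if, gateway_ip (the one
# device allowed direct egress), resolver_ip (the internal DNS host that
# talks DoH upstream) and a comma-separated TCP egress port allow list.
edge_ruleset() {
  lan_if="$1"; wan_if="$2"; gateway_ip="$3"; resolver_ip="$4"; egress_ports="$5"
  cat <<EOF
flush ruleset
table inet edge {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    # the edge itself only answers SSH from the LAN side (no inbound pinholes yet)
    iifname "$lan_if" tcp dport 22 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # step 1: only the gateway device gets outbound access, and only to listed ports
    iifname "$lan_if" oifname "$wan_if" ip saddr $gateway_ip tcp dport { $egress_ports } accept
    # step 4: the internal resolver reaches its DoH upstream over 443 only
    iifname "$lan_if" oifname "$wan_if" ip saddr $resolver_ip tcp dport 443 accept
    # step 4: any plaintext DNS leaving the network is logged and dropped
    oifname "$wan_if" udp dport 53 log prefix "edge-dns-leak " drop
    oifname "$wan_if" tcp dport 53 log prefix "edge-dns-leak " drop
  }
}
EOF
}
# check only: edge_ruleset eth0 eth1 10.0.0.2 10.0.0.3 "80, 443" | nft -c -f -
```

Devices that never appear in the "edge-dns-leak" log after a few days are the ones actually honouring the DHCP-supplied resolver.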
Unless they provide a VPN it is only blocking the not-so-bad actors. Everyone else uses hardcoded DNS IPs. If you look at traffic from an Android phone you will get lots of DNS requests to Google DNS no matter if you use NextDNS or not. If you only provide one (primary) DNS IP in Android, 8.8.8.8 (Google DNS) will even be used by default together with your DNS provider. The same is going on in iOS. If they do provide a VPN then it isn't really for a lay audience IMO, but it is the only thing that isn't like pissing in the wind.
I personally use a doh_blacklist with around 170 IPs, where I block outgoing traffic for known (publicly and not so) internet-reachable DoH resolvers. There is no problem(*) - everything works perfectly.
ipset create blist_doh hash:ip hashsize 1024 -exist
# one IPv4 address per line in the list file; skip blank lines and '#' comments
grep -Ev '^[[:space:]]*(#|$)' /etc/bin/blist_doh.txt | while read -r ip; do ipset add blist_doh "$ip" -exist; done
iptables -A <insert some iptables placement specific to your outgoing/forwarded traffic> -m set --match-set blist_doh dst -m comment --comment 'SPY:all ext DoH BLOCKED' -j DROP
Still, as of 2021, the DoH rule is around 2% of the traffic logged compared to my other rule, where I simply block outgoing 53/udp (except my resolver). A LOT of your devices ignore your DHCP DNS settings and try to circumvent them by going directly to shady 8.8.8.8 etc.
(*) You shall check and update it every few months.
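An added example (not the commenter's script) for the "check and update it every few months" part: validate the list before loading it and swap the refreshed set in atomically, so the iptables rule that references blist_doh never matches against a half-filled set mid-reload. It assumes /etc/bin/blist_doh.txt holds one IPv4 address per line, with blank lines and '#' comments allowed.

```shell
#!/bin/sh
# Added example, not the commenter's script: validate the DoH resolver
# blocklist and reload it into the ipset atomically, so the iptables rule
# that references blist_doh never matches against a half-filled set while
# you refresh it. Assumed: /etc/bin/blist_doh.txt holds one IPv4 address per
# line, with blank lines and '#' comments allowed.
valid_ipv4() {
  # true for a.b.c.d with every octet 0-255; rejects hostnames, CIDRs, IPv6
  printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}
# print the cleaned, de-duplicated entries; report bad lines on stderr
# instead of letting one typo abort the whole reload
clean_blocklist() {
  sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | while read -r entry; do
    [ -n "$entry" ] || continue
    if valid_ipv4 "$entry"; then printf '%s\n' "$entry"
    else printf 'skipping invalid entry: %s\n' "$entry" >&2; fi
  done | sort -u
}
# fill a scratch set, then swap it in under the live name in one step
refresh_doh_set() {
  ipset create blist_doh hash:ip hashsize 1024 -exist
  ipset create blist_doh_tmp hash:ip hashsize 1024 -exist
  ipset flush blist_doh_tmp
  clean_blocklist "$1" | while read -r ip; do ipset add blist_doh_tmp "$ip" -exist; done
  ipset swap blist_doh_tmp blist_doh
  ipset destroy blist_doh_tmp
}
# usage (as root, e.g. from a monthly cron job): refresh_doh_set /etc/bin/blist_doh.txt
```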
I have been using NextDNS for a couple of days, but since I don't have a static IP, it's obviously not so convenient; I have to reset my IP every time it changes.
But otherwise, absolutely great, awesome statistics about blocked/requested domains, countries, etc...
Not sure if VPN would help you much against telemetry in a mobile app. A native foothold in your phone's system gives them access to much better data than they could infer on the server side.
E.g. if I wanted to know where you're hailing from, I'd browbeat you into granting me Location access privileges. If that's too difficult, I'd get you to grant me Files/Photos privileges (this one won't raise too many alarm bells with apps like Discord or Reddit), and then try to read EXIF geotags off your recent photos.
Blokada and others work by using the VPN functionality in Android, to implement DNS blacklists. Alternatively, AdGuard and NextDNS run DNS servers where you can customize the block list, a remote Pi-Hole as you said.
I'm using NextDNS as the system-wide private DNS on my Android phone, it works great and eats less battery than Blokada.
Honestly, if they'd abuse their power given through Electron - surely, we the users would start boycotting one way or another. Ultimately, this purposefully regressing UX for revenue - nobody likes it except the finance department.
> One of the reasons for mobile apps is that adblocking is disabled.
That and revenue is much higher on apps than on the web. I made an Android app for a website, and the Android app alone made more money than the web version, with fewer ads.
> Similarly, wrapping websites like Discord or Slack in Electron also gives the website owners full telemetry and tracking that they can't get in a tech savvy browser.
Discord, Slack and other similar webapps can (and maybe do) send telemetry in the same connections used for the app's features. You can't reliably block that.
As it intentionally looks like HTTPS traffic, that's a different game; you kind of have to whitelist rather than blacklist.
Here's an idea that supposes you have some server available: Force all traffic over your network, even when roaming (VPN). Squid+Privoxy as HTTP proxy (your choice if you want to DPI and add own TLS CA as root on devices, in which case you can actually block it, or just do HTTP CONNECT). Optionally also set up a SOCKS5-proxy (microsocks). Configure all applications to go over proxy. Applications that don't support it can usually be "proxified" with tsocks or proxychains4.
Now you have more fine-grained control over your traffic. You can do fun stuff like setting up several incoming ports, several outgoing proxies (including Tor/I2P) and allow/block based on destination, domain, protocol, etc.
Finally disable outgoing traffic on your devices/route to a black hole. Or route it via your VPN at least, where you can do some rudimentary stuff with nftables/iptables. Oh, and something not everyone knows: you can route traffic based on uid/gid on Linux, so on your workstation you can leverage that to selectively control traffic on an application basis.
On non-rooted Android and iOS, I suspect this is not perfectly achievable but if you have the time you can get pretty far otherwise. It's an arms race and I feel like we can keep up.
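An added example (not from the comment above) of the uid-based control it mentions: one uid's traffic is marked and policy-routed out of the VPN interface, failing closed if the VPN is down, while another uid gets no network at all. It assumes iptables and iproute2 on a Linux workstation, an already-up VPN interface, and that routing table 100 and fwmark 0x64 are unused; the function prints the commands so they can be reviewed before piping them to `sh -e`.

```shell
#!/bin/sh
# Added example, not from the thread: the uid-based control the comment
# mentions, as a printed command list you can review before piping it to
# `sh -e`. Assumed: iptables and iproute2 on a Linux workstation, the VPN
# interface is already up, and routing table 100 plus fwmark 0x64 are unused.
# $1 = uid whose traffic must leave via the VPN, $2 = VPN interface,
# $3 = uid of an app that gets no network at all (loopback excepted).
uid_egress_cmds() {
  vpn_uid="$1"; vpn_if="$2"; deny_uid="$3"; mark=0x64
  cat <<EOF
# mark packets owned by uid $vpn_uid; the mangle OUTPUT mark is applied before
# the final routing decision, so the fwmark rule below sends them to table 100
iptables -t mangle -A OUTPUT -m owner --uid-owner $vpn_uid -j MARK --set-mark $mark
ip route replace default dev $vpn_if table 100
ip rule add fwmark $mark lookup 100 priority 100
# fail closed: if $vpn_if goes down its route disappears from table 100, and
# without this rule the marked packets would fall through to the main table
ip rule add fwmark $mark blackhole priority 101
# uid $deny_uid gets a hard reject for anything that is not loopback
iptables -A OUTPUT -m owner --uid-owner $deny_uid ! -o lo -j REJECT
EOF
}
# usage: uid_egress_cmds 1001 wg0 1002        (review, then append "| sh -e")
```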