[guardian-dev] system-wide ad blocking without root
Chris Kuethe
chris.kuethe at gmail.com
Tue Oct 25 19:26:17 EDT 2016
On Tue, Oct 25, 2016 at 3:25 PM, Hans-Christoph Steiner <
hans at guardianproject.info> wrote:
>
> Its a tricky question, since an adblocker could prevent a lot of sites
> from working, or maybe even Android apps. I'm not the expert, but it
> seems that here is very minimal tracking risk from ad sites if
> javascript is disabled.
>
So you break things - that's a risk of messing around with DNS. I
conjecture that everyone who runs ad blockers understands that sometimes ad
blockers will break something and they have to decide what's more important
in that situation: accept the risk and unblock whatever, or accept the loss
of functionality and leave whatever blocked.
This may be safer than manipulating the hosts file since you can always
turn off your vpn if you think the local DNS-over-VPN is serving bad data
and the OS will let you know that a VPN is active and you don't need to
make changes as root. Or it may be less safe because of those very things.
I'm also not familiar with ad-hosting in Android apps. Is the network
> traffic handled by the app? Seems like in that case, the system-wide
> DNS filter would aide privacy.
>
There are tons of ad libraries linked into applications; here are the ones
that minminguard knows about:
https://github.com/chiehmin/MinMinGuard/tree/master/app/src/main/java/tw/fatminmin/xposed/minminguard/blocker/adnetwork
It's an xposed module and depends on a rooted device (however that fits
into your risk model) and it works by basically preloading no-op libraries
in place of the real ad libraries. It can't protect you from requests that
the app makes without using a known library - for example when it creates a
web view to a page with ads. Those could potentially be blocked by putting
their ad servers into the dns blacklist, until they do something like proxy
both the ads and the app service through the same hostname :(
>
> .hc
>
> Nathan of Guardian:
> > I have considered this as an Orbot feature, along with some of the No
> > Root Firewall /Little Snitch capabilities. Obviously that would impact
> > anonymity, but perhaps no more than NoScript or HTTPsEverywhere already
> > does?
> >
> > On Tue, Oct 25, 2016, at 01:28 PM, Hans-Christoph Steiner wrote:
> >>
> >> This is an interesting app: DNS66. It uses the VPN API to provide
> >> system-wide ad blocking without root access. It just handles DNS, no
> >> other traffic, and uses the standard ad blocking blacklists to filter
> >> the DNS requests.
> >>
> >> https://www.reddit.com/r/Android/comments/59a8qm/dns66_
> a_dns_based_adblocker_that_works_systemwide/
> >>
> >> .hc
> >> _______________________________________________
> >> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> >> To unsubscribe, email: guardian-dev-unsubscribe at lists.mayfirst.org
> >
> >
>
> --
> PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
> https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
> _______________________________________________
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> To unsubscribe, email: guardian-dev-unsubscribe at lists.mayfirst.org
>
--
GDB has a 'break' feature; why doesn't it have 'fix' too?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mayfirst.org/pipermail/guardian-dev/attachments/20161025/937dc602/attachment-0001.html>
More information about the guardian-dev
mailing list