The problem Link to heading
While going through my backlog of various bookmarks, I came upon one CCC presentation titled ‘How Facebook tracks you on Android’ that sees researchers from the organization ‘Privacy International’ go through their findings on the ways Facebook tracks users on Android, outside of any use of their own applications and without any permissions from users. They do this through the implementation of the Facebook SDK in the various applications available on the Play-Store.
I am even guilty of having integrated it into products that I have worked on in the past.
And this is obviously nothing revelatory. It has been for a long time known that almost every part of the Facebook ecosystem phones home to HQ with as much information as can be carried, often against each location’s regulations and laws. For instance, Facebook creates a shadow identity for all users online that it happens upon who aren’t registered Facebook users and it does this so that it can track these individuals just like their own users. However these individuals never get the chance to opt in. Sound legal to you?
And the primary mechanism of phoning home? Just those small conveniently placed social networking components that litter every webpage, such as the ‘Like’ button and comment boxes. These gather information no matter if you are logged into Facebook, using incognito mode or going through a VPN.
There is a reason why I quit Facebook last year, and had way before then already started blocking Facebook’s ecosystem on my network through the use of the excellent Pi-hole and some well placed configurations on my Ubiquity EdgeRouter X-SFP (highly recommend these!).
In effect, all social web component from Facebook are blocked such that they never even load in. Instead of ‘Like’ buttons and comment boxes, there are only empty html elements. Any connection attempt to a DNS known to be associated with Facebook is blocked. Any attempt to contact a IP number known to be associated with Facebook is blocked.
Obviously there is always the possibility that my setup hasn’t synced with the latest public record and that some information gets through. But all in all, this drastically limits the amount of information that Facebook is able to harvest about me and what I do online.
As long as I am on my own network that is.
In the presentation the researchers go through their findings where, like the web elements from Facebook mentioned above, the SDK sends bucket loads of information to HQ when apps containing it are run. Even in cases where the user isn’t even using that part of the application and when the developers have even opted out of sending analytical data to Facebook (which Facebook obviously doesn’t have as the default setting).
So what to do then? I will have to go leave the safety of my home network once in a while (though the current pandemic is giving me plenty of possibilities of staying at home), and even though I wouldn’t, the SDK is still alive and kicking on my device, slowly gathering data each time I open up a application that has it integrated and just waiting for the moment to deliver it all to its overlords.
The fix Link to heading
Any kind of filtering will have to be done on the device it self if it is supposed to be able to move outside of the safety of home base. To achieve this there are options, one of which is to run a local VPN client on the device.
By running a VPN client on the device that acts like a VPN sinkhole, similarly to how Pi-hole functions, you can easily filter out as much of the internet as you see fit. This is obviously not a bullet proof way of filtering all domains, as new ones can pop up that haven’t yet been filtered. Or an application may ship its own internal hardcoded DNS servers, which would override any filtering done in the VPN client. Or a few other ways this may not fully work.
Overlooking these possible edge cases, lets jump into how to set up a DNS sinkhole VPN on an Android device.
While there are options on the Google Play store, I would not feel comfortable with using a closed source application for this purpose. Whatever client you decide to set up will gain major access to all network activity on the device, so choosing a recognized client which is developed in the open is crucial in my mind.
In order to eliminate as much friction as possible, I am going to recommend setting up the F-Droid store application which is a third party Android storefront that only hosts open source applications.
Once installed and configured, there are now a few options to choose from. In my experimentation I have tested out both DNS66 and personalDNSFilter both of whom seem to work quite well, with the latter winning it out for me as DNS66 kept having some technical problems (disconnecting and other such problems).
Opening up the app, at first glance it looks very utilitarian and it took me some time playing around with it to figure out how it’s UI functions. Toggling an option expands it, exposing more sub options below it, while toggling it off closes the ‘drawer’ (instead of disabling the functionality as you would normally expect with a toggle).
The UI design aside, the application works pretty much straight out of the box.
To filter certain domains the ‘Advanced settings’ need to be opened and then ‘Configure additional hosts’. In here, individual hosts can be listed either as denied or approved (the screen opened in the application will give proper instructions). Once done with adding in hosts, toggle the ‘Configure additional hosts’ again to close it, and do the same with the ‘Advanced settings’ one.
To apply the changes the client will need to be restarted using the ‘restart’ function on the main screen.
What ever domain(s) that you added should now be either allowed or blocked in (almost) any application on your device.
To test if everything is working as it should, open up a browser window and try navigating to a domain that you just blocked. If things are working you should have an error come up, and a red line inside of the client application will show that it blocked the url.
But hang on, that is not all! Link to heading
While manually adding domains to the list is all fine and good, it is not a strategy that will work long term. Companies like Facebook continually add new domains to their infrastructure, and so capturing them all and keeping up with a ever changing domain landscape can be daunting (if not impossible).
Thankfully there are communities out there that are doing this already, and have graciously shared these lists that they curate with any and all who would want to use them.
One such collection of lists is the excellent jmdugan/blocklists repository on Github. In there can be found domain lists for various big corporations and ad networks.
For the purposes of this article I will be focusing on the Facebook/all-but-whatsapp list, as I still have individuals I chat with occasionally on Whatsapp (though this is thankfully becoming rare as most if not all of my interaction now takes place through Signal).
Opening up the app and togging the settings, then the ‘Configure filter update’ brings up a small modal screen. In here the filter lists that are being used can be enabled, disabled or new ones added. Click on the edit button for a empty line at the bottom and add the link to what ever filter list you want to use (make sure you trust the source!).
After adding the list to the filters and enabling it, back out to the root and trigger a ‘restart’ of the client. This will cause the new configuration to be downloaded and enabled.
The client will now also fetch a new version of the list that you added every 7 days, keeping you updated with the latest version and any changes it might bring. This interval can also be configured in the settings.
Conclusion Link to heading
If you were following along then congratulations! You have now filtered even more of the Facebook ecosystem out of your personal computing sphere, freeing you just a little more from being spied upon.
There is in fact no limit to what domains you can block and filter, so go look at what block lists are available or even start your own.
Now I am personally hoping that ProtonVPN, which is also developed in the open and has its entire business model revolving around the privacy of their users, will introduce this kind of DNS sinkhole options in the future, as there is only ever going to be one VPN client running on a Android device. And sometimes you also want normal VPN functionality ontop of some privacy.