Hi there,
I see Privacy International has a guide up on Blokada. I did an informal review of its code and found that the developers aren't really transparent about how private the app is and what its actual capabilities are.
- Blokada generates a unique-id per install and shares it with its servers on every interaction with its servers.
- Blokada builds a custom user-agent string and shares it with its servers everytime the user visits its help pages, views the changelogs, checks for updates, downloads hostfile blocklists, for example.
- Blokada redirects almost all of its traffic to its own servers via
go.blokada.org through an analytics company, rebrandly.
- Blokada leaks DNS connections over TCP.
For code refs, see this hacker-news comment: https://news.ycombinator.com/item?id=26310349
Given my findings, F-Droid has flagged Blokada for violating user's privacy: https://gitlab.com/fdroid/fdroiddata/-/merge_requests/8536
The Blokada admins were privately informed about these shortcomings on Telegram over a period of time, starting in December, 2020, and are aware of it.
This isn't a slight on Blokada, which is a commendable project given away for free and made open source, though there is a case to be made whether Blokada (version 4) plagiarized code from Julian Klode's DNS66 project. Lack of transparency has been a theme which is worrying, and add to the fact there's little distinction between Blokada, the non-profit, and Blokada, the for-profit, things get murkier.
In light of this, Privacy International might want to re-consider endorsing Blokada on its website.
Disclosure: I co-develop a similar app, and worked on Android Enterprise & Security team at Amazon Research for 5 years.
cc: @la-carvalho
Hi there,
I see Privacy International has a guide up on Blokada. I did an informal review of its code and found that the developers aren't really transparent about how private the app is and what its actual capabilities are.
go.blokada.orgthrough an analytics company, rebrandly.For code refs, see this hacker-news comment: https://news.ycombinator.com/item?id=26310349
Given my findings, F-Droid has flagged Blokada for violating user's privacy: https://gitlab.com/fdroid/fdroiddata/-/merge_requests/8536
The Blokada admins were privately informed about these shortcomings on Telegram over a period of time, starting in December, 2020, and are aware of it.
This isn't a slight on Blokada, which is a commendable project given away for free and made open source, though there is a case to be made whether Blokada (version 4) plagiarized code from Julian Klode's DNS66 project. Lack of transparency has been a theme which is worrying, and add to the fact there's little distinction between Blokada, the non-profit, and Blokada, the for-profit, things get murkier.
In light of this, Privacy International might want to re-consider endorsing Blokada on its website.
Disclosure: I co-develop a similar app, and worked on Android Enterprise & Security team at Amazon Research for 5 years.
cc: @la-carvalho