How to preempt data exfiltration on iOS?

I have a security problem. Most of you probably have the same problem, and perhaps a few of you have solved it. I’m eager to hear more if you did. Here goes:

I’m talking specifically about iOS here, but could as well be talking about Android or others. Imagine that you need a useful app which doesn’t need to connect to the internet. The simplest example would be a photo editor. You find an app that supplies all the functionality you want, so you install it. During the install, it asks for access to your photos. (You can give it access to just some of them on recent iOS iterations.) You do so because, well, there’s no way to edit a photo without accessing it.

Game over. Sooner or later, your data is exfiltrated to (fill in app developer’s favorite country here) via innocuous-looking traffic to a domestic IP. Probably it happens surreptitiously and at low bandwidth, but it happens nonetheless.

There are some obvious solutions:

(1) Buy a separate phone and download all the apps you want before opening any of them. Then disable its internet access. Now you can use all the apps. When you want to edit something, you need to USB it over. If you discover that you’re missing a key app, delete all the apps, connect the internet again, and repeat the process.

(2) Download only the app you need at the moment. Disconnect the internet. Open the app. Run it as much as you like. Delete the app. Reconnect the internet.

(3) VPN apps can obviously intercept traffic, and some of them can do this on a per-app basis. Therefore, install a VPN app, but connect to an unresponsive server which will ignore all the traffic from the untrusted apps. Route only the untrusted ones to the VPN. This should be straightforward, but good luck finding a VPN app that will allow you to connect to “any old” server and just be happy that it’s unresponsive. (Can you?)

(4) Beg Apple to add an “allow internet access” switch in every app’s settings. Currently, this only applies to mobile data, not wifi or Bluetooth.

All of these solutions suck. And moreover this catastrophic design flaw could hardly be more obvious. Is there any more elegant or economical solution than what I’ve posted above?

A tracker blocker app, which will not only block known trackers, but also allow you to blacklist any attempted connections manually.
See: https://www.lifewire.com/why-you-still-need-a-tracker-blocker-on-ios-5181782

In Android, you can allow or disallow internet access for any app, although if the app needs a connection to work, then it wouldn’t make sense. Does iOS not have such? (I don’t know, myself.)

You could just as easily do your editing on computer.

P.S. I use this one on my Android with /e/OS: https://blokada.org/

You can also select your apps based on the privacy rating at which Exodus scores them:
https://exodus-privacy.eu.org/en/

This is what I do on de-googled calyx os. For example, I use google camera but deny it internet access.

BTW, tracker blocker apps use the VPN slot, which prevents you from using an actual VPN while the blocker app is on. But the way I see it is, I only really need the VPN when using the browser, which I’ve loaded up with NoScript, uBlock Origin, etc., anyway, so I’m OK with turning off the blocker app and then enabling the VPN just while I’m browsing.

I typically don’t install and certainly wouldn’t keep apps with bad privacy practices, as far as I know, and I always verify what they’re doing in the background by checking the connections in the blocker app. That’s why I’m comfortable with the alternating VPN/blocker app strategy.

@amarok In the height of irony, that Lifewire page blocked my privacy-enhanced browser. But Blokada has totally made my day. I gave you 2 likes for that.

<Drools…> Degoogled replacement for Android with app-granular network deniability… definitely deserves a bit fat like, even if not immediately implementable in my case. Filed for future deep dive.

My browser has javascript and cookies blocked by default and that page came up fine.

Would it be a reasonable strategy to set-up an own VPN Server at home on a raspberry pi or something and to filter the traffic with something like OpenSnitch installed on that server?

Or Pi-hole, which is what I use, although only over my home wifi, not remotely.

But with an own-VPN, you lose the benefit of obfuscating/changing your geo-location, and probably your identity.

Don’t forget to check out and possibly enable some additional blocklists in the settings. I think one is enabled by default, but it may not be strict enough for your purposes. (Or mine.)

I hate it when that happens! It’s worth a read, if you can open it with another browser or device.

Yes, but this was not the question in the topic, right?
It was about how to prevent apps of leaking your data to external servers. Not on how to make you anonymous.
And you could run the VPN server on a server somewhere on the Internet that you have rented anonymously.

Hi @Hristo,
if I had an IPhone I’d probably use https://guardianapp.com/ and I advice people who do to do so.
They use my preferred VPS service Provider where there was a longer article about them. https://metal.equinix.com/customers/guardian-firewall/
It could be all smoke and mirrors but then we are talking about Apple with their walled garden anyway.

That’s because you’re not using Tor. Good privacy is a royal pain.

Well, I think the problem you get into is that you never know which IP to block and when. We should expect that a well designed exfiltration app would behave itself for a long while in order to drive us into a state of complacency prior to commencing uploads, and even that at low bandwidth and targetting seemingly local servers. On the other hand, if you go the allowlist route, there are only a zillion addresses that you need to let through so that even your trusted apps work properly (and even then, servers move from time to time). This is why, ideally, I’m seeking app-granular network permissioning. (Why the hell this isn’t regarded as a plain old permission in the same sense as the camera and microphone is beyond me, but apparently not beyond Apple.) Of course, it’s good enough if I can ban the entire IP range, although I wonder how one would would handle IPv6.

Thanks for the tip. To clarify, is there a way just to block all destination addresses on IPv4 (and the equivalent on IPv6) for only one or a few apps? (One problem is that you might be on IPv4 one day and IPv6 the next, depending on the connectivity environment.)

Blokada is strictly a blocker of connections based on published tracker/ad/malware/social/porn/gambling blocklists that you choose and combine (from the settings panel) based on your needs. You can also manually add, as they appear in the feed, any connections you want to ban, which means the first one gets through to its destination, if it wasn’t blocked by a blocklist (and if you were connected to the internet at the time). (These last, for example, might be connections to servers and websites that may not technically qualify as trackers, but which you don’t want to allow in any case.)

For your IPV4/IPV6 needs, and app-level permissions in iOS, I have no idea what can be used for that.

But with Android maybe you can fashion a solution using the equivalent Android app and Anbox.

So … very high effort solution … create a full emulation environment for iOS, run whatever dodgy iOS apps you like, and provide whatever mediation between the emulated environment and the real environment you want.

If you were prepared to accept some risk then you could at least allow the internet access needed by the AppStore and block everything else, permanently. (If going down that road then not having a SIM in the phone and forcing it to use WiFi and implementing the blocking in your local network may work best.)

You would need a second phone to run any genuinely trusted apps that need access to the internet - although it is not clear that you would have any basis for trusting some apps and not trusting others.

I haven’t looked into this but if you choose not to configure WiFi then internet access implies a need for mobile data, and so if you can control mobile data on a per-app basis then you are controlling internet access on a per-app basis. ?

I would think a VPN app will be happy connecting to “any old” server but will not be happy that it’s unresponsive. So you would need to run a VPN server somewhere that responds as a VPN server but doesn’t actually forward any traffic.

Not disputing your overall goal or overall philosophy but I don’t think Apple would see this as a design flaw. They want to provide a networked environment for all apps e.g. so that apps can back up their data to the cloud if not store their data in the cloud.

(Apple only restricts mobile data because it is recognised that mobile data may have lower quota, may cost more and may be slower. The assumption is that eventually every iPhone comes back to its home WiFi, so it is OK to prevent the app from using the internet while out and about.)

Thanks, now I understand the strategy better. It success is basically down to whether you (1) remember to disconnect from the internet the first time you run an app and (2) whether or not the exfiltration address will be hit, so you can block it, before you give up and decide to reconnect to the internet. That might be likely to succeed in the near term, but it seems inevitable that exfiltration in the future will get stealthier as it grows more sophisticated, so I don’t know how long we can count on this working. (Granted, one could periodically revisit the exercise, looking for additional addresses over time, although one would presumably still miss a lot of exfiltration in the meantime.) The only other mitigation strategy that comes to mind would be to disable automatic app updates (which is a double-edged sword) so the dodgy app will never be able to improve its techniques.

Good info! First of all, I probably should have mentioned that I’m not able to test any of this directly because I’m trying to coach a friend across a chat app, which is difficult but sort of manageable. Anyways it’s a worthwhile discussion for the community here. (Personally I don’t use iOS and never will.)

According to him, there’s a question that comes up whenever one installs a new app, which has to do with whether or not the user wants the app to be able to upload personal information. I’m not sure of the exact wording, but this sounds like the perfect solution: just deny permission. However, I have literally no idea what this means. I guess one could install some sort of app that really needs internet connectivity, like a mapping app, then say “no” upon installation and see if it can still zoom maps to high enough detail to prove that it must have been downloading. Would be great to hear from anyone who can test this, as the behavior might also vary by iOS or phone version. My money is on a flag being set somewhere that politely asks the app to be nice and respect my privacy.

The emulation solution would be a nonstarter even I were sufficiently skilled to pull it off, simply because certain apps require high performance just to be useful, unfortunately.

I do rather like the idea of progressive allowlisting, but my understanding is that Blokada in particular doesn’t work like that. It’s denylisting only. This could also be done at the router level, but I personally couldn’t pull that off, let alone coach someone else how to do it on a different brand of router.

Yes, the second phone solution is as good as it gets. It’s just expensive and cumbersome with a doubly large failure surface, obviously. In his case, it’s a last resort.

And yes one could also just forget about wifi and live off WAN, which is already per-app blockable. That’s a great solution except now the phone becomes a bona fide tracker, so one can’t safely use it online at home or office.

As to the VPN strategy, while you can surely use a router to connect to any random nonfunctional node, you can’t AFAIK use a VPN app to do that because it tries to help you by forcing you to select from a list of nodes which are known to be functional. And obviously the router can’t do per-app filtration any better than Blokada.

And yes I’m sure you’re right about Apple not considering this as a design flaw. Security has never been their forte, or even their emphasis. As it stands, an app can just walk out the door with whatever it’s allowed to read off your file system, microphone, or camera, and just say it didn’t (unless I’m wrong about my assumption above, which would be ideal).

This isn’t strictly true, there are routers that can whitelist.