Reality of FOSS projects...A conspiracy?

Great. Hope you will release an app that does all of the 3 items requested.

I tried RethinkDNS yesterday. I think it is primarily useful for devices running Android 8 or lower, because Google introduced the PrivateDNS feature with Android 9. This app allows for controlling that aspect more minutely, something unnecessary for the average user.

The Firewall feature is less useful compared to NetGuard or Karma Firewall. That’s because I didn’t find the option to allow LAN-only access for apps. It is either full network access or none. I don’t know why the LAN-only option is not available with any of the OSes.

Also, simply whitelisting apps under Firewall didn’t work. You have to mandatorily ‘exclude’ apps from both DNS & Firewall (which they call ‘exclude’) for apps to be able to connect to the internet. Unless this is a bug, the ‘whitelist’ feature (which allows apps to bypass the firewall but not DNS) is useless because it does nothing.

RethinkDNS didn’t do anything that NetGuard or Karma Firewall can’t do. On the contrary, it was less functional (no LAN-only access feature that these apps have) than those two. So not useful for me, unless I am missing something.

I didn’t say that I don’t like the app. I said the app was unable to block trackers. If blocking ‘intents’ is possible with ADB, I may give it a try when time permits.

Not sure what makes you say that. Those phones too use pretty much the same hardware. And these days spyware is introduced at the hardware level, so I am not sure if these phones are indeed as secure as they claim to be.

1 Like

Absolutely. That’s why one shouldn’t use a private device by logging in with a real identity.

It must use an anonymous account that is exclusive for a defined purpose, if logging in is essential.

A few things to note.

  1. Open source software is really just freely licensed material. It’s still technically copyrighted, but everyone that uses open source apps/programs automatically gets a free license to copy and redistribute the software for no additional cost, and legally.

  2. This doesn’t automatically mean the open source apps are private, but the open source apps tend to be more privacy respecting than commercial apps. For instance, let’s look at the Midori browser (could be a Linux or Android variant): the browser might just choose not to track you at all, but that doesn’t mean that the sites you visit don’t track you, since you are online within the browser. If you were to use a 100% offline app you are more private than an app with direct internet access, but other apps could use vulnerabilities in the OS to track you. Which is why I recommend using an encrypting note app, as well as encryption, along with a firewall that lets you choose which apps can and can’t connect online.

2 Likes

Google introduced the PrivateDNS feature with Android 9.

Private DNS comes with its own flaws, but of course, it is a native implementation, and works wonders when you set it to point to dns.adguard.com. Shame that Private DNS (DoT) is blocked in censorship-heavy countries, and trivially so.

That’s because I didn’t find the option to allow LAN-only access for apps

This one is coming, but instead of “excluding” all LAN traffic like NetGuard does, we instead want it to continue to flow through the local-VPN. This means queries / connections going on in the local LAN are also visible. The consequence is, it might take us a bit longer to implement and get it right.

I tried RethinkDNS yesterday.

Nice. Thanks (:

Unless this is a bug, the ‘whitelist’ feature (which allows apps to bypass the firewall but not DNS) is useless because it does nothing.

Ouch. Strong words. ‘Whitelist’/‘allowlist’ is helpful when one doesn’t want to block a particular app like, say, Fairmail. That is, adding Fairmail to the whitelist would exclude it from blanket firewall rules like ‘Block all apps when device locked’, ‘Block all connections when DNS is bypassed’, ‘Block apps not in use (foreground)’ etc.

As for ‘whitelisting’/‘allowlisting’ an app from both DNS+Firewall, that requires considerable work which is already underway: “Per-app DNS”, Issue #270, celzero/rethink-app (GitHub).

The long story short of this feature is, Android makes all DNS queries on behalf of apps, and so, it is not possible to know which DNS queries belong to which app. Of course, rough heuristics could be used, but when those break, they cause a lot of confusion (a rough heuristic is what NetGuard uses, it works well in 99% of the cases, but that 1% remains unfixable unless that heuristic is abandoned for a newer one, but then that newer one would work in some cases and won’t in another).

RethinkDNS didn’t do anything that NetGuard or Karma Firewall can’t do. On the contrary, it was less functional.

I have never used Karma, but have used NetGuard briefly before giving up on it. There’s a bunch NetGuard can’t do that RethinkDNS can, but I think those features don’t matter to you, personally. So, your assessment is valid in that context.

Those phones too use pretty much the same hardware.

You mean PINE64, Fairphone, and Librem? I thought those were open firmware?

1 Like
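The attribution problem described in the reply above, as an added example that is not part of the original thread and is not RethinkDNS or NetGuard code: DNS answers arrive without an app UID, so this example joins them to per-UID connections by destination IP (an assumed heuristic) and marks the cases where that join is ambiguous or impossible. All domain names, UIDs, addresses and timestamps are constructed.

```python
# Constructed sample events, in time order.
# DNS answers carry no app UID because the system resolver asks on the app's behalf.
DNS_ANSWERS = [  # (timestamp, queried name, resolved address)
    (1.0, "mail.example.org", "203.0.113.10"),
    (2.0, "tracker.example.net", "203.0.113.10"),  # same shared address
    (3.0, "api.example.com", "198.51.100.7"),
]
# Connections seen by a local VPN do carry the owning UID.
CONNECTIONS = [  # (timestamp, app UID, destination address)
    (3.5, 10101, "198.51.100.7"),
    (4.0, 10102, "203.0.113.10"),
    (5.0, 10103, "192.0.2.99"),  # hard-coded IP or resolved out of band
]


def attribute(dns_answers, connections, ttl=60.0):
    """Guess the domain behind each connection from recent DNS answers.

    Returns one dict per connection with a verdict:
      unique    - exactly one recent name resolved to the destination
      ambiguous - several names share the destination address
      unknown   - no recent answer matches, so no name-based rule applies
    """
    by_ip = {}
    for ts, name, ip in dns_answers:
        by_ip.setdefault(ip, []).append((ts, name))

    results = []
    for ts, uid, ip in connections:
        # Only answers seen before the connection and within the TTL window count.
        names = sorted({n for t, n in by_ip.get(ip, []) if 0 <= ts - t <= ttl})
        if len(names) == 1:
            verdict = "unique"
        elif names:
            verdict = "ambiguous"
        else:
            verdict = "unknown"
        results.append({"uid": uid, "ip": ip, "domains": names, "verdict": verdict})
    return results


if __name__ == "__main__":
    for row in attribute(DNS_ANSWERS, CONNECTIONS):
        print(row)
```

The second connection is the failure mode: a per-app rule keyed on the domain cannot tell whether UID 10102 is reaching the mail host or the tracker.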

Sorry, had to comment. :smiley:

That is the wrong question, IMO. Just because we can, does not mean we should. Do you carry a wallet, cash, gold, “papers”, valuable jewelry,…? If so, you can get by without Google’s help letting you feel more comfortable being more careless with those valuables. Why not get by without Google’s help letting you feel more comfortable being careless with your device?

That said, thanks for using the sentence form you did: you lose your device, not “a device is lost” like here: “Keep track of my Bluetooth devices”.

1 Like

There’s also
https://f-droid.org/packages/de.nulide.findmydevice/

1 Like

Agree with both your points. The point of the OP is just that people must NOT assume (or take for granted) that an app which claims to be open source is safe to use. It need not be so.

2 Likes

That’s what I use. So with that AND Netguard/ Karma Firewall, I am able to block apps from connecting to the internet, but still be able to connect to devices on the LAN, and block ads too on my non-rooted devices.

I still get some notifications from some apps that use Google Play Services to deliver them, even if they have been blocked from connecting to the internet. In the ideal scenario, I would prefer having the ability to completely block an app from using internet, directly or indirectly via intents. Unfortunately, there doesn’t seem to be a simple solution yet.

Looking forward to it. There is no AFWall+ like app for unrooted devices. I wish some day an app like that is available for unrooted devices that allows for more controls on the types of connections any app is allowed to have (as implemented in AFWall+).

Are you the developer(s) of RethinkDNS?

Sorry for the strong words. But when the app defines ‘whitelist’ as one where an app can bypass firewall but not DNS, I would expect a whitelisted app to be able to connect to internet. But that’s not what is happening. An app can connect to the internet only if it is excluded from both firewall and DNS, so I think this is some limitation in the way RethinkDNS is designed. Whitelist isn’t the best term for how it works.

From what I understood, RethinkDNS allows for finer control on the DNS settings, something not possible with the PrivateDNS feature available with Android 9 onwards. Such a level of control is unnecessary for an average user like me. So, I use the AdGuard DNS and NetGuard/Karma Firewall to control apps’ internet access (also LAN access) while blocking ads. But the problem with this setup is when I have to use a real VPN. Unfortunately, none of the existing VPNs allow for blocking apps, so my set-up becomes very limiting for how I want to use my device.

Also, I often see that my OS kills the VPN app every now and then, in which case too the setup breaks down. But since the OS has a built-in firewall, it is okay for the most part when controlling user installed apps.

I don’t know. I would take everything with a pinch of salt.

1 Like

From what I understand:
The standard OS that comes on Fairphone is just plain old proprietary filled Android last I checked.
They had a Fairphone Open thing that was AOSP, but it was not default.

PinePhone and Librem are mostly open source kernel/user-space, but the hardware might still have proprietary firmware.

PinePhone is not daily drivable.

The Librem is really not affordable at all.

we will be increasing prices for all new orders of the Librem 5 in stages (the phone will be priced at $1199 from all orders received on or after Nov 1st, 2021 and we expect this price to go upward to $1299 in March 2022)

3 Likes

Okay. What about when ‘device is stolen’?

That is fair advice on its own, but I don’t think wrapping it in conspiracy FUD is fair to the free software community, which has always taken such concerns seriously. I wish we could educate users on privacy and security without immediately resorting to such FUD.

Challenge accepted. :slight_smile:

Prevent it by whatever means necessary. Don’t accept inevitability and use Google as a crutch.

1 Like

No offense to the free software community. But this ain’t FUD. This is a real possibility. And more so when people talk of open source (and platforms that host them) as being totally clean.

With due respect to the community, I don’t see how a free platform or a free product can be sustained purely on voluntary donations. It just doesn’t make for a sustainable business model (even if you argue that this isn’t a ‘business’).

Without sufficient funding, there is no way to have bulletproof security.

1 Like

The need arises only after an unexpected event, which is possible even if you are very careful. This isn’t inevitable, but a possible scenario.

this ain’t FUD. This is a real possibility

The real certainty is you are giving your privacy to Google for a hope they are more secure. You have no case or evidence of FOSS being less secure. This is FUD by definition.

I don’t see how a free platform or a free product can be sustained purely on voluntary donations.

Many nonprofits are, but I agree that many “successful” nonprofits have some kind of sales, of products, or memberships and services. kernel.org being an exception?

Without sufficient funding, there is no way to have bulletproof security.

Better: Without sufficient funding, there is no way to have bulletproof security, whether FOSS or proprietary.

after an unexpected event,

It should be a very low probability that you lose your phone, one way or another. To me, the low-medium consequence and low probability make it not worth the privacy cost of telling Google (precisely) where your phone is located 24/7. YMMV.

2 Likes

As is typical of me, I’m late to the conversation; but to answer your question:
I think you are correct, unfortunately.

1 Like

You should look up MKUltra and the testimony of Cathy Obrien. It will give you more facts about what your example.

No, I’m glad it went the way it went. I learned stuff, you know, Matrix stuff.

I always assumed you approach any & every app/file as if it could be dangerous no matter what. No different from PCs… No conspiracy talk needed…
Lol

1 Like

Challenge accepted

It means different things to different people, but this beat me to it: “The ultimate one year review: daily driving the PinePhone” by Camden Bruce (Medium).