Wednesday, July 24, 2019

Lockdown 0.1.1

Juli Clover:

Lockdown, a new app launching today, is designed to be an open source firewall, letting users block any connection to any domain, including those that use ad tracking services and analytics platforms to monitor device usage.

Lockdown is free to download and use, and because it operates on device, it collects no user data. Lockdown uses Apple’s VPN setup to function, though it is not a VPN and will not obscure your own IP address.

This sounds great, although it looks like you have to manually enter the domains to block, and they are blocked globally and permanently. Whereas, Little Snitch on the Mac prompts you interactively, its blocks can be temporary, and you can have different settings for each app.

Note that the actual name of the app in the App Store is “Lockdown Apps”. That’s currently the fifth app in the list when I search for “Lockdown.”

The source is available here. Being able to compile it yourself—from code that anyone can inspect—makes it a bit more trustworthy than downloading the version from the App Store, which you can’t prove matches the published source.


7 Comments RSS · Twitter

It sounds great, but blocking each domain individually is tedious. AdGuard pro for iOS has had blocklist subscriptions for at least 2 years via its “Privacy Module”— I run “Steven Black hosts” which blocks 43,000 of the most malicious domains.

Lockdown to me is more like an /etc/hosts file + GasMask. It’s preloaded with sites that should be blocked no matter what. And yes, I run /etc/hosts file, Little Snitch *and* AdGuard macOS and they all catch different things. What’s nice is that Apple now allows explicit local proxy blocking on iOS. It’s sorely needed.

I think the problem of “can’t verify against what’s in AppStore” rests squarely with Apple. These are the Duet Display devs, IIRC they’re ex-Apple. Anyway it’s good that Apple is allowing local proxy blocking apps now.

@Leo I don’t understand why you think it’s an Apple problem. You can’t verify that non–App Store Mac apps are what they say they are, either.

Hey Michael,

I'm Johnny Lin, co-creator of Lockdown. Thanks for writing about this, love your blog!

We do have preconfigured default lists already in the app (FB SDK, crypto mining, Email Tracking Pixels, etc) that we're aggressively expanding on in the next version -- this is the first release and we wanted to get it in the hands of the users so we could iterate and improve quickly.

Thanks for pointing out that Lockdown is open source - we think it's *absolutely bonkers* to use a non-open-source firewall, because you give it permission to ingests all your unencrypted connection data. And yes, we wish Apple would publish some type of hash or verification.


It’s Apple’s problem because they have a security team, and they can/should police claims of “open source”. They have the resources to build against source and run unit tests against what’s on github and what’s in the store. Too much deviation and they could reject the app.

They’ve spanked developers for “back end modifications” to apps in the past, this is just one more security check to ”protect the realm” that is the appstore.

And no, I don’t think devs should be required to post source, But I do think that if those claims are made, Apple should add verification to their security model. And yes, it’s admirable that the Lockdown and AdGuard devs post their source, Apple should rake advantage of that and make unit tests, especially for these new(er) “firewall” (net filter) apps.

@Johnny Thanks for making this app and releasing the source. I should have mentioned the built-in lists, as they help. But, to me, the main issue is not the manual aspect but that the timing is reversed compared with Little Snitch. If I don’t know to block something ahead of time, I can’t stop it until after it’s already transmitted data. Whereas, with an interactive design, I can see what’s going to happen and make a decision on the spot, before it goes through. I do realize that what I want may not be possible given the current iOS APIs.

Johnny, I love open source too, but iOS isn't open source, so I guess you "give it permission to ingests all your unencrypted connection data" too. There's trust involved ultimately.

Anyway, even if it's open source, don't you still need an AppleID to compile/install anything?

It works via the VPN Settings but without opening a real VPN, as far as I know. To create the VPN, you must enter your ios device password into a dialog that I never seen before. Until I know fore shure that this dialog is direct from iOS and not from the app, I don´t enter my password.

Lockdown does not work on VPNs. (The Observer)

Leave a Comment