System-wide ad-blocking compared to ad-blocking apps

The GrapheneOS FAQ suggests not using ad-blocking apps, describing a specific app as an example. It notes that ad-blocking apps function in a way that may cause security issues and that they need to implement a VPN service (https://grapheneos.org/faq#ad-blocking). I just wondered if this applies to other apps like NetGuard, TrackerControl and AdAway as well or if they function differently.
Are there more drawbacks of ad-blocking apps compared to system-wide ad-blocking via DNS servers (assuming the same blocklist is used to prevent differences in potential fingerprinting)? I'm looking forward to hearing your opinion.

    cactus457 I just wondered if this applies to other apps like NetGuard, TrackerControl and AdAway as well or if they function differently.

    These apps won't work, for the same but also different reasons:

    • NetGuard uses a VPN service, which has the same issues. NetGuard is mainly used as an app to block internet access for other apps. This is a GrapheneOS feature: you can block internet access for an app via the permission settings, which takes away the app's INTERNET permission and is a far more secure method.
    • TrackerControl uses a VPN service, which has the problems previously mentioned.
    • AdAway uses a VPN or changes the hosts file via root access. Root access is not supported.

    cactus457 Are there more drawbacks of ad-blocking apps compared to system-wide ad-blocking via DNS servers (assuming the same blocklist is used to prevent differences in potential fingerprinting)? I'm looking forward to hearing your opinion.

    Ad blocking via applications is not a foolproof solution as these apps, as explained in the documentation, degrade other security mechanisms to make these features work. Meanwhile, a private DNS server (the recommended option) doesn't have to do any of those things. Using these apps would also mean you cannot use a real VPN or Tor at the same time for some privacy. While a VPN would override the DNS, some real VPNs provide ad-blocking functionality anyway, rather than these half-baked implementations.

    Ad-blocking apps can do domain-based blocking, and they can do it per app. For example, app A can access google.com, but app B can't. A system-wide blocker does the same thing; however, it cannot distinguish between apps and therefore blocks a domain for every app.

    Proper ad blocking (which includes specific JavaScript blocking), especially for the browser, requires the content of the contacted domain to be seen, which requires deciphering HTTPS content. This way "some" objects of the "same" domain can be blocked while others are not. For example, "google.com/Picture.jpg" can be blocked while "google.com/page.html" still works. The paid version of the AdGuard app does this.

    However, these apps occupy the VPN slot, and so you can't use a VPN at the same time, unless the app also provides a VPN for you, which is rare.

    Whether any of these apps or system-wide (external) blockers are of use to you or not really depends on what you are trying to block.

    If you just need ad blocking for the browser, then using a browser with built-in ad blocking is a better choice, because you can use a VPN that way as well, and they implement object-based blocking.

    Using a DNS-blocking app is useful if you want to block a specific app from reaching a particular domain while not blocking it completely. But this use case is somewhat rare.

    Another case is if you want your whole system not to communicate with a certain domain. For example, you want absolutely nothing sent to facebook.com. In this example both system-wide (external) and app-based DNS blockers can do it, but the app will occupy the VPN slot. Also, using a VPN (in the VPN slot) and the "external" blocker together might not work, because the external DNS blocker only sees the connection to the VPN server.

    As @final said, some VPNs do have ad-blocking DNS lists, but they are not customizable (you can't add your own domains). Good for ad blocking, not good for blocking specific domains.

    These systems each have some useful use cases, but it just depends on what you need and what you can sacrifice, because there is a drawback to each system.
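The per-app versus system-wide distinction and the hosts-file route discussed in the two replies above, as an added example that is not part of the thread: a small Python model of the two enforcement points. The blocklist, UIDs and domains are constructed sample data; the per-app rule table is an assumption standing in for what a VPN-slot blocker keeps internally.

```python
# Added example (not from the thread): a system-wide DNS blocker decides on the
# queried name alone, while a VPN-slot blocker also sees which app (UID) asked.
from typing import Dict, Set

# Constructed hosts-file style blocklist, the format AdAway writes when it has root.
HOSTS_BLOCKLIST = """
# comment line
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
127.0.0.1 localhost
"""


def parse_hosts_blocklist(text: str) -> Set[str]:
    """Return the hostnames a hosts-file blocklist sinks to a null address.

    Note the caveat for the hosts-file route: entries are exact-match only, so
    'ads.example.net' on its own does not cover 'cdn.ads.example.net'.
    """
    blocked: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("0.0.0.0", "127.0.0.1", "::", "::1"):
            blocked.update(n.lower() for n in names if n != "localhost")
    return blocked


def dns_blocked(qname: str, blocklist: Set[str]) -> bool:
    """System-wide (private DNS) blocker: sees only the queried name.

    It never sees the app that asked, nor a URL path such as /Picture.jpg,
    because neither is carried in a DNS query. Parent labels are matched the
    way DNS filtering servers usually do.
    """
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def vpn_slot_blocked(uid: int, qname: str, blocklist: Set[str],
                     per_app: Dict[int, Set[str]]) -> bool:
    """VPN-slot blocker: the VPN service knows the originating UID, so it can
    combine the shared blocklist with per-app rules (assumed rule table)."""
    return dns_blocked(qname, blocklist) or dns_blocked(qname, per_app.get(uid, set()))
```

Run `parse_hosts_blocklist(HOSTS_BLOCKLIST)` and feed the result to both checkers to see that only the VPN-slot path can block facebook.com for one UID while leaving it reachable for another.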