App developers try to stay 1 step ahead of government censors in 'intelligence game'
As network monitoring tools get more sophisticated, app developers work on new ways to stay unnoticed
Michael Hull recalls a time when frustrating Chinese government censors was as simple as bringing another server online.
Hull's company develops a censorship circumvention tool called Psiphon, popular in countries such as China, where access to information online is tightly controlled. It used to be that when the addresses pointing to Psiphon's servers were discovered and blocked, Hull would simply bring a new server with a new address online — until that server, too, was found. And on and on it would go.
But times have changed. As software designed to evade censors and software blocks has improved, so has the technology used by governments to curb its use.
Hull's app was one of numerous services removed from Apple's Chinese App Store over the weekend at the behest of the country's government, which announced its intent to block all such unregulated services by February 2018.
- Apple removes VPN apps in China to adhere to new rules
- Big Brother collecting big data — and in China, it's all for sale
On Sunday, the Russian government also announced the signing of a new law banning the use of virtual private network (VPN) services and anonymity software as of Nov. 1.
For service providers, putting circumvention software into the hands of users has always been a challenge. But in the midst of such aggressive crackdowns, there is added pressure to ensure their software will continue to work in the face of increasingly sophisticated countermeasures that require more novel workarounds to defeat.
"It's becoming less of a cat and mouse game, and more of an intelligence game," Hull said.
Traffic in disguise
In places such as China, gone are the days when sidestepping simple keyword filters or application-specific blocks required little more than a VPN or the anonymous browser Tor. Internet filtering technology used in some countries has reached a point where it can detect and block the evasion tools themselves.
As a result, there is a handful of efforts to develop new and improved evasion tools that, to a censor, don't look like evasion tools at all — a practice called traffic obfuscation. The goal is to take connections to sites and services that might otherwise be blocked and make them look more or less the same as connections to content that's approved.
Sometimes, the process is a sort of bait and switch. A user might look like they're merely visiting Amazon or Google, but their connection is actually redirected to blocked content. Other times, the traffic itself is disguised to look like the traffic of an unblocked app, such as Skype, or randomized in a way that looks unlike anything the censor has previously seen.
At the University of Waterloo, PhD student Cecylia Bocovich and professor Ian Goldberg have been developing an experimental technique called Slitheen that hides censored content inside requests for images and videos from approved sites. The hidden content is made to look as close as possible to the approved content as it travels across the network, making the evasion even harder to detect.
However, there are often shortcomings with such techniques, which is why services like Psiphon, as well as Lantern and VyperVPN, use several different approaches to routing and obscuring traffic designed to evade a variety of censorship techniques that can vary between countries and network operators. This approach has made them especially effective in places such as China, at least for now.
"They just sort of throw out the kitchen sink of techniques," said Nathan Freitas, a fellow at Harvard University's Berkman Center for Internet and Society, and a developer of a mobile Tor-based web browser for Android phones. "So China basically gave up trying to block all of these techniques and said, 'Let's just block the app, and Apple will do it for us.'"
App stores 'a weak link'
Multiple VPN service providers have said in recent days that their apps are no longer available in Apple's Chinese App Store. It's not the first time an app has been removed, but the scope and scale of the crackdown is significant. In a statement, Apple said it was "required to remove some VPN apps in China that do not meet the new regulations."
It's a decision that some believe could set a bad precedent for future requests by governments elsewhere in the world — even Western countries that aren't typically lumped into the same category as Russia or Iran.
The U.K. government, for example, recently announced it will require individuals to register and submit proof of their age before they can access pornographic websites.
"What is that going to mean for people who are using platforms to access porn websites anonymously?" said Eva Blum-Dumontet, a research officer at Privacy International.
In other words, might the U.K. follow China's lead and target circumvention apps that help citizens to flaunt its content laws? Blum-Dumontet says it's a reminder not to think of censorship as something that only happens in countries with reputations for being repressive.
Although the apps that were banned in China remain available in other countries' App Stores, Freitas says the decision is still a big blow. Unlike Android users, who can configure their phones to accept applications from outside the official Google app store, Apple only allows apps that it has approved.
This means iPhone or iPad users who might have previously been able to access an unrestricted internet with little more than an app will now have to turn to more complicated workarounds, or other devices entirely.
"The App Stores are a weak link in all of this stuff," Freitas said. He's not sure how far governments will go in blocking new and novel evasion tools — in particular, ones that rely on traffic obfuscation.
But one thing is clear: "Apple provides a quick shortcut."