
Apple Pulls 60 VPNs from China App Store - callumlocke
http://www.bbc.co.uk/news/technology-40772375
======
merricksb
Extensively discussed 2 days ago:

[https://news.ycombinator.com/item?id=14880659](https://news.ycombinator.com/item?id=14880659)

------
halfelf
Very sad. Though I have an alternative Apple account outside CN, prepared for
this a long time ago, it still brings me some inconvenience. These days you
can't trust any mega corp; they will eventually store our (Chinese citizens')
data in CN.

Another explanation is the upcoming 19th National Congress of the CCP. Recently
many policies have been published to restrict freedom of speech, indicating
the leader now might desire another five-year presidency.

~~~
abhi3
>indicating the leader now might desire another 5 year presidency.

Might? The consensus outside China seems to be that another term is a foregone
conclusion.

------
Severian
So does the Great Firewall do deep packet inspection? I take it that it does,
and blocks any protocols that it detects that allow tunneling/traversing the
firewall.

What if there was a method of changing the standard data formats to be
randomized based on one-time authorization codes? So your SSH/SSL/L2TP/etc. was
mangled around into something corresponding to a one-time auth function.
Basically pre-encrypting or obfuscating to avoid the deep packet inspection.

~~~
robert_foss
Have a look into the arms race between the Tor project and the Great Firewall
of China.

~~~
yoran
Related to this, this is an interesting paper that clarifies how the Great
Firewall discovers Tor nodes by doing active probing:
[https://nymity.ch/active-probing/imc2015.pdf](https://nymity.ch/active-probing/imc2015.pdf).
No deep packet inspection is necessary when you pretend to be a Tor user and
can identify the typical response for a Tor node.

~~~
swiley
Perhaps this could be defended against by probabilistic connection rejection?

------
pestrov
Seems like something similar would happen in Russia this Fall too.
[https://www.reuters.com/article/us-russia-internet-idUSKBN1A...](https://www.reuters.com/article/us-russia-internet-idUSKBN1AF0QI?il=0)

~~~
loceng
Hasn't Russia been trying to buddy up with China? And Turkey and the
Philippines are going through interesting transitions as well.

------
AlexGizis
Speedify got pulled Saturday morning: "your application will be removed from
the China App Store because it includes content that is illegal in China,
which is not in compliance with the App Store Review Guidelines: 5. Legal"

------
emsy
It sucks that you can't simply sideload apps like with Android (it is possible
but has many restrictions). That's my main gripe with iOS. Without Apple's
servers your device is virtually useless. Apple pulling those apps would be a
non-issue.

~~~
shimfish
As a developer who makes a living charging for apps, it's wonderful that you
can't simply sideload apps like with Android.

~~~
amirmc
I think the above comment is somewhat orthogonal to getting paid. The issue is
that the Apple App Store is the only marketplace (realistically).

For example, I try to avoid the Mac App Store and buy/download direct from the
vendor, where possible. I can't do that on iOS.

------
4ad
What exactly is a "VPN app" for iOS? How does it work? I was under the
impression that iOS natively supports VPNs through IPsec (and perhaps a few
other technologies), and that it doesn't have tap/tun devices, nor does it
allow installing kernel drivers to create tap/tun devices, so you could not use
e.g. OpenVPN.

So what do these VPN apps actually do? Are they just a front-end for some
service, but the phone still uses IPsec? If that is the case I assume you can
configure IPsec manually?

Can someone explain? A link to some technical document would be amazing.

Thank you!

~~~
giovannibajo1
Apple allows developers to implement new VPN protocols as a sandboxed plugin
that communicates with the network manager; this was implemented in iOS 9 as
part of the larger iOS 8 effort of implementing sandboxed plugins like custom
keyboards.

A VPN app contains such a plugin, plus the required user interface to log in
to / configure the service. The user downloads the app, configures it by
providing credentials (or gets auto-configured through an MDM), and then the
VPN network appears in Settings, among the other VPNs created with a built-in
protocol like IPsec.

The VPN plugin is obviously sandboxed with the minimum possible privileges.

This is a WWDC video explaining it:
[https://developer.apple.com/videos/play/wwdc2015/717/](https://developer.apple.com/videos/play/wwdc2015/717/)

This is a blog post with a tutorial:
[http://www.hideme.io/blog/en/ios-9-vpn-api-network-extension...](http://www.hideme.io/blog/en/ios-9-vpn-api-network-extension-udp/)

This is the entry point for the official documentation for all kind of network
plugins, of which VPN is one:
[https://developer.apple.com/documentation/networkextension](https://developer.apple.com/documentation/networkextension)

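The plugin described in the comment above is a `NEPacketTunnelProvider` subclass. The following is an added example, not Apple's sample code and not any vendor's app: it shows the shape of such a plugin, with the OS handing the extension the virtual interface's IP packets through `packetFlow` and the extension relaying them over a transport it opens itself. The transport here is a bare UDP session with no encryption or authentication, which a real VPN protocol would add on top; the server name `vpn.example.com`, port 1194, the 10.8.0.0/24 addressing and the DNS server are all assumptions. Building it also needs an app extension target with the `com.apple.developer.networking.networkextension` (packet-tunnel-provider) entitlement and a `NETunnelProviderProtocol` configuration saved by the containing app or pushed via MDM.

```swift
import NetworkExtension

/// Added example, not Apple's or any vendor's code. A minimal packet-tunnel
/// provider: iOS runs this class in a sandboxed extension process. The system
/// owns the utun interface; the extension only ever sees packets via
/// `packetFlow` and may only open network connections through the provider
/// API (`createUDPSession` / `createTCPConnection`), never raw sockets.
final class ExamplePacketTunnelProvider: NEPacketTunnelProvider {

    private var session: NWUDPSession?

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // `serverAddress` comes from the NETunnelProviderProtocol that the app
        // (or an MDM profile) stored in the VPN configuration. Assumed here to
        // be "vpn.example.com".
        guard let host = protocolConfiguration.serverAddress else {
            completionHandler(NEVPNError(.configurationInvalid))
            return
        }

        // Describe the tunnel interface to the system: its address, the routes
        // that should use it, DNS, and MTU. All values below are assumptions.
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: host)
        let ipv4 = NEIPv4Settings(addresses: ["10.8.0.2"],
                                  subnetMasks: ["255.255.255.0"])
        ipv4.includedRoutes = [NEIPv4Route.default()]   // full-tunnel: 0.0.0.0/0
        settings.ipv4Settings = ipv4
        settings.dnsSettings = NEDNSSettings(servers: ["10.8.0.1"])
        settings.mtu = 1400

        setTunnelNetworkSettings(settings) { error in
            if let error = error {
                completionHandler(error)
                return
            }
            // Transport to the server (assumed endpoint). A real protocol would
            // establish keys here before forwarding anything.
            let endpoint = NWHostEndpoint(hostname: host, port: "1194")
            let session = self.createUDPSession(to: endpoint, from: nil)
            self.session = session
            self.pumpInbound(session)
            self.pumpOutbound()
            completionHandler(nil)
        }
    }

    /// Device -> server: read a batch of IP packets from the virtual interface
    /// and send each as one datagram. `readPackets` delivers a single batch per
    /// call, so the handler re-arms itself.
    private func pumpOutbound() {
        packetFlow.readPackets { [weak self] packets, _ in
            guard let self = self, let session = self.session else { return }
            session.writeMultipleDatagrams(packets) { _ in }
            self.pumpOutbound()
        }
    }

    /// Server -> device: each datagram from the server is taken to be one
    /// IPv4 packet and injected into the interface.
    private func pumpInbound(_ session: NWUDPSession) {
        session.setReadHandler({ [weak self] datagrams, _ in
            guard let self = self, let datagrams = datagrams else { return }
            let protocols = datagrams.map { _ in NSNumber(value: AF_INET) }
            self.packetFlow.writePackets(datagrams, withProtocols: protocols)
        }, maxDatagrams: 32)
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        session?.cancel()
        session = nil
        completionHandler()
    }
}
```

The point of the design, relative to the tun/tap discussion further down the thread, is that nothing in this class runs with more privilege than any other app extension: routing and interface creation are done by the system on the extension's behalf in `setTunnelNetworkSettings`, so a buggy or malicious VPN plugin cannot sniff other interfaces or load code into the kernel.
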
~~~
4ad
Thank you very much for this explanation. It would be great if macOS worked
the same. Personally, I try to use IPsec VPNs as much as possible, and then I
use the built-in networking on my laptop, but quite often my clients require
me to use their Cisco AnyConnect VPN, which basically requires installing
kernel modules.

Edit: actually after reading your link, it appears Network Extension is
supported by macOS as well? That would be great news, if vendors would also
update their apps to use it.

~~~
johncolanduoni
OpenVPN can do both routed and bridged connections on macOS without kernel
modules (using a tun/tap device, as it does on other Unixish platforms). This
requires administrative privileges though, which is what Apple's API is
designed to avoid.

~~~
4ad
> OpenVPN can do both routed and bridged connections on macOS without kernel
> modules (using a tun/tap device, as it does on other Unixish platforms).

But macOS doesn't have a tun/tap device. It needs kernel drivers to create
one.

In either case, my main gripe is with Cisco AnyConnect, not OpenVPN. Cisco
AnyConnect is very popular; I haven't had any client use OpenVPN, though many
do use IPsec.

------
sumanthvepa
Just out of curiosity, how do businesses in China that have remote offices
secure their communication? It must be hard without VPNs.

~~~
Yeri
As far as I have been able to figure out and remember from my time in China...

Businesses are technically allowed to have VPNs. China still relies on foreign
companies, and a lot of Chinese companies rely on, for example, AdWords to
promote their business outside of CN. (This doesn't mean it's uncommon for CN
to try to hack into these VPN tunnels, but the goal is not blocking access;
it's more about corporate espionage.)

The Great Firewall also operates at the (customer) ISP level (rules and DPI
vary per ISP and city) and not so much on outgoing traffic.

Most western companies rent fiber directly that is not affected by the GFW.

For example, I know they could easily spot OpenVPN traffic and send RST packets
to the host (also, any DNS request with _vpn_ in it is often sent to a
honeypot). IPsec had better chances of success (perhaps because it was less
common?).

The VPN (and information control) targets mostly local Chinese. They don't
care too much about tourists (collateral damage).

~~~
devy
When I traveled there, I noticed that when I was roaming on the mobile network
(with a U.S. carrier SIM card but service provided via China Unicom), Facebook
was accessible. Do you know why?

~~~
TorKlingberg
Your data is routed as phone network data to your U.S. carrier, who has the
gateway to the internet. This is because mobile data protocols were originally
not designed with the Internet in mind, but as a separate network. The
internet gateways were added on later.

------
unstatusthequo
It's fine, the Chinese piracy apps will continue to support freedom of
information. </snark>

The irony of that is alarming.

------
brady747
Now, if China makes them pull shadowsocks(R) clients from the Apple/App/iTunes
store... then we'll know they are serious. Sorry for all the VPNers in China on
Apple; at least you can go get a cheap Android device in China and monkey
around and patch together a mobile VPN-based solution of some sort.

------
duncan_bayne
[https://m.youtube.com/watch?v=R706isyDrqI](https://m.youtube.com/watch?v=R706isyDrqI)

Perhaps someone should show Tim Cook.

------
vincnetas
ssh -D 12345 infidel@secret-server.com

~~~
zserge
Unfortunately, this method was blocked years ago. Well, not blocked
completely, but the speed slows down to zero (packet loss grows to 100%)
within a couple of minutes, making it practically unusable.

~~~
dlb_
Is normal SSH blocked too? How can they determine that SSH is being used as a
tunnel?

~~~
tempay
It's possible to detect even if the packets can't be decrypted (there are
commercially available solutions for corporate firewalls as well). This post
gives some interesting insight into some of their blocking capabilities.[1]

[1] [http://blog.zorinaq.com/my-experience-with-the-great-firewal...](http://blog.zorinaq.com/my-experience-with-the-great-firewall-of-china/)

~~~
bspammer
Can anyone in China confirm if the solution in this article (padding the
packets to random lengths) still works? I'm heading out to China later this
year and it would be nice to have this as a backup if my VPN doesn't work.

------
epynonymous
I can still download VPN clients from the US Apple store from China; it's not
a big deal thus far, though annoying.

~~~
bmelton
The assertion made on NPR this morning was that it was likely that the
'approved' VPN clients that remain on the App Store are likely to have
backdoors to the state.

I have no knowledge on that, so if that's an absurd assertion, please feel
free to let me know.

~~~
paradite
Can't find any NPR news on that except this old story that mentioned nothing
related to backdoor or approved VPN:

[http://www.npr.org/tags/540281875/vpn](http://www.npr.org/tags/540281875/vpn)

Any links?

~~~
bmelton
It was the radio Q&A segment. The speaker had a British accent, but I don't
recall the name.

------
new2424141
Does stunnel over OpenVPN bypass the GFW?

------
wuxb
Okay. Make China North Korea. #MCNK

------
onewhonknocks
What is their alternative?

~~~
sangnoir
Ask Google[1].

1. Google complied with China's censorship laws for a while, but since no
good deed goes unpunished, they got hacked by China. Only afterwards did they
decide to leave the Chinese market altogether and no longer censor their
Chinese results. They do get blocked now, from time to time (or depending on
keyword, I forget).

------
junkculture
China : "Jump!" Apple : "How high?"

~~~
romanovcode
Only thing that concerns Apple is to make money. They don't have a moral
ground on issues like these because they are a business.

Don't tell us you would say "no".

~~~
veidr
Speak for yourself, dude.

I would say "no". Tons of us would say "no".

There are various things on this spectrum that any business can choose to do,
or not do: use child labor, use political prison labor, dump toxic waste in
public streams and rivers (after funding lobbyists to make it legal), etc.

~~~
kryptiskt
Even simpler, they could just allow sideloading of apps so they don't have to
be the gatekeeper defending China's interests.

~~~
veidr
You're absolutely right; there's a moral dimension there, too.

(And not just in China. For instance, Apple banned an app I used to keep rough
tabs on how many civilians my democratically elected government was killing
with drone strikes.)

------
_pmf_
"Where we're going, you'll need no VPN!" (spoiler: it's an internment camp)

