[dupe] Apple Pulls 60 VPNs from China App Store (bbc.co.uk)
127 points by callumlocke 10 months ago | 81 comments

Extensively discussed 2 days ago:


Very sad. Though I have an alternative Apple account outside CN, prepared for this a long time ago, it still brings me some inconvenience. These days you can't trust any mega corp; they will eventually store our (Chinese citizens') data in CN.

Another explanation is the upcoming 19th National Congress of CCP. Recently many policies have been published to restrict freedom of speech, indicating the leader now might desire another 5 year presidency.

>indicating the leader now might desire another 5 year presidency.

Might? The consensus outside China seems to be that another term is a foregone conclusion.

So does the Great Firewall do deep packet inspection? I take it that it does, and blocks any protocols that it detects that allow tunneling/traversing the firewall.

What if there was a method of changing the standard data formats to be randomized based on one time authorization codes? So your SSH/SSL/L2TP/etc was mangled around to something corresponding to a one time auth function. Basically pre-encrypting or obfuscating to avoid the deep packet inspection.

When you have the data about a lot of normal traffic, you can easily spot the abnormal traffic. Then, slow it down or stop it. False positives aren't a huge priority, I don't imagine.

Have a look into the arms race between the Tor project and the Great Firewall of China.

Related to this, this is an interesting paper that clarifies how the Great Firewall discovers Tor nodes by doing active probing: https://nymity.ch/active-probing/imc2015.pdf. No deep packet inspection is necessary when you pretend to be a Tor user and can identify the typical response for a Tor node.

Perhaps this could be defended against by probabilistic connection rejection?

For anyone in on this, would be absolutely fascinated by any good, recent(ish) links where this is documented or discussed.

And hats off to the Tor people and all the good work they're doing there.

Seems like something similar would happen in Russia this Fall too. https://www.reuters.com/article/us-russia-internet-idUSKBN1A...

Hasn't Russia been trying to buddy up with China? And Turkey and the Philippines are going through interesting transitions as well.

Speedify got pulled Saturday morning: "your application will be removed from the China App Store because it includes content that is illegal in China, which is not in compliance with the App Store Review Guidelines: 5. Legal"

It sucks that you can't simply sideload apps like with Android (it is possible but has many restrictions). That's my main gripe with iOS. Without Apple's servers your device is virtually useless. Apple pulling those apps would be a non-issue.

As a developer who makes a living charging for apps, it's wonderful that you can't simply sideload apps like with Android.

I think the above comment is somewhat orthogonal to getting paid. The issue is that the Apple App Store is the only marketplace (realistically).

For example, I try to avoid the Mac App Store and buy/download direct from the vendor, where possible. I can't do that on iOS.

What exactly is a "VPN app" for iOS? How does it work? I was under the impression that iOS natively supports VPNs through IPsec (and perhaps a few other technologies), and that it doesn't have tap/tun devices, nor does it allow installing kernel drivers to create tap/tun devices, so you could not use e.g. OpenVPN.

So what do these VPN apps actually do? Are they just a front-end for some service, but the phone still uses IPsec? If that is the case I assume you can configure IPsec manually?

Can someone explain? A link to some technical document would be amazing.

Thank you!

Apple allows implementing new VPN protocols as a sandboxed plugin that communicates with the network manager; this was implemented in iOS 9 as part of the larger iOS 8 effort of implementing sandboxed plugins like custom keyboards.

A VPN app contains such a plugin, plus the required user interface to log in and configure the service. The user downloads the app, configures it by providing credentials (or gets auto-configured through an MDM), and then the VPN network appears in Settings, among the other VPNs created with a built-in protocol like IPsec.

The VPN plugin is obviously sandboxed with the minimum possible privileges.

This is a WWDC video explaining it: https://developer.apple.com/videos/play/wwdc2015/717/

This is a blog post with a tutorial: http://www.hideme.io/blog/en/ios-9-vpn-api-network-extension...

This is the entry point for the official documentation for all kinds of network plugins, of which VPN is one: https://developer.apple.com/documentation/networkextension

Thank you very much for this explanation. It would be great if macOS worked the same. Personally, I try to use IPsec VPNs as much as possible, and then I use the built-in networking on my laptop, but quite often my clients require me to use their Cisco AnyConnect VPN, which basically requires installing kernel modules.

Edit: actually after reading your link, it appears Network Extension is supported by macOS as well? That would be great news, if vendors would also update their apps to use it.

OpenVPN can do both routed and bridged connections on macOS without kernel modules (using a tun/tap device, as it does on other Unixish platforms). This requires administrative privileges though, which is what Apple's API is designed to avoid.

> OpenVPN can do both routed and bridged connections on macOS without kernel modules (using a tun/tap device, as it does on other Unixish platforms).

But macOS doesn't have a tun/tap device. It needs kernel drivers to create one.

In either case, my main gripe is with Cisco AnyConnect, not OpenVPN. Cisco AnyConnect is very popular; I haven't had any client use OpenVPN, though many do use IPsec.

Most are essentially just a UIWebView with a preconfigured HTTPS proxy.

That sounds... awful; the name "VPN" doesn't really apply.

Which is why that’s not the case. iOS supports real VPN:


The legit apps are mostly VPN policy/configuration managers. You give them permission to hook into the consumer- and business-level VPN capabilities built into iOS without giving them the ability to MITM all the traffic on the device.

Mostly the apps give you tools to select the edge / country you want to connect to, whether you want DNS ad blocking, and a way to use App Store subscriptions to pay for VPN. They can also give you easy on/off 3D Touch or widgets, or show you dashboards of usage.

You can use an app to create a VPN profile then remove the app, it’s not needed. You can also load VPN profiles other ways, without an app.

Thanks for the explanation, and the link!

Just out of curiosity, how do businesses in China that have remote offices secure their communication? It must be hard without VPNs.

As far as I have been able to figure out and remember from my time in China...

Businesses are technically allowed to have VPNs. China still relies on foreign companies, and a lot of Chinese companies rely on, for example, AdWords to promote their business outside of CN. (This doesn't mean it's uncommon for CN to try to hack into these VPN tunnels, but the goal is not blocking access; it's more about corporate espionage.)

The Great Firewall also operates on a (customer) ISP level (rules and DPI vary per ISP and city) and not so much on outgoing traffic.

Most western companies rent fiber directly that is not affected by the GFW.

For example, I know they could easily spot OpenVPN traffic and send RST packets to the host (also, any DNS request with "vpn" in it is often sent to a honeypot). IPsec had better chances of success (perhaps because that was less common?).

The VPN (and information control) targets mostly local Chinese. They don't care too much about tourists (collateral damage).

If the only way to get a VPN license is to have it attached to a business license, then control over entities with a VPN is a lot easier.

What they're presumably trying to prevent is anonymous VPNs (in that the client is unknown).
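The reset injection mentioned above (OpenVPN flows being killed with forged RST packets) can be spotted from the receiving side without decrypting anything. The following is an added example, not code from the thread: a small inspector that watches packets claiming to come from the server and flags a RST whose IP TTL is far from the TTL the real server has been sending with, or any server data that keeps arriving after a RST (a real server does not keep talking after it resets you). The flow key, port 1194, TTL values and the whole trace are constructed, and the TTL tolerance is an assumed value.

```python
"""Heuristic detection of injected TCP resets (added example, constructed data).

A reset forged by an on-path middlebox carries the server's source address
but leaves from a different hop, so its IP TTL rarely matches the TTL seen
on the server's own packets, and the genuine stream often continues after
it. Both signals are checked here.
"""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Pkt(NamedTuple):
    flow: str            # connection key, e.g. "client:port<->server:port"
    from_server: bool    # True if the packet claims the server as its source
    ttl: int             # IP TTL as observed at a client-side sensor
    flags: str           # TCP flags, e.g. "S", "SA", "PA", "R"


TTL_TOLERANCE = 2  # hops of jitter tolerated before a TTL counts as mismatched (assumed)


class RstInspector:
    """Tracks per-flow server TTLs and reset state, emitting verdicts for anomalies."""

    def __init__(self) -> None:
        self._ttls: Dict[str, Counter] = defaultdict(Counter)  # flow -> TTL histogram
        self._reset: Set[str] = set()                          # flows that received a RST

    def observe(self, p: Pkt) -> Optional[str]:
        """Return a verdict string for notable server-side packets, else None."""
        if not p.from_server:
            return None
        if "R" in p.flags:
            self._reset.add(p.flow)
            counts = self._ttls[p.flow]
            if not counts:
                return "rst-no-baseline"          # nothing to compare against yet
            baseline, _ = counts.most_common(1)[0]  # modal TTL of this server
            if abs(p.ttl - baseline) > TTL_TOLERANCE:
                return "rst-ttl-mismatch"         # forged from a different hop
            return "rst-consistent"
        self._ttls[p.flow][p.ttl] += 1
        if p.flow in self._reset:
            return "server-data-after-rst"        # the real server never reset us
        return None


def inspect_trace(pkts: List[Pkt]) -> List[Tuple[int, str]]:
    """Run the inspector over a packet list, returning (index, verdict) pairs."""
    insp = RstInspector()
    findings = []
    for i, p in enumerate(pkts):
        verdict = insp.observe(p)
        if verdict is not None:
            findings.append((i, verdict))
    return findings


# Constructed trace of an OpenVPN-over-TCP handshake that gets reset mid-stream.
FLOW = "10.0.0.5:51000<->203.0.113.7:1194"
SAMPLE_TRACE = [
    Pkt(FLOW, False, 64, "S"),
    Pkt(FLOW, True, 52, "SA"),
    Pkt(FLOW, False, 64, "A"),
    Pkt(FLOW, False, 64, "PA"),
    Pkt(FLOW, True, 52, "PA"),
    Pkt(FLOW, True, 53, "PA"),    # one hop of route jitter, still consistent
    Pkt(FLOW, True, 117, "R"),    # forged reset from a box much closer to the client
    Pkt(FLOW, True, 52, "PA"),    # the genuine server is still sending
]

if __name__ == "__main__":
    for index, verdict in inspect_trace(SAMPLE_TRACE):
        print(f"packet {index}: {verdict}")
```

The TTL check alone gives false positives when a route change shifts the path length by more than the tolerance, which is why the "data after RST" signal is kept as corroboration; in practice you would also compare the RST's sequence number against the window you were expecting.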

When I traveled there, I noticed that if I was roaming on the mobile network (with a U.S. carrier SIM card but service provided via China Unicom), Facebook was accessible. Do you know why?

Your data is routed as phone network data to your U.S. carrier, who has the gateway to the internet. This is because mobile data protocols were originally not designed with the Internet in mind, but as a separate network. The internet gateways were added on later.

It's fine, the Chinese piracy apps will continue to support freedom of information. </snark>

The irony of that is alarming.

Now, if china makes them pull shadowsocks(R) clients from the apple/app/itunes store...then we'll know they are serious. Sorry for all the vpners in china on apple, at least you can go get a cheap android device in china and monkey around and patch together a mobile vpn based solution of some sort.


Perhaps someone should show Tim Cook.

ssh -D 12345 infidel@secret-server.com

Unfortunately, this method was blocked years ago. Well, not blocked completely, but the speed slows down to zero (packet loss grows up to 100%) within a couple of minutes, making it practically unusable.

Is normal SSH blocked too? How can they determine that SSH is used as a tunnel?

It's possible to detect even if the packets can't be decrypted (there are commercially available solutions for corporate firewalls as well). This post gives some interesting insight into some of their blocking capabilities.[1]

[1] http://blog.zorinaq.com/my-experience-with-the-great-firewal...

Can anyone in China confirm if the solution in this article (padding the packets to random lengths) still works? I'm heading out to China later this year and it would be nice to have this as a backup if my VPN doesn't work.

It's trivial to detect SSH connections if you do deep packet inspection. Doing it for all connections and even on non-standard ports would require a significant amount of power, however. That might not be a problem for the Chinese government.
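The question of how SSH-as-a-tunnel can be told apart from ordinary SSH (and the earlier point that, once you have statistics about a lot of normal traffic, abnormal traffic stands out) comes down to flow features that survive encryption. The following is an added example, not code from the thread or from any firewall product: it extracts a few such features from per-packet sizes and directions of a port-22 flow and applies simple thresholds, the way a corporate firewall's tunnel-detection rule might. The packet sizes, the two constructed flows and the threshold values are all assumptions chosen for illustration.

```python
"""Flow-statistics heuristic for spotting SSH used as a bulk tunnel
(added example, constructed data).

A DPI box sees neither keystrokes nor URLs, only ciphertext sizes and
directions. An interactive shell is a long series of tiny client packets
with small server echoes; a SOCKS-forwarded web session is a few short
client requests followed by bursts of full-size server segments.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Tuple

Packet = Tuple[str, int]   # (direction, payload bytes); "c" = client->server, "s" = server->client

FULL_SEGMENT = 1400        # bytes; at or above this looks like a bulk-data segment (assumed)
KEYSTROKE_MAX = 100        # bytes; an encrypted keystroke packet is tiny (assumed)


@dataclass
class FlowFeatures:
    mean_size: float             # mean payload size over both directions
    big_fraction: float          # share of packets that are full-size segments
    down_up_ratio: float         # server->client bytes divided by client->server bytes
    client_small_fraction: float # share of client packets that look like keystrokes


def extract_features(pkts: List[Packet]) -> FlowFeatures:
    """Compute the size/direction features for one flow (non-empty)."""
    if not pkts:
        raise ValueError("empty flow")
    sizes = [n for _, n in pkts]
    client = [n for d, n in pkts if d == "c"]
    server = [n for d, n in pkts if d == "s"]
    up = sum(client) or 1      # guard against one-sided flows
    return FlowFeatures(
        mean_size=mean(sizes),
        big_fraction=sum(n >= FULL_SEGMENT for n in sizes) / len(sizes),
        down_up_ratio=sum(server) / up,
        client_small_fraction=(sum(n <= KEYSTROKE_MAX for n in client) / len(client)) if client else 0.0,
    )


def classify(pkts: List[Packet]) -> str:
    """Label a flow as 'interactive', 'likely-tunnel' or 'unknown' (thresholds assumed)."""
    f = extract_features(pkts)
    if f.big_fraction > 0.3 and f.down_up_ratio > 5:
        return "likely-tunnel"     # server-heavy, many full segments: forwarded downloads
    if f.client_small_fraction > 0.7 and f.big_fraction < 0.1:
        return "interactive"       # keystroke-sized client packets, no bulk data
    return "unknown"


def make_interactive_session(keystrokes: int = 40) -> List[Packet]:
    """Constructed flow: each keystroke is a tiny client packet plus a small echo."""
    flow: List[Packet] = []
    for i in range(keystrokes):
        flow.append(("c", 36 + (i % 4) * 4))    # 36..48 bytes of ciphertext
        flow.append(("s", 36 + (i % 7) * 12))   # echo, occasionally a longer prompt
    return flow


def make_tunnelled_download(requests: int = 10, segments_per_request: int = 6) -> List[Packet]:
    """Constructed flow: short forwarded requests, each answered by a burst of full segments."""
    flow: List[Packet] = []
    for _ in range(requests):
        flow.append(("c", 200))
        flow.extend(("s", 1448) for _ in range(segments_per_request))
    return flow


if __name__ == "__main__":
    for name, flow in (("shell", make_interactive_session()),
                       ("socks", make_tunnelled_download())):
        print(name, classify(flow), extract_features(flow))
```

Real classifiers add timing (inter-packet gaps are human-scale in a shell, bursty in a tunnel) and are trained on baselines rather than hand-set thresholds, but the point stands: none of these features needs the plaintext, so detection scales to any port the flow happens to use.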

I can still download VPN clients from the US Apple store from China; it's not a big deal, thus far, though annoying.

The assertion made on NPR this morning was that it was likely that the 'approved' VPN clients that remain on the App Store are likely to have backdoors to the state.

I have no knowledge on that, so if that's an absurd assertion, please feel free to let me know.

Can't find any NPR news on that except this old story that mentioned nothing related to backdoor or approved VPN:


Any links?

It was the radio Q&A segment. The speaker had a British accent, but I don't recall the name.

The VPN clients in the US app store have backdoors for Chinese access? This seems unlikely.

Does stunnel over OpenVPN bypass the GFW?

Okay. Make China North Korea. #MCNK

What is their alternative?

Ask Google[1].

1. Google complied with China's censorship laws for a while, but since no good deed goes unpunished, they got hacked by China. Only afterwards did they decide to leave the Chinese market altogether and no longer censor their Chinese results. They do get blocked now, from time to time (or depending on keyword, I forget).

Asking for a friend?

China : "Jump!" Apple : "How high?"

This comment has no substance and is essentially flamebait.

Really? To me it sounds more like an abbreviated way to say:

"Despite their polished 'Designed in California' efforts to strike a tone that resonates with the affluent organic free-range eco-democratic West Coast set, when the rubber hits the road, Apple kowtows to authoritarian despots if the profits are 'iPhone-scale'."

Does that also sound like flamebait to you? If so, then I suggest you introspect about where and why your fires burn.


I'm sorry you're taking it that way.

Did Apple cooperate with the FBI when they asked to help with the Pulse Club terrorist? No.

Every business has to follow local law. Same holds for Chinese companies doing business in the US.

Every business has to follow local law. Same held for companies doing business with South Africa under apartheid rule in the 1980s.

Pretending there isn't a moral dimension to it just because "it's business" is absurd.

> Every business has to follow local law.

To a degree. Every business has to follow the law of their head office and umbrella group. When local law is inconsistent with head office law, then a grey area is entered. If this grey area is not reconcilable, then head office wins and local office capitulates or shuts down if pushed to that extent.

So you'd have Apple do what? Fall on their sword and pull out of China? Or actually go to war against the Chinese government?

I don't know about you but I certainly respect Google a lot more for doing that

Didn't stop Huawei pirating iOS, did it?

All companies jump when the country they are in tells them to. At most we can complain during Apple shareholder meetings of our displeasure with them doing business in a country whose activities we do not agree with. There are far greater transgressions happening in other countries than blocking VPNs, but where is the concern for sales within them?

Lastly, we don't have the right to tell China what is right for China. We can say we don't agree but similarly do we listen to China when they tell us what they don't like?

> ...do we listen to China when they tell us what they don't like?

If they have good points, yeah. Grading ideas based on the source is a good way to stay ignorant.

So shooting protesting students is OK? Then at some point a higher law (to quote William H. Seward) takes over.

Only thing that concerns Apple is to make money. They don't have a moral ground on issues like these because they are a business.

Don't tell us you would say "no".

They absolutely stake out moral positions on issues like these all the time. The difference is they only do it in the West where rule of law prevails and they can actually exert influence.

They've done it with various anti-LGBT efforts that have taken place around the US, they've done it with the fight with the FBI and they're doing it right now in Australia [1], among others.

What they don't do is shoot themselves in the head in some misguided attempt at ideological purity.

[1] https://www.macrumors.com/2017/07/20/apple-talks-australian-...

> rule of law prevails

Well, according to the post, they are actually complying with the law even now. The law might suck, but it's the law.

There's a big difference between "rule of law" and "rule by law".

Speak for yourself, dude.

I would say "no". Tons of us would say "no".

There are various things on this spectrum that any business can choose to do, or not do: use child labor, use political prison labor, dump toxic waste in public streams and rivers (after funding lobbyists to make it legal), etc.

Even simpler, they could just allow sideloading of apps so they don't have to be the gatekeeper defending China's interests.

You're absolutely right; there's a moral dimension there, too.

(And not just in China. For instance, Apple banned an app I used to keep rough tabs on how many civilians my democratically elected government was killing with drone strikes.)

Another hard 'no' here.

There's even a strong chance I'd actively hamper company operations surrounding the project, and bust out psychological warfare on management until fired.

Me too. The point about Apple is that they are abetting human rights violations. The Chinese treat their people like animals.

This is just crazy talk @ The Chinese treat their people like animals.

Millions lifted out of poverty. Nationalistic fervor. Chinese tourists traveling abroad (shows affluence.)

I'm no China apologist but we could do with less grandstanding overall.

>The Chinese treat their people like animals.

The Chinese are the People, that's the point. Socialism. That's the definition of socialism.

The way you phrase 'The Chinese treat their people' is what socialism exists to fight against... or that's the ideological angle...

You cannot confuse nation, nationality, and identity for mainland China. They're rolled into one, which is perfect for the current hegemony.

Actually those silly trainings that most of us have to do at companies of similar size about company culture say exactly that, that it is preferable to lose a business than do immoral stuff.

Of course no one takes them seriously, because the actual reality on the field is that nothing other than profits matter.

Sure I would. Chinese market is already dominated by Android. Only those with a lot of money can buy Apple and people with a lot of money have influence.

I would love to see the party trying to come up with an excuse for their VIPs and their angry daughters for an Apple block.

That is a misperception. You think Apple made so much money in China because only the rich buy iPhones? Chinese people are willing to save/spend several months of their salary for the newest iPhone because it is a status symbol.

If anything will add to the further downfall of Apple in China, it's stripping functionality from the most popular mobile payment app in China. https://www.bloomberg.com/news/articles/2017-04-19/tencent-s...

So this is part of a Chinese Government strategy to get Apple out of the market?

Even more reason to not do it. If the Chinese government decided they want you out, you will be out. Why not take some advertisement with them for the rest of the world? They surely knew how that works from the FBI problem.

Oh, I see, they only take on "moral" issues when it comes to the US elections?

Companies like Apple, Google, and Facebook can sway the world right into totalitarianism via their support of censorship and disregard for basic human rights. If these companies do side with the least common denominator, where does that leave the rest of us?

Google does not censor search results in China and consequently remains largely blocked there to this day.

What would be the option? Leaving the Chinese market, having iPhones be pulled from the market and the App Store blocked by the Great Firewall?

Even without VPN clients, iPhones still provide superior client-side security to a lot of other phones out there.

"Where we're going, you'll need no VPN!" (spoiler: it's an internment camp)
