Yesterday was the first public release of the Guardian iOS Firewall app from the Sudo Security Group. My purpose here is to explain what it is and does, something both the company and the tech press have, so far, done a miserable job of.

Starting at the very beginning, the app is not a Firewall, at least not in any definition of the word I am familiar with. It is, instead, something relatively new to the scene - a Tracker Blocker. It exists as a VPN; as far as iOS is concerned it's just another VPN. But, it is a tracker blocker in VPN clothing.

What is a tracker? Anything that spies on you, either on your location or the things you do on your iOS device. In the old days, web browser cookies were abused to function as trackers, but things have gotten much worse on mobile devices. Assorted web browsers do both ad and tracker blocking, but that's fighting the last war. Tracking on iOS and Android is the current war.

A product like this is well overdue. If you care about privacy and use iOS, the Guardian app should be on your radar screen. As someone interested in Defensive Computing, it peaked my interest and I tested it, briefly, on the first day.

The Guardian app was implemented as a VPN so that the blocking of trackers is not done on the iOS device, it is done on the VPN server. A blog post from the company explains why they made this choice.

Kicking the Tires

On August 1, 2019 I tested the free version, not the paid edition. The first thing I noticed is that the app is sized for an iPhone rather than an iPad. No big deal.

A Guardian app Data Tracker Alert

Then I ran across a description of the free version as a "detection only firewall". WTF? I used the Feedback feature in the app to complain that these words had no meaning, at least not to me. Someone from Sudo Security responded the next day and explained that the free (a.k.a. lite) version reports on trackers but does not block them. The alerts in the free version function to prove the necessity of tracker blocking. Fair enough.

Personally, I did not need to be convinced, Defensive Computing and all that. What is misleading, however, is that the alerts in the free version (shown here at the right) do say that the trackers are "Blocked."
Update: I mentioned this to the company and they responded the same day. The Alerts are telling the truth. The free/lite version should say "Detected". That Trackers are being blocked for free is a result of the app having just gone live and the company still "adjusting servers." It won't last.

Still, ignoring the entire issue of tracking, the free VPN is a great thing in and of itself. As a rule, free VPNs are not to be trusted. My personal list of trustworthy VPNs offering anything for free was basically just ProtonVPN. From what I have seen and read, Sudo Security is also trustworthy. Two other free VPN providers that should be sufficiently trustworthy for most people are Windscribe and Tunnelbear. Hopefully, going forward, Sudo Security will be profitable enough to continue offering the free VPN service.

Speaking of profit, Tracker Blocking costs $100/year or $10/month (rounded up).

Putting the app in perspective, it does not block ads and it does not offer either a whitelist or a blacklist that you can manually adjust.

A Guardian app Location Tracker Alert

My brief test ran across Data Trackers and Location Trackers. A sample Location Tracker is shown at the right. I have read that it also detects Page Hijackers, though I am not sure exactly what those are.

Even though nothing was blocked, I found the Alerts quite useful. Unlike many people, my preferred router, the Pepwave Surf SOHO, is able to block access to domains. Thanks to Guardian, no devices on my home network will ever access adcel.vrvm.com again. At least they won't when they are not using a VPN or TOR. Scorecardrearch was already on my personal block list. Other trackers that the Guardian app discovered in my testing (t.appsflyer.com, events.appsflyer.com, ads.mopub.com) have also been banned from my home.

Seeing the many trackers, made me wonder how Sudo Security learned about them in the first place. The hard way, it turns out. Sudo did "continuous and exhaustive in-house research". They examined iOS apps using expertise few others possess.

Quoting from a March 2019 article by Glenn Fleishman: Strafach said Sudo has developed software that allows it to perform bulk analysis of App Store apps, and then identify the code in apps that generate network connections. Sudo can then determine how an app passes information and to what end. Network trackers try to evade detection by obfuscating and updating URLs, but Sudo’s ongoing analysis defeats those attempts ... 'We are aware of almost every active tracker that is in the App Store' said Strafach.

They examined hundreds of thousands of apps and the trackers embedded within them. While doing this research, Sudo exposures of bad behavior made news multiple times. For example, in September 2018, they published iOS App Location Data Monetization which revealed that many iOS apps had been covertly collecting precise location histories using code from data monetization firms. In many cases these apps were constantly leaking your location and other information.

A Tracker Blocker in VPN Clothing

Since the focus of the Guardian Firewall app is blocking trackers, it varies in a number of ways from other VPNs.

Normally a VPN assigns you new DNS servers, servers run by the VPN company. I tweeted last night that Sudo Security was using Google for DNS. This is easily discovered using any of the web pages listed on the Test Your DNS page on my RouterSecurity.org site. To anyone interested in privacy, Google is clearly a sub-optimal choice.

Will Strafach of Sudo Security responded that "... it is not a problem. remember, the origin IP address will show as that of the VPN node, not a user. that said, we understand that it is indeed a possible perception issue, so 1.1.1.1 will be the default for most". Indeed it was. The very next day, Aug 2nd, Guardian had switched to the more privacy oriented Cloudflare DNS servers. You can test this yourself at the Cloudflare tester page cloudflare-dns.com/help. Queries sent to Cloudflare by Guardian are not encrypted.

Strafach is correct that their DNS provider sees requests coming from their VPN servers rather than from their customers. But, playing devils advocate, if there are few people using a particular VPN server, someone might be able to trace DNS requests back to one of those users. Some VPN software shows you the resource utilization of the available VPN servers before you connect. In this case, customers wanting to hide, can chose a busy server which lets them hide in a bigger group than an under-utilized server. OK, I am over-analyzing.

To further nit-pick the point, Guardian does not seem to do anyting regarding WebRTC, a browser feature that can expose your public IP address even when using a VPN. WebRTC is a standard annoyance that all VPN providers are forced to address. Here is an example.

Another small point, is the VPN server name. In my testing, the server had a name that ended with sudosecuritygroup.com. Other VPNs try to hide the fact that they are being employed. Typically, they will make the VPN server name the same as its IP address.

On the upside, Guardian is an IKEv2 VPN. Support for IKEv2 is native to iOS. Far too many VPNs are married to OpenVPN, which is not natively supported on iOS. If IKEv2 is good enough for Apple, it is good enough for me. This also keeps the Guardian app relatively simple, as it does not have to re-invent the VPN wheel.

Another upside is that Sudo Security seems to have taken great pains to keep their VPN servers ignorant of your identity. There is no userid/password needed to access their VPN servers. According to the company, all the app provides is an indication of whether the client is a paid user or a freeloader. This can only go so far, as the VPN servers need to know your public IP address. And, not being an iOS developer, I don't know how much information Sudo Security is given by Apple, when someone purchases a license to use the system. But, as a rule, VPN providers know who their customers are, a big difference from TOR. That said, some VPN providers take cash, the ultimate trump card.

I am a frequent flier when it comes to VPNs and there is one attribute that is never discussed in any review. Unlike most people, I keep my devices off-line as much as possible. When they go-online, I often have to manually start the VPN. So, I prefer a VPN that automatically re-connects when a device goes on-line, and the Guardian Firewall VPN does so. Once you start it, you should be able to leave it running. Period.

Any VPN is going to incur a performance cost, as your data is routed to a VPN server, before continuing on to its ultimate destination. Nerds call this an extra hop. It is very unlikely that you will notice the minor decrease in speed.

Closing Thoughts

I have read that the Guardian Firewall is a unique product, but, there are other VPNs that also offer tracker blocking and run on Android too. And, offer ad blocking. Three that I am aware of are Perfect Privacy (see a review), Windscribe and Freedome from F-Secure. It's likely there are others too.

The March 2019 article mentioned that in the initial release the product was geared to a single device. I don't know if that is still true, as I only tested the free version on one iPad.

Finally, as a Defensive Computing guy, I hope the Guardian Firewall becomes immensely popular. It seems like a great way to strike back at the pervasive spying on mobile devices. Personally, I hardly ever use iOS, but the company wrote that the design of their app "allows easy portability to other platforms" so, hopefully, it will come to Android in the future. Then again, if it stands the test of time, it could be a reason to switch to iOS.