I stumbled upon this and it seems like a decent concept but I’m just wondering if anyone has used it or knows more about it.

  • slackness@lemmy.ml · 16 hours ago · 13 upvotes

    TL;DR: risks far outweigh the benefits. See bottom of response for recommendations.

    Should you use it?

    It works by setting up a proxy that intercepts HTTP requests from all applications

    During the first run, Zen will prompt you to install a root certificate

    Zen will be able to decrypt and analyze your entire traffic. And then it’ll encrypt what it allows before letting it leave/enter the device. This means even if you trust Zen, that one certificate is the only thing standing between your traffic staying encrypted. It gets compromised, you’re compromised.

    Do not trust an app with your entire traffic, ever. Even if it’s not malicious there are going to be bugs, vulnerabilities, leaks, etc.

    Moreover, something being open source does not mean it’s audited by people who know what they’re doing - neither for hidden malicious code nor for mistakes. I did not see any formal audits being mentioned in the readme.

    https://grapheneos.org/faq#ad-blocking-apps

    What can you use instead?

    You should instead use uBlock in the browser and system-wide DNS blocking on your device. You can use an adblocking public DNS server (e.g. Mullvad) or set up Pi-hole locally. You do not have to self-host Pi-hole; you can just set it up on your computer and use it on that device only, which would be the same thing as using Zen on that device.

    Note that using a public, blocking DNS will block fewer domains because they have to make sure it does not break anything for anyone, but it will make you less fingerprintable. OTOH, using a custom blocklist you can get the most out of blocking, but you’re probably the only person blocking that specific subset of domains, which will make you more fingerprintable. Take your poison.

    What about content filtering on desktop/mobile apps that DNS blocking cannot solve?

    DNS blocking merely stops the application from accessing certain domains. It won’t be able to block malicious content served from the same domain as the content you actually need (e.g. YouTube serves both ads and videos from the same domain so you can’t block their ads without blocking the video itself).

    You should not install applications you don’t trust on your device and use them on the browser as much as you can or use an alternative FOSS frontend (e.g. Reddit, Discord, YouTube etc.)

    But some applications might be circumventing system DNS

    Yes, there’s nothing stopping an application from doing its own DNS resolution or using hardcoded static IPs. You should not run applications trying to be actively malicious in this way. Neither Zen nor anything else will be able to protect you from untrusted code doing suspicious things on your machine.
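
The limitation described in the comment above (a DNS filter decides per hostname, so ads and content served from the same domain cannot be told apart), as an added example that is not part of the original thread. The blocklist entries, URLs and function names are constructed for illustration, and blocking subdomains of a listed name is this sketch's own design choice, not a statement about how Pi-hole or any public resolver matches.

```python
from urllib.parse import urlsplit

# Constructed sample blocklist: hosts-file lines and bare domains.
BLOCKLIST_TEXT = """\
# constructed sample entries
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
127.0.0.1 localhost
telemetry.example.com
"""

def parse_blocklist(text):
    """Return the set of blocked domains from hosts-format or bare-domain lines."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()  # drop comments
        if not line:
            continue
        domain = line.split()[-1].rstrip(".")        # last field is the name
        if domain in ("localhost", "localhost.localdomain"):
            continue                                  # loopback housekeeping entry
        blocked.add(domain)
    return blocked

def is_blocked(hostname, blocked):
    """Match the name or any parent domain, label by label (assumed policy)."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def dns_verdict(url, blocked):
    """A DNS filter only sees the hostname; path and query never reach it."""
    host = urlsplit(url).hostname or ""
    return "blocked" if is_blocked(host, blocked) else "resolved"

# Constructed requests: the last two share one hostname, as in the YouTube case.
SAMPLE_URLS = [
    "https://ads.example.net/banner.js",
    "https://cdn.ads.example.net/pixel.gif",
    "https://notads.example.net/",
    "https://video.example.com/watch?v=1",
    "https://video.example.com/ad_segment?id=9",
]

if __name__ == "__main__":
    blocked = parse_blocklist(BLOCKLIST_TEXT)
    for url in SAMPLE_URLS:
        print(f"{dns_verdict(url, blocked):9} {url}")
```

Adding `video.example.com` to the list changes the verdict for both of the last two URLs at once, which is the trade-off the comment describes.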

    • jacksquatOPA · 14 hours ago · 2 upvotes

      Nice, thank you for the reply. That’s kind of how I was feeling about it but wasn’t sure if I was missing something about it that was highly regarded.

  • Zerush@lemmy.ml · 13 hours ago · 3 upvotes

    Interesting, but I already use Portmaster, which does the same and more (also FOSS). It also offers an SPN (improved VPN) as an option; it’s a paid service. Anyway, it’s always good to use this and similar apps on the PC, on mobile maybe InVizible Pro (F-Droid version please).

  • Ulrich@feddit.org · 1 day ago · 3 upvotes, 2 downvotes

    Looks like it probably replaces your VPN, so you probably shouldn’t use that.