Planning (not yet successful) to avoid being monitored by the H K “Le@ve_H0me_$afe” app

Stephen Cow Chau
Feb 12, 2021

Background

The H K gov is planning to have everyone use an app, “Le@ve_H0me_$afe” (the spelling is meant to fool search engines; hopefully it works for now), in the name of tracking the spread of COVID.

According to the HK gov, the data is supposed to be stored only on the local device, secured with encryption, and removed after 31 days.

(Original link and web archive link below; future historians can fact-check whether the news on the gov site stays the same as when it was archived)

On the other hand, another group's blog about the app proved the claims are, in my words: “Close to truth, but not 100% accurate” (my definition of “close” is > 50%)

For detail, please see blog from:

What I want to do

Given that I have my own VPN server, it might work IF:

  1. the app is on a device that always connects to the VPN server
  2. I identify the traffic it requests
  3. I block the traffic I don’t like at the VPN server

The app is on a device that always connects to the VPN server

While using iOS, I can only trust the network configuration to have all traffic using the VPN.

One might want to set the DNS server to a trustworthy one (like Cloudflare 1.1.1.1 or Google 8.8.8.8).

Most likely the default DNS server your ISP provides is fully under their control, meaning that if the ISP is forced not to resolve some hostname (e.g. hk___chr0nicles.c0m ← you know it if you are from H K) to an IP address, you cannot easily access the site.

The Outline client on iOS, on the other hand, does not yet seem to be actively using DNS over HTTPS/TLS (DoH, DoT), and I have no idea how to tamper with the VPN profile, so I am giving up on that for now.

Identify the traffic it requested

The first tool I considered was Postman Proxy, but I had NO LUCK getting it to work.

So I fell back to one of my older tools: Fiddler

Howto:

Example of intercept of traffic

In the screen above, the headers give some insight into the User-Agent and thus the app’s name.

Side discovery — Outline client VPN profile and HTTP proxy settings in iOS

I discovered that connecting to the Outline client VPN disregards the HTTP proxy settings in iOS. That implies that if I want the traffic to go through the VPN while discovering what traffic the apps are trying to make, I have to stop the VPN on the mobile device and enable the Outline VPN on the PC where Fiddler is installed (by default Fiddler respects the system proxy, which is the Outline VPN).

Block the traffic I don’t like at the VPN server (not yet successful)

This is the unresolved part. As I am not an expert in security, even though Outline is completely open source, I am not considering tampering with it. There is a feature request: https://github.com/Jigsaw-Code/outline-client/issues/887 (which was initiated from: https://github.com/Jigsaw-Code/outline-client/issues/8)

Alternatively, it seems V2Ray already has that feature, but I am too lazy to try it yet.

One last resort might be to reject outgoing traffic at the firewall level, but since most firewalls filter by IP address, this might not be easy (some people suggested a cron job that periodically resolves a domain to its IPs and then adds them to iptables…)
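One way to script the cron-job idea mentioned above, as an added example that is not from the original post or from the Outline project. The set name `blocked_hosts`, the file `/etc/blocked-hosts.txt`, the script path and the choice of the OUTPUT chain are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): refresh a blocklist ipset from cron.
# SET_NAME and the hostname file path are assumptions made for illustration.
SET_NAME="blocked_hosts"

# Print the IPv4 addresses a hostname resolves to right now, one per line.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk '{ print $1 }'
}

# Resolve every hostname in a file (one per line; blank lines and # comments skipped).
resolve_list() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | while read -r host; do
        resolve_ipv4 "$host"
    done
}

# Read addresses on stdin and print input for `ipset restore`: fill a temporary
# set, then swap it in so the live set is never half-populated. Lines that are
# not in dotted-quad form are dropped and duplicates collapse.
build_restore() {
    echo "create $SET_NAME hash:ip family inet"
    echo "create ${SET_NAME}_tmp hash:ip family inet"
    echo "flush ${SET_NAME}_tmp"
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u |
        sed "s/^/add ${SET_NAME}_tmp /"
    echo "swap ${SET_NAME}_tmp $SET_NAME"
    echo "destroy ${SET_NAME}_tmp"
}

# Cron entry (example): */10 * * * * /usr/local/sbin/refresh-blocklist.sh --apply /etc/blocked-hosts.txt
if [ "${1:-}" = "--apply" ]; then
    ips=$(resolve_list "$2")
    # If DNS is down, keep the current set instead of silently emptying it.
    [ -n "$ips" ] || { echo "no addresses resolved; keeping current set" >&2; exit 1; }
    # -exist makes re-creating an already existing set a no-op instead of an error.
    printf '%s\n' "$ips" | build_restore | ipset -exist restore
    # Assumption: the VPN/proxy server opens the outbound connection itself,
    # so the rule belongs in OUTPUT. -C checks first so the rule is added once.
    iptables -C OUTPUT -m set --match-set "$SET_NAME" dst -j REJECT 2>/dev/null ||
        iptables -I OUTPUT -m set --match-set "$SET_NAME" dst -j REJECT
fi
```

Addresses behind a shared CDN also serve unrelated sites, and they can change between cron runs, so a block built this way is approximate.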

Conclusion

Um… the most important step is not resolved yet. To be continued…