Privacy and security are increasingly becoming a concern among average smartphone and computer users. Even if you have nothing to hide and aren’t doing anything illegal, the things you do can still be used to take advantage of or manipulate you. That’s the whole point of collecting data for advertisements: targeting people who may be susceptible to buying certain things. That kind of manipulation doesn’t have to stop at convincing you to buy things and it doesn’t have to stop at the company that’s doing the data collection.
How do you know who’s collecting data on you?
You probably don’t, but there are some ways to get a clue. Personally, I’ve got a Pi-hole DNS server on my network so that everything connected to my WiFi router uses that to resolve the external websites that my devices want to connect to. By using my own DNS server there, I can see which devices are trying to access which servers. I can also block the ones I don’t want collecting data or sending me content. That kind of setup is pretty awesome, but it requires building a cheap little Raspberry Pi server or a Virtual Machine of your choice. Normally, by default, all of your internet connections are resolved by your internet service provider’s DNS server. That means your ISP can see all of that information and maybe they’ll use it to sell advertisements or something else.
Mind you, the DNS queries we’re talking about are not necessarily representative of actual internet traffic. Apps or operating systems could be hardcoded to connect directly to external internet protocol addresses or they could be hardcoded to circumvent your DNS server or they could encrypt their DNS queries themselves. In most cases, everything is going to use regular DNS queries though.
My Pi-hole server doesn’t work when I’m not on my WiFi network and instead am using my phone’s data connection over LTE or 5G or whatever. In that case, my cell phone carrier’s DNS server is the thing that sees all of the other server names that my phone is connecting to. Unless, of course, I also create a VPN to my internal network and then route all of my phone’s traffic through that (which I did), but this is getting pretty complicated for a normal person, and there’s an easier way.
Especially on Android
Android is a bit more open than iOS, so it’s easier to get more freedom-friendly software for it. On the downside, it’s also much easier for phone makers to build privacy-violating tracking software into their versions of the operating system. I mean, Google does it, but so can lots of other companies who make Android smartphones.
Download Personal DNS Filter for Android
There are a number of DNS filter programs available for Android, but I’m going to recommend an open-source one called Personal DNS Filter. Open-source software tends to be more trustworthy, mainly because you (or anybody) can actually look at the source code and verify that it does what it says it does.
Once you start Personal DNS Filter, a log at the bottom will appear listing all of the internet hostnames that your phone is trying to connect to as they happen. The green ones are allowed and the red ones are blocked. If you read them, you’ll see most are recognizable names. The Office365.com one is my work email, the outlook.com one is my Hotmail account, etc.
If you tap and hold on one of the internet hostnames listed in the log, “Add filter” and “Remove filter” buttons will appear. Tapping “Add filter” will add the selected hostname to your personal blocklist, while tapping “Remove filter” will unblock it. This way, if you see your phone connecting to something you don’t trust, you can block it for the future.
By default, Personal DNS Filter is going to use your network’s regular DNS server. That means whatever you don’t block within the app will still go to your regular internet provider. If you tap the DNS field in the app, you can turn on “Disable DNS server discovery” which will make your phone use the DNS server listed in that configuration window. By default, there are a good number of them already listed. You can add ones you like and you can prioritize DNS servers that support DNS over HTTPS (DoH) or DNS over TLS (DoT) if you want your upstream DNS queries encrypted for even more privacy.
In the Advanced Settings > Configure filter update section, you can see the default real-time block lists that are already added, but you can also add your own block lists or other block lists from the internet. These are the same type of text file listings that Pi-hole uses and there are many to choose from on the internet.
In Advanced settings > Configure additional hosts, you’ll see a list of all the server hostnames that you’ve blocked. You can manually type or copy/paste others into this list as well, and you can do the same for the “allow” list. This listing also supports the asterisk (*) wildcard character, so you can block everything under the facebook.com domain like so: “*.facebook.com”. Or you could block everything and then edit the allow list to only allow connections to very specific servers. That would be useful if you have a very limited data plan on your cell phone, but maybe you still want to get emails from a couple of accounts… simply add the email server names you want to use to the allow list.
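To make the block list, wildcard and allow list behaviour described above concrete, here is an added Python example (not code from Personal DNS Filter or Pi-hole). The sample list and hostnames are constructed, and two things are assumptions rather than the app's documented behaviour: wildcards are matched as simple globs, and the allow list takes precedence over the block list.

```python
from fnmatch import fnmatchcase

# Constructed sample in the hosts-file style used by Pi-hole-type block lists.
SAMPLE_BLOCKLIST = """\
# constructed sample list, not a real feed
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org   # inline comment
metrics.example.com
*.facebook.com
"""

def parse_list(text):
    """Return (exact_hosts, wildcard_patterns) from hosts-style list text."""
    exact, wild = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        # "IP name [name...]" lines carry names after the address; bare lines are a name.
        names = fields[1:] if len(fields) > 1 else fields
        for name in names:
            name = name.rstrip(".")
            if "*" in name:
                wild.append(name)
            else:
                exact.add(name)
    return exact, wild

def matches(host, exact, wild):
    """True if host is listed exactly or matches a wildcard entry (glob semantics)."""
    host = host.lower().rstrip(".")                   # DNS names are case-insensitive
    return host in exact or any(fnmatchcase(host, p) for p in wild)

def decide(host, block, allow):
    """Default-allow filtering: allow list wins over block list (assumed precedence)."""
    if matches(host, *allow):
        return "allowed"
    return "blocked" if matches(host, *block) else "allowed"

def default_deny(host, allow):
    """The 'block everything, then allow specific servers' setup from the text."""
    return "allowed" if matches(host, *allow) else "blocked"
```

With glob matching, “*.facebook.com” covers subdomains but not the bare name facebook.com, so a list meant to cover both needs both entries under this assumption.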
This app uses Android VPN APIs to route all of your phone’s internet traffic to itself. That way the things you block don’t use up your data plan. If you’re going to use this all the time, remember to check your phone’s battery restriction settings and remove all restrictions in order to keep your operating system from shutting it down.
On iOS it’s not so easy
With iOS, there isn’t an easy way to install a local DNS server and you can’t even change the DNS server on cellular connections. You can change the DNS server on your own WiFi connections though. So, at home, you can change where your DNS queries go and point them to your own internal DNS server as I do with a Pi-hole.
There is an app called DNS Safety for iOS which might do something similar, but there are a number of significant limitations. You’ll have to switch your phone to supervised mode (which hard resets it), you’ll have to use Apple Configurator on a Mac in order to install a configuration profile, and you’ll have to use TestFlight for the software in the Apple Store.
On Android, it’s super easy to see all of the external internet servers that your phone is trying to connect to in real-time. Even if you don’t really care about privacy or security, it might be nice to just take a look in the interest of transparency or curiosity. And if you see that your phone is doing something suspicious, maybe you’ll want to do something about it.