13
Feb
unnamed (1)

A small change in Android 4.2.2 has left one of the biggest ad-blocking app on Android basically dead in the water. Adblock Plus is one of the web's most popular ad-blocking tools, and has been available for Android since November of last year. So, why has Google effectively killed it? Security issues.

Adblock Plus relies on the internet permission in Android to function, but it relies on a rather specific subset of that permission in order to work: the ability to automatically set a device's proxy server to 'localhost.' As is pointed out on a thread in the Android issues section of Google Code, this is a pretty serious security flaw. Allowing any app with the internet permission to change a device's proxy settings could lead to phishing abuse or compromised privacy.

What this means for Adblock, which automatically changes a device's proxy settings when activated, is a lot more work. If Adblock can't automatically set the proxy, that means the user will have to do so manually. Every time a connection is initiated. And for the average Adblock user, this probably means just not using the app anymore.

Adblock seems to be taking the news relatively well, though there's obviously some frustration. The company's lead developer had this to say:

This fix has made it impossible for Adblock Plus to automatically set the proxy for the current active connection. From a security perspective it makes sense but it has a significant, negative impact on everyone who uses our app. While in Android 2.x the proxy was globally configured for all connections, this changed with Android 4.x which requires to individually set a proxy for each Wi-Fi connection. In addition to that the proxy has to be set each time a user connects to a network and the process of changing those settings is not very user-friendly.

There is not much we can do right now except making the process as simple and as smooth of an experience for our users as possible. We hope for another update from Google with their next Android release to provide us with an appropriate API so that our app can work even better on non-rooted devices.

Given that only a very small subset of Android devices are even running Android 4.2.2 at this point (and it will likely remain that way a while yet), Adblock still has time to try to figure out a workaround to this problem. For now, the only solution the company is aware of is described here, though that's still a lot of taps that I'm guessing the average person won't want to bother with.

David Ruddock
David's phone is an HTC One. He is an avid writer, and enjoys playing devil's advocate in editorials, imparting a legal perspective on tech news, and reviewing the latest phones and gadgets. He also doesn't usually write such boring sentences.

  • Vgpclife

    I use AdFree on my Android instead. I'm guessing this change breaks that too, yes?

    • Pancake345

      Most likely not, AdFree modifies a hosts file which is why it requires root permissions.

    • http://lupine.cc/ Maciej Wilczyński

      Nope. AdFree modified your hosts file. It has nothing to do with proxy.

    • http://www.facebook.com/omacranger Logan Graham

      It shouldn't. Those which require root edit the host file of the device, which just reroutes those ads to nothing essentially. They don't use an active proxy like this one does.

    • fidju

      To my understanding, AdFree and AdAway do not block ads in the same manner as Adblock Plus. They add blacklisted addresses to the host file so that they are not downloaded.

    • http://katzmatt.com/ Matt Katzenberger

      I don't think it will affect AdFree. I use it on my Nexus 10 and haven't noticed ads coming back since the update.

      AdFree doesn't use a proxy, but rather blocks ads by domain (where as adblock filters *all* of your traffic through the app). I prefer AdFree anyway.

    • http://google.com/+derekross Derek Ross

      AdFree modifies your /etc/hosts file. You're fine. ABP ran a proxy. The difference here is ABP worked on non-rooted devices. Where as other solutions need root.

      • http://www.androidpolice.com/ Artem Russakovskii

        This is correct.

    • http://twitter.com/LucasNJohnson Lucas Johnson

      Hmm. I don't know what it could be, but i get the feeling that the other apps modify host files instead of proxies... I'm not sure where i got this information.

    • mgamerz

      Did anyone mention that adfree modifies the host file yet?

  • http://www.androidradar.de/ Leif

    Good news in my opinion. Apps shouldn't be free and the user has to decide if he pays with ads or with his money.

    • http://profiles.google.com/marcusleejh Marcus Lee

      Apps shouldn't be free? I think I know a couple of app devs who might disagree with you there...

      • JonJJon

        This. Pretty sure there have been several articles across the web stating that several "well known" devs make more money off their free apps than the equivalent "paid" version.

        • PhillipCun

          yeah but i think his point is that if Adblock doesn't work its better for the devs of free apps.

          • JonJJon

            True

        • mldi

          I believe he meant that you should either pay, or view ads as your form of payment.

      • Ygor Vaz

        He's saying that if you use app's that are free because they are ads supported (like the free version of angry birds) you shouldn't use Adblock because you woudn't be supporting the developers.
        BUT! This app also blocks ads that appear when browsing on any site, and in this case it is a bad thing, since it will give this app developer and its users some headaches to make it work.

        • Justin Winker

          How you describe it makes me think it's more like piracy to block ads from an app that's free (which I wouldn't disagree with). I do think that the developers have a right to their money for their work, so I don't think AdBlock should be an app available through Play (and Google is right to fix any security patch that fixes the issue).

    • http://twitter.com/IamPeePay Tomáš Petrík

      What does this have in common with setting a proxy?

    • omegavesko

      That's retarded. Not only do many apps not have a paid/ad-free version at all, there are many, many regions that Google has decided not to provide paid apps to.

      • esper256

        It's not a decision. It's a process of beating down legal hurdles to be able to provide the infrastructure to take customer money. And to pay developers. Every country has their own laws to abide by. And the penalties for messing up are severe, especially if you are a big target with big bank accounts.

        • Justin Swanson

          I am ignorant to these markets. Does the population (from these markets) have the ability to petition the government or whatever agency that controls the sales or availability of app sales? That would give the population the ability to fight for the right/ability to purchase apps, assuming they have the ability to fight...

          • esper256

            It's not a prohibition of sales. It's laws that must be followed to do sales legally. People act like it is just a switch that someone at Google needs to flip to go live in countries, and that they somehow are just choosing not to do so.

            I don't know about other countries, but for example in the US:

            For every seller of a good, you must provide a receipt that satisfies certain laws.

            Because Google Play gives app sales revenue to the developers, they must implement some kind of tax system. For example a complexity in the US is that certain non-profit organizations are tax-exempt and shouldn't pay sales taxes, so Google needs a way to differentiate between these organizations.

            The list goes on and on. And this is just for one country. Every country they light up they have to make sure they've nailed down all the regulatory requirements before going live. There's no reason to petition for anything because governments move as slow as molasses. Even though Google isn't bringing online countries at a rate that meets your approval, certainly they'll probably be operational faster than any petition or grass roots movement could ever provoke regulatory change.

          • omegavesko

            Actually, Google has a history of having downright retarded policies on this. I'll use my own country (Serbia) as an example. Google actually let us buy apps a couple of years ago, then denied it for absolutely no reason at all. It's obvious they can do something about it, they just don't care.

          • Justin Swanson

            I am not sure that they don't care, but it might be about priorities. NO OFFENSE, but they might have other, higher priority markets to get straight. I don't know their priority list, but I find it strange they would just yank paid apps without reason, never to return.

            Either way, that sucks and I know how it feels. When the Market first came to Korea, it was like that for the most part and it required us to use MarketEnabler/Access to get anything from it.

          • Justin Swanson

            Thanks for the awesome answer.

            I thought it had more do to do with regulations of the countries and all of the wickets that Google has to follow. The only example I am aware of is in South Korea (where I live) when the Android Market went live, the Korean Government has an agency that _must_ review _all_ games sold in Korea. Period. So most of the games were either free or not available (Thank you market enabler/access).

            Due to that, I think there was some debate as to Google or the developer should submit the app for review, not to mention all of the previously existing games in the Market prior to it going live in Korea (The SGS1 was the first *major* android phone here).

            I think at some point the mandate changed to mobile games being allowed, but I am not sure. I know most, if not, all games are available here now.

          • omegavesko

            It's more Google's fault than it is the government's usually. We can't petition the government for something if we have no idea what the issue is, or who is the cause of the issue.

      • mldi

        So if you're in a region where you can't buy it, you decide to make the developer suffer for it? If the app wasn't available at all in your region, you'd bitch even more. These devs need to get paid somehow, even in markets where the Play Store doesn't yet facilitate payments.

    • brkshr

      I would rather pay for apps than have to view ads or have the ads slow down my experience. So as long as the free apps have a paid app without ads I would be fine. However, most apps come free only, forcing us to deal with ads.

      • Goldenpins

        Im on the same boat. I never keep free apps after a trial run. I know some hate losing adblock plus on the browser side but at the same time Google has been pumping out great products. so i have no issues with ads in the browser..

      • AGWednesday

        Forcing is a strong word. You could just not download the app.

    • http://www.facebook.com/profile.php?id=100002461247771 Stefan Dumitrache

      how about your mind? should your mind be free?

  • TheFirstUniverseKing

    Ad-Free is a much better app anyway. Hopefully this change doesn't kill that app too.

    • SoWhy

      It shouldn't. Iirc, AdFree uses a different mechanism to block ads, i.e. by redirecting ad-server hostnames to localhost via the /etc/hosts file

    • John

      What makes it "much better"?

      • TheFirstUniverseKing

        There's no need for a notification in the notification bar .

        • mgamerz

          It also auto updates and the only time you ever know it did anything is when root permissions toast shows up.

      • omegavesko

        It just edits the hosts file. No need to have it constantly running. Also, didn't AB+ only work on Wi-Fi without root?

  • http://twitter.com/TheChrisGlass Chris Glass

    This makes perfect sense. Any app that could redirect traffic like that IS a security issue.

  • http://twitter.com/TeamAndIRC Justin Case

    This is great news, this was potentially a major security concern. Adblock should of notified google and pointed it out, instead of relying on a 'vulnerability' for it's application. I'm guessing they could set the proxy manually to achieve the same effect.

  • http://www.ScienceProUSA.com SciencePro

    Does this change affect apps that use the Host file to block ads?

    • omegavesko

      Nope. AdAway, AdFree etc. still work fine.

  • j n

    ever since this app ran up my data passed my limit i couldnt care less about this app.

    • omegavesko

      "I'm an idiot, therefore this app sucks."

      • http://www.facebook.com/profile.php?id=100000003999549 Mike Harris

        In his defense, he did use the phrase "couldn't care less" properly. Most people screw that up.

        • andy_o

          Negated by "passed" instead of "past".

  • HatesAds

    Not a big fan of AB+, but I'm assuming this will effect AdAway the same way. This, imo, is a major fuck up for Google.

    • fidju

      It won't effect AdAway at all. Doesn't work the same way as AB+

    • Mack

      This change doesn't effect AdAway at all, or Ad-Free for that matter.

      AdAway is what I use.

    • Matt Alexander

      Yeah, damn them for closing these gaping security holes

  • http://www.facebook.com/profile.php?id=100001895771232 Caio Tunes

    Since when this is the biggest app? Im happy with Adfree still

  • CuriousCursor

    AdAway all the waaaay. Well it needs root.

    • Ray

      I use AdAway as well. Will it face the same issue though or does it use a different method?

      • http://nileshgr.com/ Nilesh Govindrajan

        I don't know about AdWay, but I use AdFree which modifies hosts file and sets all ad sites to local host. And it needs root. Assuming that the same is done by AdWay, we won't be affected.

        • Ray

          I think you're right. AdAway does use a hosts file as well.

      • OmarioAmriky

        AdAway changes the host file. It basically changes the way the device connects to any network be it the internet, a local network, or some wifi router you have sitting in your drawer. AdAway is SYSTEM deep.The only way for Google to ruin AdAway is to change the way Android devices connect to networks or to remove the app from the Play Store, both of which are very unlikely to occur.
        At least that's how I understand it.

  • deltatux

    Ummm, why use an app when you can do it pretty easily by yourself? Just get a /system/etc/hosts file on XDA and just sideload it yourself. Google can't do anything lol.

    • omegavesko

      This requires root, and AdAway can do that anyway. AB+ is mainly used by non-root users.

    • http://www.facebook.com/profile.php?id=100000003999549 Mike Harris

      That's what I'm trying to understand. Android uses a hosts file just like Windows, so swapping it out with an ad-free one (as long as you have root access) is pretty simple. I use an app called Adfree to do it, but I could easily grab a hosts file myself and load it. Unless Google somehow changes how that works, I don't see how they can stop us from ad-blocking.

      • Anand Thakur

        A proxy based solution like AdBlock can be much smarter about what it blocks. With a host file, the only way to block or allow a request is by the host name of the server. A host file based solution can't do something like "block all requests for files named bannerad.jpg" whereas AdBlock can.

  • http://twitter.com/s99nj S. Ali

    Geez AP you don't even have a clue what people use on their phones anymore. Everyone with a rooted phone moved to open-source Ad-Away. Talk about link baiting.

    • http://www.facebook.com/profile.php?id=100000003999549 Mike Harris

      AB+ works with non-rooted phones, so your point is moot.

      But still, what makes you think you know what "everyone" with a rooted phone uses?

      • http://www.androidpolice.com/author/eric-ravenscraft/ Eric Ravenscraft

        Anecdotal evidence which, as we all know, is admissible in the Court of Internet.

      • http://www.facebook.com/vxbinaca Paul Henning

        Then they can either root or suffer with the ads.

        • GraveUypo

          hmm looking at the android version distribution pie chart i think most people won't have to worry for the next two years.

    • http://www.androidpolice.com/ Artem Russakovskii

      When did we ever mention ad-away or talk about people with rooted phones getting affected? The title specifically talks about Adblock Plus as this change affects Adblock Plus and the security flaw behind it.

  • Everton Strack

    Rom toolbox have a option to addblock, and this is working!

  • brkshr

    AdAway works better & is open source.

  • Owen Finn

    Did Google approve the app for their market? Did Google just make it so that the app could no longer work?

    LAAAAAAwsuit.

    • http://www.facebook.com/profile.php?id=100000003999549 Mike Harris

      "Approve?" I think you're confusing Google with Apple.

      Google makes changes all the time that cause apps to lose functionality. How many lawsuits have you seen so far?

    • mldi

      Are you kidding me?! How does that hold any merit? Ads are the main source of revenue for Android developers.

  • Julio M

    Google did not kill it, it's time for the app to evolve.

    • http://twitter.com/redbullcat Phil Oakley

      They indirectly affected it pretty majorly, though.

      • Julio M

        "indirectly", that's the word missing from the article.

    • http://www.facebook.com/vxbinaca Paul Henning

      Yes just like that *snaps fingers*.

      It's time for you to root.

  • http://www.twitter.com/RaptorHawk Hawk

    The Onavo Extend is also affected?

  • Christopher Bement

    Adblock hasn't worked for me on 4.2.1 at all. Sure, it blocks the ads, but it also causes network errors with facebook, youtube and a few other apps that stops refreshing streams or even playing youtube vids. Had to disable it to get shit to work, and AdAway isn't nearly as effective at stopping ads.

    • Doan

      "Adblock hasn't worked for me on 4.2.1 at all. Sure, it blocks the ads."

      You used a definitive statement that Adblock doesn't work, at all, then you mentioned that it partially works. It can't be both.

      • Christopher Bement

        If the ad blocking mechanism destroys the app's function, it doesn't work. I don't need you splitting my hairs for me, douchebag.

        • Doan

          If it blocks ads, you can't say it doesn't work at all. You sure aren't a very friendly one.

  • http://www.Nave360.com Sebastian Gorgon

    well that's it... i'm not updating.

    Edit:
    Apparently root solutions still work!

  • EMullins

    I think its cute that the Adblock guys think that Google is going to provide an API that may help them block ads.

    • esper256

      They already provide many such APIs in Chrome. You know. The web. Where they make most of their ad revenue from.

      • http://twitter.com/krismo5 krismo

        That API was given mostly by mistake, and they didn't take it back later. But up until then the adblockers were still blocking ads, just by hiding them as fast as possible.

      • http://www.greinr.com/ @ThomasGreiner

        1. Chrome extensions are not part of the web.

        2. Chrome on Android does not have extensions yet.

  • Danny Holyoake

    How about you stop relying on free stuff.

    I've had an Android device for over two years and don't think I've ever felt the need to use ad-blocking software.

    • mldi

      It's unreal you were downvoted more than upvoted.

      Good ghandi.

  • http://www.williamint.com William Aleman

    AdFree? anyone?

  • http://www.facebook.com/xethor Tarun Pemmaraju

    AdFree and AdAway will still work. I use AdAway purely because it looks infinitly better.

  • mgamerz

    Root ftw.

  • mgamerz

    While the security fix does kill adblock plus, I'd say the title is somewhat linkbaiting. "Google fixes security risk, adblock plus dies" would be have been less missleading.

  • Goldenpins

    deleted post

  • Prout

    Why not using standard things like vpn api?

  • mldi

    I say "good". If it's free, surely you can put up with a few ads in order to THANK the developer who put all that hard work into the software you are enjoying.

    C'mon guys. We wonder why Android doesn't monetize as well?

    • Garrett

      I'd rather pay the developer a few bucks than have to deal with in-app ads.

      • mldi

        Me too, but if there's no other choice I'm not about to go and deny them their "payment" if I use their stuff.

  • http://twitter.com/kev_martin Kev Martin

    Oh No! Poor Me! I may be exposed to an ad and heaven forbid might even one day BUY something from an ad and thereby pay a developer for his/her work. #sarcasm

  • TechGuy21

    adaway biatch :d

  • http://www.facebook.com/YAYSAVERGN Eric James Salcido

    AdAway and Adfree Android are what I use. Also ROM Toolbox PRO has an option to block hosts as well.

  • loop6719

    i miss the old internet..before corporate greed go their meat hooks into it. ABP has been my best friend for a long time now i wish i wish i wish

    • DavidHilbert

      "corporate greed" is the entire reason there is an internet. Go back to Siberia, comrade.

      • loop6719

        Wrong, you should read your history books. The internet existed long before, and did a fine job before corporations saw how they could monetize it. (Circa +-1998 )

        I know why ads exist, I am talking about all the useless flashing ads that adblock helps block on the pages of the 'real' internet page.All I am saying is that I would like a small choice in the matter, and my choice is to use ABP. Which in my opinion is more American then you care to know, but as long as we have people like you that continue to get dragged into the 'trough' of internet advertisements then they will continue to force feed us. Have a good day Comrade.

  • Ric Woods

    The steps were were easy enough and they also work fine on Nexus 7. THey need to mention that the wireless connection needs to be stopped and restarted to take effect.
    So thanks for that. Don't need no stinking API or app update.
    It's not as if I have to do it every time I boot the device, just once per new WAP I connect to.
    Less work than entering the security for the WLAN device.
    If your mama can't do it, do it for her. You need to talk to your mama anyway.

  • Paula

    Manually inputting settings works but the negative effects of this app are a big problem. Before update you could just untick filtering to quickly solve issues and use this app when you need it. Now filtering does not work had to disconnect internet and uninstall this app.

  • branden

    Meh. Custom roms baby.

  • Francisco

    DThese apps needs root permission to work. That means than the user have all the right privileges for do and on his or her device. For example if I've got my terminal without root permission I can'tuse of the blockers around the net. So i always are a way to bypass that security and use the device as the way you wanted to. Write this on my LG optimus 3d with Android 4.04 cream sandwich. OriThe maximum update for these device was to 2.3 gingerbread. This is just a, little example.

  • paulc

    Can't manually setup a local proxy, the "Save" button remains greyed out

  • http://www.allusefulinfo.com/ Raman Sharma

    Nice

  • Cristian Aska Malatesta

    I'm agree devs should be payed for their apps, if only ads were not intrusive, misleading, covering with notifications or fill 3/4 of the screen (phone/tablet's screens aren't big and sometime just tapping on X to close an ad is simply impossible, or if/when u can, it redirects somewhere else).
    If ads were less annoying, then everyone could be happier...

  • Jonathan Harmon

    Blinking ads give me seizures, they need to be banned.

    "ZOMG YOU WON! THIS R REAL! :D :D :D"

    *flash flash flash rave scene flash flash flash*

    *me suffering through pseudo seizure* (thank goodness for my meds)

    I don't think people would would give a rats patooty about ads if they were done properly. I've clicked many an ad because Z) it wasn't annoying, and Y) it actually pertained to my interests.

    • RiC David

      Yeah I have no problem with stationary/non flashing ads and if they actually made micro-ads instead of regular length video ads then I'd tolerate them but they're intrusive and obnoxious - not only are they long but they typically have loud noises, music in the background, abrasive voices or singing and this is the main reason I stopped watching television years ago - adverts just annoy the hell out of me with their loud, in your face, and irritating style.

      "Classic" ads, that is simple and direct ads where someone just pushes a product or service are fine with me but instead every single advert is some flashy over the top production usually with zany/unfunny comedic themes and a song playing throughout.

      The choice didn't have to be between ads or no ads, it could have been between bad, intrusive, obnoxious ads that don't respect the viewer and smart ads that reach a compromise so that more people allow them to be viewed. A lot of YouTubers miss out on a lot of revenue because of me and others who are the same way and they'll continue to because I won't accept these intelligence insulting commercials.

  • Matt Scheaffer

    This also applies to 4.1