iPhone + Global HTTP Proxy support + Covenant Eyes = Completely monitored iPhone?

Now that iOS6 is out, it looks like they've released a way to globally support HTTP Proxy:

https://discussions.apple.com/thread/...

Are there any plans to utilize this functionality so that I don't need to jailbreak my phone to get Covenant Eyes to be my default browser and add the capabilities I need?

Thanks.
JB

James Vanderdean

  • 2 Posts
  • 0 Reply Likes

Posted 7 years ago


Dave Caswell, Developer

  • 120 Posts
  • 14 Reply Likes
@JB

Great question!

We have looked into this at length only to find that it does not provide us with a viable solution for providing our service at the device level.

James Vanderdean

  • 2 Posts
  • 0 Reply Likes
Hi Dave,

I'm a developer myself and you've sparked my curiosity. What challenges have you guys run into?

JV

Dave Caswell, Developer

  • 120 Posts
  • 14 Reply Likes
The deal breaker for us was the inability to enforce that the device use the proxy. Without this ability, we end up with a solution where monitoring is easily switched off with no notification.

aggieben

  • 58 Posts
  • 8 Reply Likes
I think this is silly. It would be far better to have an option that users can actually use, rather than just saying "well, the technically-savvy could work around it, so we're just going to not try". Besides, even the technically-savvy (like myself) couldn't do anything about it without tethering the device to the supervising computer and removing the configuration profile. That would be a huge benefit to me.

CE has been very successful for me on my other computers, and this one issue is absolutely killing me, and you're leaving some of us more vulnerable than we have to be for what seems to me to be an "all-or-nothing" kind of approach.

Something is better than nothing.

Patrick Smith, Alum

  • 147 Posts
  • 21 Reply Likes
In fairness, aggieben, we've created a solution that is working for over 10,000 members. To say that we've made this an all-or-nothing proposition and chosen nothing isn't an accurate portrayal.

We're keenly aware of the shortcomings and frustrations surrounding our current iOS solution. Conversely, it's important that you're aware, we're working diligently to vet out other potential iOS solutions. We intend to pursue the most promising of them as rapidly as possible. Meanwhile, though, there is a viable--albeit very restrictive solution available. We presently have thousands of members willing to live within these restrictions to ensure vibrant accountability. Is it ideal? No. Is it the best option on the market presently? I think so. Are we satisfied to leave it at that? Definitely not.

I know it's difficult to know this from outside the walls of CE, but we care deeply about our members and their online integrity. We take our work very seriously because we believe it is intrinsically and eternally valuable. As the project manager for our mobile solutions, I can assure you that all available development resources are engaged on developing a more transcendent solution for both iOS and Android. I look forward to the day when I can announce something similar to what's been proposed here. Until then, I hope you'll make use of the accountability service that is presently available--even if it means device restrictions.

aggieben

  • 58 Posts
  • 8 Reply Likes
Patrick, I appreciate the response, but I just have a hard time with your position on this. I don't doubt your concern for your members' online integrity.

However, your approach to the problem requires users to sabotage a large subset of the usability - for example, the recommended configuration renders every clickable link in every app broken - of their devices in order to "enforce" the monitoring, but in reality, the restrictions required to make the CE app practical are no more enforceable than a configuration profile with the global proxy set up. All it takes is the pin code to go in and turn off all the restrictions and then the CE app is utterly useless. Conversely, the global proxy configuration would cover every app on the device, and could be protected in the same way as an app and just as easily installed: the configuration profile could be hosted online or emailed or whatever. An accountability partner with an unrestricted device could install the profile and then protect the configuration with a code. I have yet to see any argument explaining how this wouldn't actually be way better than the CE app in every respect, not to mention your cost of development.

Moreover, this solution could be device-independent (suddenly you can support every device for which you can't hire a dev), and I suspect you already have 99% of the infrastructure in place to do it because the desktop app has to work the same way - it's submitting requests to a server that scores them. Setting up an http proxy to do essentially the same thing should be a very straightforward, direct translation of all the work you've already done.

Please enlighten me if I've missed some really good reason why the above isn't so, but I remain frustrated because I don't think the reasons for declining this request are well-reasoned or even well-informed.

Patrick Smith, Alum

  • 147 Posts
  • 21 Reply Likes
The approach referenced in this thread is among several being considered. As I mentioned earlier, our intent is to pursue the most viable among them.

Ggreg Anderson

  • 2 Posts
  • 0 Reply Likes
Patrick, can you let us know what the other options being considered are?

Patrick Smith, Alum

  • 147 Posts
  • 21 Reply Likes
I cannot presently, Greg, but hopefully we'll be in a position in the relatively near future that the work/solution will speak for itself.

Daniel James

  • 2 Posts
  • 0 Reply Likes
You CAN install a configuration profile in such a way that it can only be modified/removed with a passcode, thereby ensuring the ability to "enforce" usage at the system level.

Granted, you still have upkeep of proxy servers for all CE users, and they don't want to become an ISP.

Might a better solution be to install a passcode-protected configuration profile that enforces *DNS* settings? You could then monitor traffic at the system level, and only need to maintain a primary and secondary DNS server, rather than actually become the pipeline for all internet traffic for all CE users.

James Lovallo

  • 5 Posts
  • 1 Reply Like
Can't you use password-protected, encrypted configuration profiles to enforce global http proxy use?

aggieben

  • 58 Posts
  • 8 Reply Likes
Yep! This should be very straightforward to set up, and it would be an actual solution to the problem.

Ggreg Anderson

  • 2 Posts
  • 0 Reply Likes
James, as I understand it (and if I'm wrong, please somebody correct me) this might be difficult for CE because it would basically require CE to host a server for all CE members' iOS clients (devices) and would need to (at least just for HTML routes and not the data itself) be routed through their servers. This would work fine till 10,000 html requests bog down their servers or their server crashed making all iOS devices unable to get online till CE's server is back online. There's a lot of liability on their end. Also, CE would have a high level of control on your device which opens a whole other can of worms.

But this I am excited about if it worked as the CE iOS app has a lot of limitations in it.

The biggest benefit of a service like that (don't read on if you don't want to be tempted) is I can't tell you how many other apps I've had to delete because they have a built-in web browser (which is obviously unfiltered) as some side function of the app like the help function. There would be a ton of apps I would reinstall if there was a way of monitoring global http activity.

jameschao

  • 1 Post
  • 1 Reply Like
Hi Dave Caswell/Covenant Eyes folks,

Just wondering if there is any follow up to this based on James L.'s last comment?

I'm not familiar with the technical aspects of iOS configuration profiles, but this would really be a GREAT improvement over the current approach, which really locks down the entire system to prevent app updates/installs...which unnecessarily cripples what makes the device so useful. Practically speaking, there are so many apps that have built-in browsers too, so the current approach has loopholes as well. So, I'd totally be behind such an effort to have better system-wide monitoring.

Thanks for the good work.

James

aggieben

  • 58 Posts
  • 8 Reply Likes
Completely agree. The CE browser + restrictions is not practical at all. You might as well not have a smartphone at that point.

aggieben

  • 58 Posts
  • 8 Reply Likes
I think absolutely you guys should be taking advantage of this. Here are the alternatives: zero accountability on my phone (and the CE browser is a joke because the restrictions that would have to be in place to make it viable as an accountability option are not practical, and the browser itself is terrible), or accountability that would require a non-trivial level of effort to work around it.

I think the latter is leaps and bounds better than the former. Please, please, please set up a proxy. I've even considered switching to Android because of this issue.

Ggreg Anderson

  • 2 Posts
  • 0 Reply Likes
aggieben, I'm just a user but read my comments above. Personally, I lock everything down when I'm on business away from my wife (she unlocks it when I get home). I have deleted a ton of apps because they have a built-in browser just like you said. I put up with the browser because I haven't found a better solution and CE provides the best. It's not ideal having an iPad I paid so much money for and with apps I can't use to get my money's worth out of it but it beats being addicted to porn.

As far as Android - that's a nightmare. As a coder myself, there's an overwhelming amount of workarounds to a point I don't know if I'll ever own one.

The best alternative that you or I have right now is (which is what I'm working on) to create a server that only an accountability partner has access to and set up an MDM on there and then route the traffic through CE. Hardly a simple solution but a solution nonetheless.

aggieben

  • 58 Posts
  • 8 Reply Likes
@Greg I've been considering that very thing. Just not sure how to host the proxy.

James Lovallo

  • 5 Posts
  • 1 Reply Like
Squidman for Mac + K9 is a fast & free solution. Feel free to email me with questions. lovallo.james@gmail.com

James Lovallo

  • 5 Posts
  • 1 Reply Like
Just an update, my current configuration relies on a physically-secured home server (just an old university surplus store rig running Ubuntu, nothing fancy) running privoxy and dansguardian to provide the filtering. Then the device is supervised with the global proxy to lock it into that server. IMO this provides a much more flexible solution than Apple's default blacklists in iOS 7. Since the configuration profile is backed up in iCloud, the only way out of it is to erase and set the iPhone/iPad up as a new device.
(Edited)

Annyong

  • 1 Post
  • 0 Reply Likes
I'd like to throw my hat into the ring of people suggesting some degree of system-wide accountability is inherently better than nothing. The reasoning for not implementing this is ridiculous considering there are any number of loopholes around CE for iOS anyway.

Please do right by your customers and implement this.

Joshua Smith

  • 4 Posts
  • 0 Reply Likes
I agree that proxy would be ideal, however:

"Global HTTP proxy is a feature that can only be applied to iOS 6 Configurator Supervised devices. To know more about apple configurator supervised devices, refer to: http://www.apple.com/education/resour.... By imposing this profile on the users mobile devices, you can ensure that the internet connectivity is always re-directed through one proxy. This provides data security since all personal and business communication is filtered through the Global HTTP proxy." (http://www.manageengine.com/products/...)

In short, each iOS device would have to be enrolled in an "enterprise" managed service through CE, which may prevent the device from being enrolled in a work enterprise. I can see how on the surface, this might be ok, but digging into the practical implementation of enterprise enrollment, this isn't a viable solution.

aggieben

  • 58 Posts
  • 8 Reply Likes
This isn't correct. You don't have to be registered with an enterprise MDM to supervise a device. It can be done via Apple Configurator, which any user can download and use from Windows or OSX.

It's probably more technical than most users can handle, but the ones that really care about this will manage it. I wouldn't be surprised if it could be scripted.

Joshua Smith

  • 4 Posts
  • 0 Reply Likes
Hmm, that doesn't solve the problem of it being controlled externally. I'm not sure how having users install the Apple Configurator is a good user experience. Maybe if it was offered as an option for those who wanted more thorough filtering. Now that I could see!

aggieben

  • 58 Posts
  • 8 Reply Likes
If by "problem of being controlled externally" you mean situations in which the phone is already supervised, i.e., by one's employer, then that's not a technological problem that CE can solve. Setting up a proxy, distributing configuration profiles that users can use, and writing a how-to so users can properly monitor their devices *is*.

Scott Dahl

  • 4 Posts
  • 2 Reply Likes
Actually, you don't need to install Apple Configurator. A user can be emailed a fully configured profile. When they click on it from their iOS device, it will be installed without any further configuration. The profile can also be password protected so the user CANNOT uninstall it without the password (which could be stored with CE and emailed out just like their current system for uninstalling). I am currently running this exact setup using Umbrella by OpenDNS. Everything is routed through their VPN and is completely enforceable (does run into a few issues when logging onto a Starbucks Wi-Fi where you need to accept terms before they give you internet access...but for anything with a built-in network it isn't a problem...just Wi-Fi iPads and such). The only downside to my current setup is that I don't get the accountability emails and categorizing that CE provides. In all honesty I would be willing to pay an extra couple bucks every month to use this feature with CE.

The current CE solution for iOS is completely unusable in my opinion because there are SO MANY apps out there with built in browsers.  There is no TRUE accountability with the current setup and I think what is being discussed in this thread (and others) is light-years ahead of the CE browser solution!
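
An added example, not part of the original thread and not Covenant Eyes or Apple code: a Python script that builds the kind of configuration profile discussed above (Global HTTP Proxy payload plus a removal-password payload) and audits a profile for the enforcement gaps the thread argues about. The proxy host, port, `com.example.*` identifiers and the password are constructed placeholders.

```python
import plistlib
import uuid

GLOBAL_PROXY = "com.apple.proxy.http.global"        # honoured on supervised devices only
REMOVAL_PASSWORD = "com.apple.profileRemovalPassword"


def make_payload(ptype, name, **settings):
    """Envelope shared by the profile itself and each entry in PayloadContent."""
    return {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.accountability.{name}",  # placeholder id
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        **settings,
    }


def build_profile(proxy_host, proxy_port, removal_password=None, captive_login=False):
    """Return .mobileconfig bytes that pin the device to one HTTP proxy."""
    content = [
        make_payload(
            GLOBAL_PROXY, "proxy",
            ProxyType="Manual",
            ProxyServer=proxy_host,
            ProxyServerPort=proxy_port,
            # True lets the device skip the proxy to show a hotspot login page
            # (the coffee-shop Wi-Fi case); it is also a hole in coverage.
            ProxyCaptiveLoginAllowed=captive_login,
        )
    ]
    if removal_password is not None:
        # Stored in clear text inside an unencrypted profile, so the
        # accountability partner should create and hold this file.
        content.append(
            make_payload(REMOVAL_PASSWORD, "removal", RemovalPassword=removal_password)
        )
    return plistlib.dumps(make_payload("Configuration", "profile", PayloadContent=content))


def audit_profile(data):
    """List the ways this profile fails to enforce proxy use."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    proxies = [p for p in payloads if p.get("PayloadType") == GLOBAL_PROXY]
    findings = []
    if not proxies:
        findings.append("no global HTTP proxy payload: traffic is not forced through the filter")
    for p in proxies:
        if p.get("ProxyType") == "Manual" and not (
            p.get("ProxyServer") and p.get("ProxyServerPort")
        ):
            findings.append("manual proxy without server/port")
        if p.get("ProxyCaptiveLoginAllowed"):
            findings.append("captive-login bypass enabled: proxy is skipped on hotspot login pages")
    has_password = any(
        p.get("PayloadType") == REMOVAL_PASSWORD and p.get("RemovalPassword")
        for p in payloads
    )
    if not has_password:
        findings.append("no removal password: the profile can be deleted without a code")
    return findings


if __name__ == "__main__":
    weak = build_profile("proxy.example.net", 3128, captive_login=True)
    strong = build_profile("proxy.example.net", 3128, removal_password="constructed-secret")
    for label, blob in (("weak", weak), ("strong", strong)):
        print(label, audit_profile(blob) or "no findings")
```

The audit only inspects the profile file; whether the device is supervised, which the Global HTTP Proxy payload requires, has to be checked on the device itself.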

John, Official Rep

  • 439 Posts
  • 79 Reply Likes
Hey Guys, 

Just wanted to drop in and let you know that we are still hearing this feedback loud and clear. We really (stress the really part) appreciate all of the responses, ideas, and appropriately voiced frustrations (no fruit has been flung at our building yet!).

With that being said I would not be dropping by here if I did not have something to share with y'all.

We have been working on a device encompassing solution for Mobile (Android/iOS) for a while now. The best part is that early early tests are looking positive. No ETA on timeline. We strongly desire to make sure that we do it correctly.

I know there has been radio silence on this thread for a long time, maybe too long. To be honest there was not much to report until recently. We at Covenant Eyes are rarely satisfied with the way things are, and it is an extremely safe assumption that we are constantly working on improvements to our services/software.

Thanks again for the patience and passion that has come through clearly on this thread. Keep your ears open, hopefully we will have good news for you soon*. (Note: soon* does not implicitly mean any time frame, rather our combined hope that we can release an excellent product as quickly as possible) 

Also, as I have started to do in threads that seem to contain really cool people, here is a link to our available openings in case anybody is interested in joining our team.

http://www.covenanteyes.com/about-covenant-eyes/careers/

- John





Chance

  • 168 Posts
  • 22 Reply Likes
John,
This would be great.  As it is right now, my experience on the iPhone with CE has been pretty good; I have all I really need on the phone.  That being said, if you had a "device encompassing" solution for iPhone, that would be icing on the cake, and would allow me to install some apps that I've been wanting to install. 

Daniel James

  • 2 Posts
  • 0 Reply Likes
Thanks for the reply, John! If you ever get to where you're looking for help with a beta, would love to participate. 

Side-note: as an iOS dev, I took a look at your careers page with moderate interest, but it doesn't seem to be loading correctly at the moment (unless you simply have no openings). 

Alan Miller

  • 8 Posts
  • 0 Reply Likes
Y'all need this approach: http://www.curbi.com/how-it-works/

John, Official Rep

  • 439 Posts
  • 79 Reply Likes
Hey Alan,

Yes. We do need to offer more on iOS. In that we are in perfect agreement. 

Currently we are working towards an even more complete solution, but there have been delays, unfortunately. (Even more complete than companies like Curbi & Netsanity)

The good news is that we are committed to the goal of accountability and integrity. Hopefully soon I will be able to post good news about what we are developing.

In the meantime, thanks for taking the time to post. 

I am curious. Have you used any other solution than Covenant Eyes for iOS? What was your best experience using them if you have?

Chance

  • 168 Posts
  • 22 Reply Likes
I've tried a few out, and probably the "best" in terms of iPhone coverage is Curbi. I use it for the iPad, but I don't use it for the iPhone just because it does drain the battery a little more than I'd like (although I may try it again sometime). It really only reports domains visited (i.e. twitter.com vs. twitter.com/conanobrien), and I don't know if that's an Apple thing or https vs http type thing. It does have mechanisms in place that report when you uninstall the profile and when you turn the VPN off (it's auto-on VPN so you turn it "off" by changing the VPN from auto-on to manual).

John, Official Rep

  • 439 Posts
  • 79 Reply Likes
Thanks Chance,

What is the performance like on Curbi? You mentioned battery drain, does it also have any sort of web sluggishness to it?

Chance

  • 168 Posts
  • 22 Reply Likes
I haven't really noticed any sluggishness as far as internet speeds. Sometimes when waking up my phone it doesn't connect to VPN instantly, but most of the time it's fine. I don't believe they attach to things like iMessage or MMS...that would be a big concern of mine as far as performance. I think I've even done the internet speed test and it seems normal.

John, Official Rep

  • 439 Posts
  • 79 Reply Likes
Interesting, thanks Chance.

aggieben

  • 58 Posts
  • 8 Reply Likes
I'm excited to see movement on this. I recall from another thread that y'all were pursuing something better that required cooperation from Apple, so if you're finally getting traction on that, then kudos.

James Lovallo

  • 5 Posts
  • 1 Reply Like
I've been using Curbi for the last couple of weeks and I'm really happy with it.

Strengths
  • Easy Installation: I was up and running in about 10 minutes. No need for a supervised device.
  • Speed: The VPN is fast and reliable. I forget that it's on most of the time.
  • Security: As expected, the service works with every app on the phone, but without interfering with FaceTime or iMessage. It is nigh impossible to slip around it using a proxy.
  • Flexibility: It is possible to add as many 'rules' as you like, and the management app makes it really easy to manage categories and restrictions. I have a 'bedtime' rule that covers my most vulnerable hours of the day (from 10 pm to 7:30 am) and a custom blacklist rule. I also keep the 'Installing Apps' restriction turned on to block third-party browsers that could circumvent the service.
Weaknesses
  • There is a 'panic button' type feature that can be activated by an accountability partner, but I would like it to be accessible to the user as well.
  • The service reports recently installed apps and most-visited websites, but Curbi is actually a lousy accountability system. Sometimes it includes innocuous background web activity like Google Ad Services as a most visited site. It is not a substitute for CE as an accountability service. Still, I would rather have effective filtering that blocks sites in the first place.
  • The profile can be removed by the user, but it will send an email alerting the accountability partner. Email is not timely enough for me; I would prefer it send an SMS, so I set up a simple IFTTT recipe using my accountability partner's account to text the titles of any emails they receive from Curbi to their phone.
(Edited)

John, Official Rep

  • 439 Posts
  • 79 Reply Likes
James,

That was quite the helpful review. Thanks for taking the time to share that with us. I will make sure it gets passed along to the rest of the team.

James Lovallo

  • 5 Posts
  • 1 Reply Like
I forgot to mention, for what it's worth, they're using Squid 3.5 as a reverse proxy server to handle the filtering and logging. (Sometimes you get the default Squid error page on a blocked site.) Squid has really good caching and can share a cache with multiple users, which helps account for the speed of their service.

Alan Miller

  • 8 Posts
  • 0 Reply Likes
I haven't used any solutions in this kind of application... but I have a lot of friends who have the need for a solution like Covenant Eyes and since they are already using CE on the desktop they want it on their mobile devices. I am also passionate about iOS and OS X and it has always bothered me that as far as iOS goes some of my friends have had to use other platforms even when they don't want to because they want to use Covenant Eyes. So I have always wanted y'all to be able to offer more (and/or for Apple to open even more for developers in this regard).

I just recently saw Curbi and thought again about it. I first tried out a custom profile on my phone for an app that tracked app data usage (before Apple did that natively) on iOS 6 and at the time I wondered why device profiles couldn't be utilized by CE... so when I saw Curbi I instantly thought about all of that again.

Anyway thanks for your reply and for taking the time!!

God Bless.
(Edited)

John, Official Rep

  • 439 Posts
  • 79 Reply Likes
Thanks for responding. We really appreciate the time and energy our community puts into trying to be safe online =)

There have been historic reasons we chose not to use MDM and device profiles, primarily due to limitations in making them resilient to circumvention. That does not mean however that we aren't willing to consider them. We really do want to offer a better service on iOS, we just have not found the correct avenue to implement it yet.

Feel free to let us know if you have any further ideas.

John, Official Rep

  • 439 Posts
  • 79 Reply Likes
We have a couple of developers who are investigating (read as: trying really hard not to jump to conclusions) and think this looks promising.

If this is what it looks like (and it might be) this will fundamentally change how Covenant Eyes interacts on iOS, and you can expect us to react and develop accordingly.

For right now, Covenant Eyes does not have an official reply (apart from my speculation) because we have been unable to confirm for ourselves yet.

*fingers crossed

aggieben

  • 58 Posts
  • 8 Reply Likes
This would be great news if true.  I'd love to be able to rejoin the regular iOS web ecosystem and stop copy/pasting links.

Alan Miller

  • 8 Posts
  • 0 Reply Likes
iOS 9 content blocker panel in Safari settings!


aggieben

  • 58 Posts
  • 8 Reply Likes
Well, iOS9 Beta has been out long enough now, I think, for your developers to have formed opinions on its capabilities.  Is there anything you (@John) can share with us about that?  Will the new extensibility be suitable for CE to be more than just a browser?

John, Official Rep

  • 439 Posts
  • 79 Reply Likes
Hey

I can share (some) insights based on what we have learned.

The new functionality requires access to privileges/APIs that Apple grants based on an application process. We applied for the access as soon as the means to do so had become available, and as of a few days ago we were granted access. (awesome!)

What this means:

Filter API is probably a no go. The Filter APIs make specific reference to Managed Devices, not something we can control with regards to our customers.

The VPN/Tunnel API does look promising. At this point we are investigating how the API could hook up to our existing (and patented) Tunnel Monitoring Service. If all goes well (no promises) this means we could get basic traffic data from all apps on an iOS device. Realistically, the best accountability will likely recommend combining our Browser with this new technology, but the future of being able to use & be held accountable on your iOS device is looking pretty good. 

I'll have more info as it becomes available (including if & when we start beta testing)

aggieben

  • 58 Posts
  • 8 Reply Likes
I'm not a filter user (just monitoring), but wouldn't it be useful to offer the Filtering service for users who know how to put their devices in a managed mode?  This kind of harkens back to the earlier discussion about provisioning profiles.

As far as the tunnel monitoring goes, does this mean that the monitoring service will function for all traffic, and not just from the CE browser?  For me, that is the holy grail (so please say yes...).

Alan Miller

  • 8 Posts
  • 0 Reply Likes
I agree. Wouldn't it be possible to either have CE act as the managing organization or come up with some other creative way to use the managed device API for content filtering? This would definitely be a harder road to travel on but there must be a creative way around that limitation. If you can't use the filtering API is there anything that iOS 9 offers that you couldn't previously do? Just curious.

Paul Braoudakis

  • 3 Posts
  • 0 Reply Likes
Hey guys, I've just spent the past hour or so reading every post on this forum and I think there's something out there that you guys need to know about. I came across this by "accident" but it has been an absolute godsend. The company is called Pageclean (.com) and it works through VPN, HOWEVER, you install a profile on your device and have someone other than yourself (my wife, in my case) put in a password, and the profile CANNOT be removed. So, basically, all traffic is running through that filter, and you can't get around it. Pageclean has done an AWESOME job in blocking just about everything I need it to. Do they sometimes block stuff I wish they wouldn't? Sure, but very rarely, and it's a SMALL price to pay for the benefits. This company is the best kept secret out there and has the best solution I've seen. I use CE for our computers and Pageclean for all our mobile devices and it's great. Not sure if this new development with iOS9 will make their thing obsolete, but man, it has been a godsend for the past year or so! Hope this helps someone!