Mobile devices: App Locking vs. Device-Wide Filtering

I get asked all the time: Why should I filter the smartphones in my home (or church)? Isn’t free app locking good enough?

Many are familiar with the Restrictions offered by iOS, and they are pretty good: probably the best of anything out there that comes pre-installed and ready to use. Then for the Android platform, there are scores of app lockers — some free, some paid — that are supposed to offer satisfactory protection for those who wish to make some areas of their phones inaccessible. How do these solutions stack up against our recommended pathway — that of sending all data traffic to and from a smartphone to a content filter for inspection?

In its first form, this post will be rather brusqe and to the point. I just want to get it out there once, because I’m tired of typing long email replies to the same question asked a hundred different ways! As I have time, I plan to either come back and edit this post, fleshing it out more; or will post an entirely new one. For now, here’s a quick summary.

App locking can be satisfactory if:

1. you can truly lock out all potentially undesirable content, per your personal wishes or group / corporate policy
2. the app locker can’t be easily bypassed

On #1 above, consider the following points:

• We’ve heard of objectionable content in place photos in Apple Maps
• Google Maps has a built-in browser
• Various other apps have built-in browsers, which can show up unexpectedly (your teenager will find these)
• Many free apps show ads, which may or may not be objectionable
• Weather apps often include uncensored photo and video content; anyone from the general public is free to upload what they please for others to view
• The iOS text messaging app has a sort of built-in “sticker store” that includes objectionable GIF images (animated pictures)
• and more, I just can’t think of everything off-hand

On point #2:

• AppLock or SmartAppLock or similar worked pretty well and protected itself against uninstall on most Android devices running versions older than 5.1. On newer devices, at least in my experience, these free app lockers just sort of fell apart. They’d annoyingly block the entire Settings app. Or they would work when they felt like it, which was probably most of the time but not all the time. Or it would be a walk in the park to uninstall them and get rid of protection.
• Built-in restrictions in iOS do a good job of protecting themselves against removal without the restrictions passcode.

Suppose we filter a device? The picture changes. For example:

• Ads are zapped from apps
• If the user / group wishes, we can zap the photos in Apple Maps while still allowing the mapping application to work
• The “backdoor” browsers, such as the one in Google Maps, are filtered
• It is possible to block user content in many popular weather apps, while still allowing the forecast to load
• It’s possible to block those silly GIFs in the iOS messaging app

All this is possible because the Internet traffic to and from the phone passes through a content filter. Rules on the filter (in our case, a Security Appliance) determine whether that traffic is allowed through or not. And on iOS and compatible Samsung (SAFE5+) devices, this protection is not easily bypassed.

To summarize:
A. Basic app locking can be satisfactory if you lock out all apps that access the internet for anything. This includes mapping and weather.

B. App locking behaves differently on different platforms. Built-in iOS restrictions are not easily bypassed; free Android app lockers may work reasonably well on some phones and be quite easily bypassed on others.

C. Every version of Android is different, every manufacturer’s spin of Android is different, and the whole thing is an ugly mess. Samsung devices are typically by far the best of any in the Android realm for control-ability.

D. The mobile landscape changes at a completely maddening pace. Being subject to the whims of a megacorp like Google, whose “don’t be evil” slogan has been long dead, buried, forgotten, and lustily trampled upon, is frustrating.

Google changed a setting in Nougat (Android version 7.0) that no longer allows apps other than the browsers to trust third-party SSL certificates. With this move, in the name of “safety,” the Greatest Snoop the world has ever known made it hard for anyone else to intercept traffic. Not that we ever intercepted traffic for data collection purposes, nor will we ever; but this means they have effectively disabled traffic inspection and content filtering for a broad range of apps (unless we want to de-compile and re-compile a bunch of apps), and it’s a decision on their part that has caused us major annoyance — and the need to change the way we handle Android. We are working feverishly on better Android solutions. I can not say right now what these are; when the time is right and we’re confident we have better things to offer, we’ll unveil them.