An app that effectively used steganography[1] would probably come the closest to being an "unblockable app". As long as they don't detect that communication is going on, they can't usually block it -- short of blocking everything, which is rarely practical for long.
Some other interesting reading is: [2], [3], and [4]
First, just because an adversary understands how a given steganography app works, or knows that it exists, doesn't mean that they can detect the specific communication that's occurring, or will move to block that communication.
The canonical image hiding stego applications are a case in point, where the applications are widely distributed and understood, but in principle (if not in practice due to steganalysis[1]) one could know of their existence and how they work but still be unable to detect that covert communication through them was going on, nor be able to block that communication short of blocking all image posting.
Second, they need not be on any app store.
Third, any leaks about their existence, if they come at all, may come too late. As Napoleon said, it's not necessary to censor the news -- it's sufficient to delay it until it no longer matters.
No, but blocking it could piss off a large part of your population.
It all depends on how far you are willing to push the blocking and how much you are willing to disable so you can block anything.
Signal atm is using domain fronting. (iirc the app will soon test the network conditions before attempting to use domain fronting, but for now it checks the country code of your phone number)
It will open an HTTPS connection to google.com but after the connection is made sends a host request for something.appspot.com. In order to block that you need to MITM the connection or block google.com (Not sure if DPI could be used to get the host header, never really looked into it personally. I know that SNI sends the host as part of the handshake so the webserver knows which cert to present you with. Could it be extracted, checked against a list and then have the connection reset, preventing connection? Dunno, never played with it, but it's an idea off the top of my head).
(Now for some mild rambling :-p)
Let's say you can't MITM/DPI, so you can just block Google; then they would have to use another CDN, so you block that one too. How many are you going to go through before your citizens get pissed off at you and do something?
But let's say your people really hated GMail anyway and put up with not having Google just so this message app was blocked (and the creators don't just change CDNs); then you just force your people to install your own Root Cert or they don't get any encrypted web traffic. Will people complain or just install the Cert and get their Facebook back?
So people switch to using personal networks (bluetooth and WiFi hotspots when in a crowd of people); just jam Cell/2.4GHz/5GHz. Will people complain they can't use their phones?
And it just escalates to the point you need a doctor's note and a permission slip signed by your mum before you are allowed to make a phone call.
All the time, those who actually want to encrypt their messages use math they can do at a desk away from a computer or phone and just use whatever method the Government does allow / they can get away with (standard SMS, but who and when can be got from the telcos; dead drops; IRL meetings) but sacrifice their metadata in the process.
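To make concrete what the comment above speculates about, here is an added example (not the commenter's code, nor anything from Signal): a passive observer of a fronted connection can read the SNI from the plaintext TLS 1.2 ClientHello, but the HTTP Host header naming the real backend travels inside the encrypted tunnel, so it never appears on the wire. The ClientHello bytes are constructed here, and `build_client_hello` and `extract_sni` are this example's own names.

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record with one SNI extension
    (not a real capture; fields that do not matter here are zeroed)."""
    host = sni.encode()
    # server_name extension body: list length, name_type 0 (host_name), name length, name
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext  # extension type 0 = server_name
    body = (
        b"\x03\x03" + bytes(32)       # client_version TLS 1.2, 32-byte random
        + b"\x00"                     # session_id length 0
        + b"\x00\x02\xc0\x2f"         # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"                 # compression_methods: null only
        + struct.pack("!H", len(ext)) + ext
    )
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 0x16 = handshake

def extract_sni(record: bytes):
    """What a passive middlebox can read: the host_name in a plaintext ClientHello.
    Returns None for anything else, including encrypted application-data records,
    which is where the HTTP Host header for the real backend travels."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 39 or hs[0] != 0x01:
        return None
    try:
        p = 4 + 2 + 32                                  # handshake header, version, random
        p += 1 + hs[p]                                  # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
        p += 1 + hs[p]                                  # compression_methods
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0 and elen >= 5:
                name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        pass                                            # truncated or malformed ClientHello
    return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("google.com")))        # google.com: the only name on the wire
    print(extract_sni(b"\x17\x03\x03\x00\x04" + bytes(4)))       # None: encrypted application data
```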
Nice description there. Google may not be pleased by this and be under pressure to revoke their access, but eventually they will make it clear that this shit doesn't fly. Nice workaround.
> The firewall searches for a bunch of bytes which identify a network connection as Tor. If these bytes are found the firewall initiates a scan of the host which is believed to be a bridge. In particular the scan is run by seemingly arbitrary Chinese computers which connect to the bridge and try to “speak Tor” to it. If this succeeds, the bridge is blocked.
With all the things GFW does I wonder if they have some secret conferences or industry journals related to the firewall's algorithms and infrastructure.
Don't see why not? In Jason Scott's talk The Mysterious Mr Hokum [0] he talks about an owner of an early ISP who not long after selling it was found dead. IIRC, during his time as owner he would often have regular meetings with FBI agents to basically discuss what was going on on the net.
Problem was, after he died, he was actually on the run on fraud charges. I think Jason presumes he set up the ISP as another scam but he started it at the perfect time and started actually making legit money instead. So (again trying to recall the talk from memory, I must actually watch it again as I enjoyed it) this ISP owner was having meetings with the FBI about his ISP all the while the FBI also wanted him on fraud charges. So yeah, if the FBI don't mind having chats with ISPs just to see what's going on, I wouldn't be at all surprised if China had meetings with their ISPs too. From what I have read about the GFW it seems that its infrastructure differs from ISP to ISP. Dunno if that's cause it's left to the ISP to implement or if the Gov issues "black boxes" to do the firewall work and it's just different versions of hardware / software depending on when the boxes were issued.
But yeah, I do like the idea of a secret defcon, but kinda in reverse, that discusses the tricks and infrastructure and the bypasses they discovered in the past year, but in order to better run the GFW. In my imaginary con they are all still getting drunk and hacking into the hotel signage for the shits and giggles of it though.
That same person developed ScrambleSuit[1], which is used as a pluggable transport to obfuscate traffic and prevent detection/active probing. Work is continuing to keep the GFW from being able to catch up [2][3].
[1] - https://en.wikipedia.org/wiki/Steganography
[2] - https://en.wikipedia.org/wiki/Covert_channel
[3] - https://en.wikipedia.org/wiki/Traffic_analysis
[4] - https://en.wikipedia.org/wiki/Anonymous_remailer