by maccard 1730 days ago
So is this app using some other protocols that aren't DNS/HTTP(S) that would make it immune to a DNS-level block? Because a native app that makes HTTP calls is just as easy to block as a PWA.
2 comments

The app uses the same technology as some trojans: it connects to different pseudorandomly-generated domain names under Cloudflare protection, changing at least several times per day.
The client still needs to receive those domains somehow though, and that's the tricky bit. Unless the domains are unique per user, the blocker can just install the app and block the domains as they change.
You can embed the domains in the app, obfuscated. It's not foolproof but as long as they can't crack it in the few days that are left until the election...
Is there a name for this technique, or a thorough description of it somewhere? So that I could put it in my bookmarks & notes.
Domain Generating Algorithm.

https://blog.malwarebytes.com/security-world/2016/12/explain...

Although in this case, the generated domains are all under global.ssl.fastly.net and similar CDNs, not traditional TLDs.

Thanks!
Not really. You can use whatever you like, the possibilities are endless. AFAIU, the most straightforward approach would be to use Android / iOS push notifications (which can't be easily blocked) to regularly push a constantly changing (to avoid censorship) URL of your backend API servers to the mobile apps.
Unless those URLs are unique per user, then the response to that is for the blocker (Russia in this case) to install the app and block the URLs as they change.
They don't have to be strictly unique per user. You can send out different sets of URLs to different cohorts of users, then correlate new URL blockings with client IDs to detect rogue app installations and excommunicate them. Telegram did that when Russia tried (unsuccessfully) to block it.
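The cohort-tracing idea in the comment above, as an added illustration that is not code from this thread, from Telegram, or from any real app. It assumes a server-side secret, a keyed cohort assignment, and a constructed list of client IDs; the "blocked" observations are simulated rather than taken from real censorship data.

```python
"""Cohort-based URL distribution with leak tracing (constructed demo).

Each rotation round the server hands every client one of K backend URLs.
When a URL gets blocked, only clients in the cohort that received it could
have leaked it; intersecting those cohorts across rounds shrinks the suspect
set until the rogue install can be identified and cut off.
"""
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret"  # assumption: never leaves the server


def cohort_of(client_id: str, round_no: int, cohorts: int) -> int:
    """Keyed assignment: a client cannot predict which cohort anyone else is in."""
    msg = f"{client_id}:{round_no}".encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:4], "big") % cohorts


def url_for(client_id: str, round_no: int, cohorts: int,
            base: str = "backend.example.invalid") -> str:
    """The URL a push notification would carry for this client this round."""
    return f"https://r{round_no}-c{cohort_of(client_id, round_no, cohorts)}.{base}/api"


def suspects(clients, blocked, cohorts: int) -> set:
    """Clients consistent with every observed (round, cohort) block event."""
    pool = set(clients)
    for round_no, blocked_cohort in blocked:
        pool = {c for c in pool if cohort_of(c, round_no, cohorts) == blocked_cohort}
    return pool


def simulate(clients, leaker: str, rounds: int, cohorts: int) -> list:
    """The leaker forwards its URL every round; return suspect-set size per round."""
    blocked, sizes = [], []
    for r in range(rounds):
        blocked.append((r, cohort_of(leaker, r, cohorts)))  # censor blocks that URL
        sizes.append(len(suspects(clients, blocked, cohorts)))
    return sizes


if __name__ == "__main__":
    demo_clients = [f"client-{i:03d}" for i in range(200)]  # constructed IDs
    print(simulate(demo_clients, "client-042", rounds=8, cohorts=4))
```

With 4 cohorts each round removes roughly three quarters of the remaining suspects, so a handful of rounds usually isolates a single client; more cohorts per round trade faster tracing against more URLs exposed to the censor at once.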
Given this is an app for tactical voting over a 2 day period (which has now passed) all the adversary needs to do is block it for a couple of days. DNS blocking Cloudflare for 2 days would pretty much stop this in its tracks.

(You are right about not requiring completely unique URLs per user by the way).

No, it (again) doesn't work like this at all. 1) DNS blocking of Cloudflare is useless, you can receive IPs, or names in non-Cloudflare zones, 2) IP blocking of the whole of Cloudflare will bring so much collateral damage (unrelated services going down) that it's a non-starter, politically speaking, 3) Cloudflare is far from the only mass frontend / CDN available, there are hundreds of high-collateral services out there.
Sorry, I misunderstood the fact that you were talking about sending IPs and not randomly generated DNS names from Cloudflare. My question was: does this app use a custom protocol? And I'd define a pseudo-random IP provider over push notifications to be a custom protocol.

This is a nation state suppressing information, I don't see why wholesale blocking services like Cloudflare or any of the other possible options would be a non-starter, given it only needs to last for a weekend. There also doesn't appear to be any evidence that this app uses any of these techniques either, as far as I've seen.