How do VPN ad blockers work? Like do you need to add a trusted CA to your device and the VPN MITMs all of your traffic? I’m not sure I’d have that level of trust in my VPN provider…
Often, VPN blockers operate by simply rewriting DNS requests. They can also simulate DoH servers being down by blocking traffic to them (for scummy apps that bypass the system DNS) or mess with unencrypted content. DNS being an unencrypted protocol helps them block HTTP(S) connections even with technologies such as ESNI/ECH. Without ECH, simple SNI sniffing may also be a way to block connections that made their way past the DNS filter, though there's no reason for scummy ad libraries to use real domain names for their certificates; there's always a risk of spoofing.
Note that the VPN API is just the API of choice to be allowed to mess with network packets. There's no firewall API or network level driver that can do so in any other capacity. In almost all cases, there is no cloud server. Blokada uses some kind of cloud server, probably as a way to bypass Google's restrictions, but other apps work fine without it.
Some blocking apps work with custom, usually locally-generated, CA certificates to intercept HTTPS traffic. They're very spotty at best and very uncommon in my experience. Since Android 7, apps need to manually opt in to using user certificates from the CA store and most of them don't; in fact, most of them seem to be moving towards certificate pinning, meaning that even system-trusted CA certificates (which you would need root access to inject yourself) don't pass the validation step. Such a VPN filter would throw TLS errors across all major applications and services, leaving only the browser and the very few apps that opted into user certificates working. Not a great user experience to say the least.
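The two non-MITM mechanisms described in the answer above (answering blocked DNS lookups locally, and reading the plaintext SNI of a TLS ClientHello that got past the DNS filter) can be shown in a few dozen lines. The code below is an added illustration, not code from any of the apps mentioned in the thread: it parses a raw DNS query the way a local VPN-API resolver would, returns an NXDOMAIN response for names on a blocklist (the blocklist and the `*.example` names are constructed samples), and extracts the `server_name` extension from a ClientHello built inline. It deliberately does no certificate work, which is exactly why this style of blocker needs no trusted CA; the flip side, also noted above, is that a DoH client bypasses the DNS step and ECH hides the SNI, so both checks return "not blocked" for such traffic and the filter degrades to pass-through rather than to an error.

```python
import struct

# Constructed sample blocklist; real apps ship lists with many thousands of entries.
BLOCKLIST = {"ads.example", "tracker.example"}


def encode_name(name):
    """Encode a hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Build a standard recursive A query (flags 0x0100 = RD set), for testing only."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (txid, qname, qtype, end_offset) for a single-question DNS message."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        ln = msg[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0:  # compression pointers never appear in the first question
            raise ValueError("unexpected compression pointer")
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, ".".join(labels).lower(), qtype, off + 4


def is_blocked(name):
    """True if the name or any parent domain is on the blocklist."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))


def filter_query(msg):
    """Return a synthesized NXDOMAIN reply for blocked names, or None to forward upstream."""
    txid, name, _qtype, qend = parse_question(msg)
    if not is_blocked(name):
        return None
    # Flags 0x8183: QR=1 (response), RD=1, RA=1, RCODE=3 (NXDOMAIN); echo the question.
    header = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0)
    return header + msg[12:qend]


def build_client_hello(sni):
    """Minimal TLS 1.2-style ClientHello record carrying only a server_name extension."""
    entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode("ascii")  # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list                 # extension type 0 = SNI
    body = (b"\x03\x03" + b"\x00" * 32          # client_version, random
            + b"\x00"                           # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                       # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def extract_sni(record):
    """Return the plaintext SNI hostname from a ClientHello record, or None if absent/unreadable."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None
    off = 4 + 2 + 32                                    # handshake header, version, random
    off += 1 + hs[off]                                  # session_id
    off += 2 + struct.unpack("!H", hs[off:off + 2])[0]  # cipher_suites
    off += 1 + hs[off]                                  # compression_methods
    if off + 2 > len(hs):
        return None
    ext_len = struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[off:off + 4])
        off += 4
        if etype == 0:
            data = hs[off:off + elen]
            name_len = struct.unpack("!H", data[3:5])[0]  # skip list length (2) and name_type (1)
            return data[5:5 + name_len].decode("ascii").lower()
        off += elen
    return None


if __name__ == "__main__":
    for host in ("news.example", "cdn.ads.example"):
        print(host, "->", "NXDOMAIN" if filter_query(build_query(host)) else "forward")
    print("SNI:", extract_sni(build_client_hello("tracker.example")))
```

Matching parent domains in `is_blocked` is what lets one `ads.example` entry catch `cdn.ads.example` too; returning NXDOMAIN rather than `0.0.0.0` keeps the ad library from attempting a connection at all, and forwarding everything else unchanged is what keeps the rest of the device working without any TLS interception.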