
Block YouTube ads on AppleTV by decrypting and stripping ads from Protobuf

timcobb

If we're getting to the point where we need to decrypt things and reverse engineer protocols, maybe we should... not use these devices? Maybe we should opt out of this economy? Maybe we should do other things to entertain ourselves?

abricq

I really like everything related to network-wide blocking of shitty online services that are enforced on us !

On top of blocking ads (which is great), I wish there were more / easier ways to do network-wide blocking of all sorts of aggressive infinite scrolling (in my case: youtube shorts and instagram reels).

I often like to go on instagram to see posts / stories from the people I follow and I don't want to be suggested stupid videos that are especially designed to catch my attention. I know it's probably revealing a lack of strength on my side, but yeah, I often fall for watching a few of them and losing 15 minutes of my life.

duxup

> that are enforced on us !

You don’t have to use them and you could pay for them.

The users of the internet have made their call and they often don’t want to pay, so someone does.

As a whole the users of the internet are not rewarding anyone for NOT showing ads. We want our content and we want it for free generally.

_Algernon_

The problem is that advertisement business infects everything.

For instance, I could pay for Youtube Premium to ostensibly not be shown ads, but it doesn't change the fact that all the content[^1] in the ecosystem is still produced for maximizing watch time and/or being advertisement friendly.

I could pay for news, but that doesn't change the fact that the news is written to receive clicks from the non-paying users.

Paying for things does not help escaping the second order effects of advertisement.

[^1]: To a close approximation.

javcasas

You know who is the best target demographic for selling stuff? People with money.

So that's who you want to show ads to.

And do you know a proxy for "have money"? Paying for premium, when there is free.

Therefore, every time you pay for premium, all the advertisers look and say "I'd pay a lot to show ads to that guy". At some point, the premium service includes ads, because of so much potential extra revenue!

And that's why I don't pay for premium.

jnsie

Recently I've been annoyed with Youtube Premium. I pay for an ad-free experience and do not see ads in the traditional (wait 5 seconds to skip) way, yet more and more content has inline product promotion where time is spent thanking a sponsor and pitching their product. So I'm paying not to avoid ads, but I'm still seeing paid promotion...

Jgrubb

Every one of the streaming services that I paid extra to go ad free decided to push ads anyway.

duxup

And they got their subscriber still I guess….

As users of these services as a whole we reward this kinda thing and then are upset when it happens again.

I don’t like any of this situation but I also think the user’s choices incentivize it.

choo-t

Paying makes it worse: paying doesn't prevent ads from being forced later (e.g. Netflix, Prime, Disney+) and splits people's fight against ads, as the ones with enough money to avoid them will berate the others for not paying, while still providing benefits to an ad-driven company.

Never pay to avoid ads, block them or get the content by other means. It's akin to "never negotiate with terrorists" or "never pay ransom", you have to remove the incentive.

abricq

I know that I, as a user, ultimately have 2 choices: to pay for a subscription, or the choice to not use these services.

Option (1) does not block infinite scrolling content, it only removes ads. So this is missing the point. All I want is to not see these dumb shorts videos that I genuinely give no fuck about, but that manage to catch my attention regardless.

Then sure, I can always delete my social accounts, and ultimately I might end up doing it. But let me try to explain why I think this is difficult, and also unfair.

I give 2 purposes to these social networks: First, they play a role in personal-life balance as a way to be more integrated in my group of friends / local communities. Second, they play a role as citizen of my region (in my case, France and Switzerland) by being a (sorta reliable) source of information through following accounts and newspapers on them.

Initially, none of these social networks came with this super-fast / addictive content. They only started to integrate it, in my experience, in the last 5 years. So it seems to me that these companies have broken the initial contract that they "sold" to us: to connect with our friends & communities and to allow us to follow a specific set of public influencers.

I guess that I am mad that we, as a society, have allowed these companies to gain such an important role in our daily lives (social life and public life) that they can now say: we will allow you to interact with some of our friends, but you will also have to watch our stupid videos... And unfortunately, it's not easy at all to spin up a concurrent social network that would be fulfilling this initial contract. Probably lots of people actually like to scroll on insta Reels and youtube Shorts.

fumeux_fume

> I know it's probably revealing a lack of strength on my side...

I think these tactics exploit our natural sense of curiosity and the aesthetics that surround it. So I don't think it's so much a lack of strength, but more of a jadedness we have built up and I think that's pretty bad. I respect the effort and creativity it takes to fight back and make the platform work for us instead of vice versa.

wffurr

Delete the app, use the webpage, and use a browser that allows user scripts. I found a good one that turns an Instagram page into just an image tag so you can just see the picture: https://greasyfork.org/en/scripts/5014-un-instagram

tecleandor

For web access, in Firefox I've been using the "SocialFocus" add-on, that allows you to remove certain blocks in "social" websites (for example, blocking Shorts or comments in YT), put a color filter to make it "black and white", or even blocking the whole site. I had to access Facebook a couple times some months ago, and the quantity of trash you can filter with this add-on is astounding. This developer has also a YouTube specific add-on I haven't tested yet, named "UnTrap for YouTube" that has almost 200 different options for blocking very specific stuff there. Their add-ons in [0]

For Android there's an App called Revanced that lets you apply patches on certain commercial apps like YouTube or Twitter modifying their behavior, and for example block shorts. See the patches available for YouTube in [1]. I'm still pending to test it, but if you do, go to their official site [2], or even better, to their GitHub releases [3] as it seems like there are a good bunch of scammy sites using their name.

--

  0: https://addons.mozilla.org/ru/firefox/user/17777732/
  1: https://revanced.app/patches?pkg=com.google.android.youtube
  2: https://revanced.app/
  3: https://github.com/ReVanced/revanced-manager/releases

whywhywhywhy

Wouldn't risk trying to extract from IG too much, I used to yt-dlp from it a lot and use scripts to extract the images because I like to archive references, nothing on a massive scale we're talking <20 times a month and I got a warning that I could lose my username if I "use automated scraping tools".

tecleandor

Oh! Were you using your user cookie? I use yt-dlp a couple times a month, but I think I'm always unauthenticated (although I guess they could match my IP address in their logs)

prmoustache

Why would you use an account to do that?

andrepd

It's 11 years old, I'm impressed that it even works.

rfgil

This has worked great for me to prevent the infinite scrolling on instagram: https://www.distractionfreeapps.com/index.html

aembleton

I'm not going to trust that until it's on F-Droid.

zimpenfish

> I often fall for watching a few of them and losing 15 minutes of my life.

If you're on iOS, set a time limit (Settings → Screen Time → App Limits → Instagram). Doesn't stop the initial scrolling but the "you've run out of time" pop-up is a good breakpoint. You can bypass it and give yourself another 15 minutes but making that choice is also a good breakpoint / reinforcement.

mtsr

I feel this, particularly as a parent. It's difficult watching your kids get lost in the algorithm. We regularly discuss this with them and they agree with our perceived harm, but it's just too difficult to resist. Heck, even I get lured into (doom)scrolling every now and then.

I've set up ad-filtering using pihole, where possible, but I'd prefer not to block youtube as a whole. But I'm definitely considering that in the future, to protect my family.

freehorse

Imo the best thing that can work is introducing delays to the loading of videos, increasing as time goes by. Youtube introduced sth like this to me, when they were presumably trying to "punish" users with adblockers, and it worked like a charm to get me to disengage from the youtube rabbit hole. A lot of such addiction dynamics work based on how fast getting the reward is, and these interruptions disturb this.

arnvidr

Hit that "For you" at the top and select the "Following" feed. Only the posts from the people you follow, no suggested posts, no ads.

rwmj

Until the company decides to unilaterally reenable that setting to "help you get more from their service".

david_arcos

That's not persistent :(

soraminazuki

YouTube still provides RSS feeds for individual channels. Combine that with mpv's yt-dlp integration and you can avoid the official web frontend altogether.

I don't know how long it's going to last though, with the current trend of rug pulls and enshittification.

rwmj

Youtube have been gradually cracking down on yt-dlp by blocking IPs that download (presumably without watching the adverts, or some other method to fingerprint it). Currently it's mostly annoying as I have to rotate through IPs every few days. But I imagine it'll get worse and worse until I stop watching youtube.

account42

I've been using the same IP for ages and never had problems with yt-dlp as a whole - it's always just some specific videos where it won't work.

ffsm8

Pretty sure it's only gonna get deleted if either a) enough people use it so that an MBA notices or b) the way it's accessing the data blocks a feature that an MBA wants

desdenova

Or just use a localhost invidious instance.

vitus

> instead, I found a flaw in the Protobuf format which allows me to reliably change one byte to obliterate ads.

Let me guess, the author changed the field number to a large unused number.

> Now, all we have to do is scan the Protobuf bytes for classic ad URL signatures like /pagead/ to bound our field search, then move backward from there until we find the target(s) field tags and thus field keys we would like to denature (e.g. 49399797 –> 49399796).

Yeah. This isn't a flaw, this is intended behavior.

If you're willing to go through the effort to find the tag, it's really not that much additional effort to then read the (varint) length right next to the tag and... just skip those bytes.

Yes, you'd need to copy your buffer to do this, or at least slide your bytes around. But the proof-of-concept script already has to perform a copy because the bytes object returned by mitmproxy's API (`body: bytearray = bytearray(flow.response.get_content(strict=False) or b"")`) is immutable, and even a memoryview isn't going to bypass this limitation.

jeroenhd

On the protocol level everything is working as expected, but I think the flaw is that Google's way of dealing with these unknown fields in the ad data structure isn't to throw an error, but to pretend there are no ads to play. After all, Google will definitely release a new version of their app before they modify the protocol to make all the old versions not play ads anymore.

Google could shut down this method of ad blocking instantly by either doing basic certificate pinning or by altering their decoding logic to be less graceful of failures when it comes to extracting ad information. If I were on the YouTube team, I'd consider these flaws.

wongarsu

Smoothly handling missing or unexpected fields is half the value proposition of protobuf. May as well switch to a much simpler versioned binary protocol instead of all this schema and field tagging complexity if you want to reject every message that doesn't match the client's schema.

And rejecting unknown messages would likely degrade the user experience. Just because Google releases a new version doesn't mean everyone instantly has that new version installed everywhere.

Certificate pinning would be a solution, but the world seems to have decided that that's very difficult to get right too. Probably easier to get right in an app than in a website, but I understand not using it.

They could manually sign the protobuf messages to ensure integrity. Duplicating some of the work TLS would already do, but doing it decoupled from TLS infrastructure may be easier.

But unless something like OP's hack becomes mainstream, Google's current approach could be the right one. Sure, it leaves them open to message manipulation, but the potential lost ad revenue from even a tiny failure rate around update time from the other approaches could easily outweigh what they lose from a handful of people running middleware boxes to block ads.
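The behaviour vitus and wongarsu describe above, as an added example that is not part of the thread or of the article's script: a schema-aware decoder silently skips a field whose number it does not know, and an integrity tag over the serialized bytes catches the one-byte renumbering. The client schema, sample messages and key are constructed for illustration, and HMAC-SHA256 stands in for the signature wongarsu suggests (a real client would verify an asymmetric signature so that it holds no secret).

```python
import hashlib
import hmac

AD_FIELD = 49399797  # field number quoted in the thread
KNOWN_FIELDS = {1: "video_id", AD_FIELD: "ad_slot"}  # hypothetical client schema

def encode_varint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def decode_varint(buf, pos):
    result = shift = 0
    while pos < len(buf) and shift < 64:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated or oversized varint")

def encode_field(field_no, payload):
    # Wire type 2 (length-delimited): key varint, length varint, payload.
    return encode_varint((field_no << 3) | 2) + encode_varint(len(payload)) + payload

def walk_fields(buf):
    """Yield (field_no, value) for every top-level field, whatever its number."""
    pos = 0
    while pos < len(buf):
        key, pos = decode_varint(buf, pos)
        field_no, wire_type = key >> 3, key & 7
        if wire_type == 0:
            value, pos = decode_varint(buf, pos)
        elif wire_type == 2:
            length, pos = decode_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        elif wire_type in (1, 5):
            size = 8 if wire_type == 1 else 4
            value, pos = buf[pos:pos + size], pos + size
        else:
            raise ValueError("unsupported wire type %d" % wire_type)
        if pos > len(buf):
            raise ValueError("field runs past end of message")
        yield field_no, value

def decode_known(buf):
    """Schema-aware decode: unknown field numbers are skipped, not rejected."""
    message, unknown = {}, []
    for field_no, value in walk_fields(buf):
        if field_no in KNOWN_FIELDS:
            message[KNOWN_FIELDS[field_no]] = value
        else:
            unknown.append(field_no)
    return message, unknown

def seal(key, body):
    # Sender side: append a 32-byte tag computed over the serialized message.
    return body + hmac.new(key, body, hashlib.sha256).digest()

def open_sealed(key, blob):
    # Receiver side: refuse to decode anything whose bytes changed in transit.
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if len(blob) < 32 or not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return body

def build_samples():
    """Constructed messages: as sent, and with the ad field renumbered in transit."""
    video, ad = b"abc123", b"https://ads.example/pagead/x"
    sent = encode_field(1, video) + encode_field(AD_FIELD, ad)
    altered = encode_field(1, video) + encode_field(AD_FIELD - 1, ad)
    return sent, altered
```

Without the tag, `decode_known` returns the altered message with no `ad_slot` and no error; with it, `open_sealed` rejects the same bytes before any field is parsed.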

vachina

My gf’s YouTube account for some reason does not show ads on any device it is logged in, including the Apple TV. It is not premium, nor ever was premium.

Wonder what flag is set internally that disabled ads.

a12k

Interesting. If you can DM me the username and email associated with the account, I can look into this and get it fixed for her.

pawelduda

"We're sorry for any inconvenience this error may have caused"

doublerabbit

Why would anyone want this fixed?

saaspirant

It's a joke

Alifatisk

Woooosh

pinoy420

[dead]

duxup

Long ago a Google music subscription would disable ads on YouTube. When they discontinued it / I cancelled, it took a good 6+ months before YouTube ads started up for me.

Bit of a “oh I see what people are complaining about” moment for me ;)

TN1ck

Maybe she is in a holdback experiment. To understand how a feature affects the metrics (such as running ads), they often have some people in a holdback. I worked there and we did have such experiments for our features.

dmos62

Love the engineering, but it's kind of sad the hoops we have to jump through to get some semblance of owning our hardware or software.

duxup

Well you own the device in this case. I don’t think there’s a justification to arguing you own YouTube or the content.

rchaud

Any $30 Android shitbox with a nieuwpipe apk has been able to do this for ~ 10 years.

perching_aix

> I discovered that putting a man-in-the-middle proxy between my Apple TV and the world lets me decrypt HTTPS traffic

This surprised me quite a bit because normally that shouldn't work, but then that surprise was exchanged for a different one, when I learned later down that you can add CAs to the certificate store of an Apple TV.

Nice and thorough writeup, thanks for sharing. A good carousel through the entire stack involved.

windhaven

If I had to guess why Apple supports adding certificates, it’s probably to allow Apple TVs to work as AirPlay boxes in corporate/educational environments while playing nice with the IT/device management stuff that entails. For instance, when I was in college, getting something on the college WiFi either required allow-listing its MAC address or installing a certificate.

madeofpalk

This, and the fact that a fair bit of this would 'come for free' due to tvOS being based on iOS which has supported custom CAs for ages.

josephg

Unfortunately Google can trivially block this by checking which CA signed their SSL certificate in the YouTube app. I don’t know if they will - doing so might break YouTube within a lot of corporate environments. But it would be unfortunately easy.

mzajc

Ironically enough Android TV (at least version 7.X) does not let you do that, which I found out the hard way when trying to work around untrusted Let's Encrypt certificates.

jeroenhd

Starting with Android 7, apps have to opt into user-installed certificates. Browsers often do (Firefox is an annoying exception, you need to turn it on in the dev settings and it doesn't work in the official release version of the browser), but apps usually don't even know that the setting exists.

Aside from that, Android has a very easy certificate pinning API where you can just assign a fingerprint to a domain name in the XML config files and it'll pin a certificate to that domain. Easy to bypass if you modify the APK file, but then you miss out on updates and other mechanisms could check if the signature has been tampered with.

With root access (shouldn't be too hard to gain on an Android device still running 7) you can add your certificate to the root certificate folder on the system partition. This will make Let's Encrypt work on all apps. It doesn't bypass certificate pinning, of course, but you don't need that for Let's Encrypt.

codemusings

> [...] when I learned later down that you can add CAs to the certificate store of an Apple TV.

Same. I would not have guessed that that's possible but I guess I never tried to access a resource without a valid certificate chain on Apple TV.

jisnsm

Most devices allow you to add CAs, but almost all apps nowadays use certificate pinning which means the system certificate store is ignored. I find it extremely surprising that YouTube doesn’t do that.

boscillator

That sounds like you've just made it so your app doesn't work behind a corporate SSL proxy. I really need people to stop rolling their own SSL stores (looking at you python, java and nodejs). I spend way too much of my time getting things running on my work laptop that should just use the CA store IT pre-installed.

jeroenhd

Is that a problem? What segment of Google's Apple TV revenue comes from people behind shitty middleboxes?

YouTube won't work on Chromecast if you're trying to MitM it, so clearly Google doesn't think this situation is worth making an exception for in their logic.

AnonHP

> but almost all apps nowadays use certificate pinning which means the system certificate store is ignored

Certificate pinning (or rather, public key pinning) is technically obsolete and browsers themselves removed support for it in 2018. [1] Are there many apps still really using this?

[1]: https://en.m.wikipedia.org/wiki/HTTP_Public_Key_Pinning

jeroenhd

HPKP, yes. Certificate pinning in apps is the norm.

The difference between HPKP and certificate pinning is that HPKP can pin certificates on the fly, whereas certificate pinning in apps is done by configuring the HTTPS client in the native application.

Apps like Facebook won't work on TLS MitM setups without using tools like Frida to kill the validation logic.

solarexplorer

I don't have any numbers, but I think this is still pretty common. On iOS for example Alamofire which is a popular network stack, still offers this as a feature. I think the use case is a bit different for apps and web sites, especially for closed ecosystems like Apple's where reverse engineering is not as easy/straightforward.

https://github.com/Alamofire/Alamofire

klausa

Mobile apps still frequently do, yes.

It's gotten less popular over the years as people keep asking "wait, what are we doing this for again?"; but it's still very popular in certain kinds of apps (anything banking related will almost certainly have it, along with easily broken and bypassed jailbreak detections, etc).

oarsinsync

Most personal banking apps I’ve used still do this. The bank is liable for your lost funds if your corporate IT department doesn’t secure the MITM solution properly otherwise.

(The end customer isn’t liable for the bank’s inability to properly secure their app from MITM attacks…)

mschuster91

> I find it extremely surprising that YouTube doesn’t do that.

Not surprising for me - it used to be only banks where it was required (sometimes by law) that any and all communication be intercepted and logged, but this crap (that by definition breaks certificate pinning) is now getting rolled out to even small businesses as part of some cyber-insurance-mandated endpoint/whatever security solution.

And Youtube is obviously of the opinion that while bankers aren't enough of a target market to annoy with certificate pinning breaking their background music, ordinary F500 employees are a significant enough target market.

Zephyrix

I’ve tried implementing this a few times on my Apple TV to no avail. I think YouTube has implemented cert pinning on their app now or something. Has anyone else been able to get this working recently?

mubou

> I want to support content creators, so to be fair, after a few months of blocking YouTube ads, I am now paying for YouTube Premium; Just because I can break something, doesn’t mean I need to.

Does paying for YouTube Premium support creators? (If so, how much, compared to say Patreon?)

alwyn

Supposedly creators get a bigger share from YT Premium users' compared to regular, ad-watching views, simply because skipped ads mean no revenue. It's still marginal because most people don't have Premium though.

diggan

> Supposedly creators get a bigger share from YT Premium users'

I've heard this multiple times before, but every time I go hunting for a source from Google/YouTube, I cannot find any official statements or confirmed information about this, seems this is mostly based on 3rd party analysis afaik.

kalleboo

I found this screenshot of the partner program contract that says it's a 55% split for either https://imgur.com/YjOHAAr

But for Premium the amount is distributed by watch time, whereas for ad-supported users it's by number of ad views. This means that for short videos where the value of the ad is higher than the value of the watch time, a "free" user wins, but for longer form videos where the watch time is longer, the Premium user wins.

LinusTechTips once showed the YouTube income breakdowns for some of their videos that showed this - for their hour+ long PC build streams, Premium income was higher and for shorter videos, Ads income was higher.

parasti

I've released an album via Distrokid which distributes the release to YouTube as well. You can look at detailed reports there. Youtube revenue is split into Ads, ContentID and Red (which I believe is the old name for Youtube Premium). I just checked and I am currently getting a bigger share from Ads than from Red, per play.

ozzyphantom

Not much compared to Patreon but if you watch more than a couple YouTubers can you reasonably be expected to subscribe to every YouTuber’s Patreon?

I don’t doubt any given YouTube premium subscription provides a negligible amount of income to a creator but watching their videos ad-blocked provides nothing.

(I use ublock on Zen and do not make enough money to be a Patron of anyone unfortunately)

chii

> watching their videos ad-blocked provides nothing.

it provides the view count, for which the creator reaps rewards from as part of the boost in the algorithm from youtube.

Not to mention that a lot of creators on youtube also do sponsored segments.

debian3

And that’s why there is SponsorBlock

chgs

They get far more from a premium viewer than an ad viewer.

kebman

Could you please substantiate that claim?

dtech

> Does paying for YouTube Premium support creators? (If so, how much, compared to say Patreon?)

Yes. Recent info is sparse, but when they initially released it as Youtube Red it was generally much more than they got from ads per view.

gytisgreitai

I need this for openwrt:)

throwawayffffas

So I have to ask, I am legitimately curious, how is AppleTV better than hooking up a laptop with an air mouse on your TV?

jonathanlydall

In addition to the sibling comment, it also:

- Comes with a simple remote control which in addition to controlling the AppleTV also allows muting and changing the volume of your TV. As someone who uses my TV exclusively with the AppleTV this means my TV's remote simply sits in a cupboard.

- If you have an iPhone you can use it as a remote over WiFi, I do this all the time to turn off the TV from a room over when the kids need to stop watching. The iPhone can also act as a remote keyboard which can be very convenient for text input.

- The voice search feature works very well in my experience. The remote has a mic in it and you simply hold one button and dictate what you're searching for and 99% of the time for me it works perfectly.

- It's very fast and responsive, allows quick and easy switching between apps.

- It's popular such that any streaming provider probably has an app for it.

skydhash

Also, Infuse, which is a nice app for playing video files over the network and supports Jellyfin, Plex, and others. It also has Dolby and DTS decoders, which work great as the box only has PCM output.

angulardragon03

Lower power consumption, actual 10-foot interface rather than squinting at the TV, lower maintenance, and (depending on your OS of choice) less intrusive OS-level advertising.

sussmannbaka

Mostly because there is no laptop hooked up to your TV. I wouldn’t want to have a laptop standing around, which is mostly an aesthetic choice.

rs186

Convenience.

When watching TV, people enjoy using a remote to navigate the interface, instead of with keyboard/mouse/trackpad, potentially having to get up and go to the laptop to do that.

pjc50

> laptop with an air mouse on your TV?

Having done the Windows Media Center version of that: it sucks a lot. Remote-control friendly interfaces are actually hard.

prmoustache

Typing a youtube/netflix search box with a remote seems harder to me than doing it comfortably on a decent keyboard.

Jiahang

what about in openwrt?