Android firewalling / network monitoring
Last updated : 20/9/2024
Introduction
Well, here it is. The somewhat non-stub guide for firewalling and/or network monitoring on Android. And no, root and/or unlocked bootloader is not required this time... unless you're using AFWall+ & PCAPdroid (or you can't live without root access).
Prerequisites
Required stuff :
- An Android device (with root if necessary)
- Any of these firewall and/or network monitor apps (don't use more than one VPN solution)
- InviZible Pro (root/VPN; firewall & network monitor only work in VPN mode)
- NetGuard (VPN-only, root-agnostic)
- AFWall+ (iptables-based firewall, root-only, run alongside PCAPdroid for network monitor)
- PCAPdroid (root/VPN network monitor, root mode recommended, run alongside AFWall+ for firewall)
- Optional : VPN lockdown (for InviZible / NetGuard)
- Settings > Network & internet > VPN
- Tap the gear button on the VPN you're using
- Enable "Always-on VPN" & "Block connections without VPN"
InviZible Pro
InviZible Pro is somewhat like NetGuard (both use Android's VPN slot & work with 1 hosts source), but with a more verbose network monitor, added darknet access (I2P & TOR, with the latter enabled by default), & DNSCrypt. By the way, TheAnonymouseJoker considers this a cornerstone of his privacy guide, and it's somewhat understandable considering the features it has (though in reality I beg to differ for obvious reasons). Root mode is also supported, but not recommended, as the firewall & network monitoring won't work in it.
Prerequisite :
- Make sure DNSCrypt is running in InviZible. TOR and/or I2P may also run if you need them.
- InviZible has to run in VPN mode. If running in root mode (which is triggered by InviZible detecting root), network monitoring doesn't work.
To change from root mode to VPN mode, tap the 3-dot menu on top-right & select "VPN Mode".
- Notable InviZible settings (burger menu icon on top-left / swipe right from left corner; everything else can be left untouched, or changed to user preference) :
- Fast Settings
- Autostart : Enable "Start DNSCrypt on boot" (TOR & I2P too if desired, otherwise disable)
- DNSCrypt servers : uncensoreddns-dk-ipv4, uncensoreddns-ipv4 (use whatever you're comfortable with, as long as it works)
Defaults shipped by InviZible : adguard-dns, ahadns-doh-la, dnscrypt-de-blahdns-ipv4, dnsforge.de, libredns-noads, oszx, sfw.scaleway-fr
- DNSCrypt Settings
- Require servers (from static + remote sources) (2nd section) : Enable dnscrypt_servers, doh_servers, ipv4_servers
- Require servers defined by remote sources (3rd section) : Enable require_dnssec, require_nolog, require_nofilter
- Disable force_tcp (unless routing all connections through TOR)
Firewalling :
- Access in (burger menu on top-left corner / swipe right from left corner) > Firewall. Be sure DNSCrypt (and/or TOR) is running.
- Green to enable connections; white to block
Network monitoring :
- Browse to the DNS tab, making sure DNSCrypt is enabled & running.
- Results should be immediately visible.
NetGuard
VPN-based firewall with some network monitoring abilities. Also offers adblocking in GitHub Releases / F-Droid builds. Unfortunately, some features are locked behind Goolag Play in-app purchases.
Prerequisite :
- Enable NetGuard with the toggle in the top-left section, granting it VPN permission.
- Notable NetGuard settings (3 dot menu > Settings; everything else can be left untouched, or changed to user preference)
- Defaults
- Either enable "Block Wi-Fi" for whitelisting, or keep it disabled (by default) for blacklisting. The same applies for "Block mobile".
- Options (optional, only for GitHub Releases builds)
- Disable "Check for updates"
- Advanced options
- Enable "Manage system apps"
Firewalling :
- In default theme (both light & dark, without Goolag Play in-app purchase), orange means block & teal means allow. Simply tap the network icon to disable / enable internet for an app.
Network monitoring :
- 3 dot menu > Settings > Advanced options :
- Enable "Log internet access"
- Enable "Filter traffic"
- Enable "Track network usage"
- Browse to the app you're logging. Exit NetGuard without closing it & open the app you're going to log.
- Connection logs can be viewed in "Access attempts" for each app. The full log, on the other hand, requires Goolag Play in-app purchases.
AFWall+
Root-only firewall using iptables. Has an unlocker hidden behind either Goolag Play Store or in-app purchases (via Goolag Play), which unlocks background theming & hostname logging.
Prerequisite :
- Make sure root access is enabled for AFWall+. Then, open the app. If root access is not granted, it will complain about not finding support for iptables targets & chains.
- Notable AFWall+ settings (3 dot menu > Preferences; everything else can be left untouched, or changed to user preference) :
- UI Preferences (optional)
- Disable "Enable notifications"
- Disable "Rules progress"
- Enable "Show UID for apps"
- Enable "Confirm AFWall+ disable"
- Rules / Connectivity
- Enable "Add Delay", which will add 1 second delay to rule application, effectively guaranteeing that the rules will be applied.
- Enable "LAN control, VPN control, Tether control" (and allow nearby device permission as soon as tether control is enabled). TOR control can be enabled as desired.
- Enable support for IPv4 & IPv6; but keep "only control IPv6 chains" disabled
- Experimental (startup data leak prevention) (optional, only available for Magisk)
- Startup directory path for script : /data/adb/service.d (not available if using KernelSU as root method)
- Enable "Fix startup data leak" (only available if startup data directory for script is set)
Firewalling :
- Tap the 3-line button with a checkmark & select "Block selected", replacing the default "Allow selected". (optional, personal preference)
- Toggle checkmarks to enable / disable internet for selected app, with behavior depending on the "allow / block selected" option mentioned above.
Network monitoring : (unlocker required; use PCAPdroid for network monitoring instead)
- Enter Log preferences
- Enable "Turn on log service" - this will only log IP addresses by default.
- Enable "show hostname" (only available if donate unlocker is installed)
- Connection logs can be seen in 3 dot menu > View log.
PCAPdroid
In a nutshell, it's the reverse of AFWall+ : works in either root or VPN mode; network monitoring is available & fully functional by default; and firewalling is hidden behind the Play Store unlocker and/or license code (and by hidden I mean it : the options are completely absent without it). It will catch all connections (including system connections) if running in root mode, but may also run in VPN mode if you don't mind catching only user-installed apps (a limitation both InviZible & NetGuard share).
Prerequisite :
- Root mode : (recommended, may run alongside AFWall+)
- Make sure root access is available (and granted if running KernelSU; Magisk waits until network monitoring to ask for it)
- Open PCAPdroid & go to Settings (gear icon on top-right, beside the start icon) (preferably while internet is disabled)
- Scroll to "Capture as root" and enable it. The option is only available if PCAPdroid detects root access.
- VPN mode : ...nothing. Just as there are no notable settings to change for PCAPdroid (except for Private DNS, maybe).
Network monitoring :
- In the "Status" tab (a.k.a. the main menu), tap either the "Ready" circle or the start icon (& press "Live capture" on the popup that appears after tapping the start icon). If "Capture as root" is enabled, PCAPdroid will check for root access. Otherwise, it will ask for VPN permission.
- Connect to internet & do internet-dependent stuff (or just leave it there). Results are available in the "Connections" tab (swipe left from "Status" tab). Stop capturing connections by tapping on the stop icon, which now replaces the start icon.
Unofficial network documentation with root-enabled PCAPdroid
Important note : Aside from Private DNS being disabled (leaving it on Automatic kinda messes up the results), a root solution (APatch / KernelSU / Magisk, preferring the last one), and UI modifications (navbar & statusbar tuned to my personal preferences), no other modifications were made to the system at the moment of documenting the ROM's connections. Also, Cell Broadcast Service used the captive portal URL instead of CaptivePortalLogin for whatever reason. The connections documented are only the first connections made as soon as the system gets an internet connection.
Firewalling : Locked behind Play Store unlocker and/or license code & not available on root mode. Leave firewalling to AFWall+ or any other firewalling solution of choice.
App lists
Everything but the firewall and/or network monitor can be in the "situational" list, but since this is my guide, here's my list of allowed & blocked apps, as well as the situational ones.
Allow :
- The firewall and/or network monitoring app
- Root (apps running as root)
- UID -10 (any app) (only in AFWall+)
- UID 1016 (VPN)
- AdAway (with root access)
- UID 10288 (Download manager, Downloads, Sounds)
- Web browsers
- Online-only games (such as Fate/GO)
Block :
- UID 1019 (DRM)
- UID 1029 (Clat)
- UID -11 (kernel)
- Media server
- Webview
- Bluetooth (wifi & mobile data)
- com.android.sdksandbox (A13)
- microG Services
- Intent filter verification service
- Wallpaper & style
- And any other apps that can't justify needing internet access (AIMP, mpv (ignoring "open URL"), Nova Launcher, AetherSX2, PPSSPP serve as personal examples)
Situational (block if not using, allow if using)
- UID 1000 (Android system bundle) (I blocked system bundle & kernel, & I still have internet access; but YMMV)
- UID 1020 (Multicast DNS)
- Network time / ntp (allegedly required for TLS certificates to stay in sync)
- UID 1001 (telephony bundle - Phone Services, com.android.ons)
- Cell broadcast (probably important if living in disaster-prone area)
- GPS
- CaptivePortalLogin (depends on your captive portal setting and whether you use internet on the device)
- adb (block if not using wireless adb)
- Google Play / microG stuff
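To make the mechanism behind AFWall+'s per-UID checkmarks concrete, here is an added example (not AFWall+'s own rule set, which is considerably more elaborate) that emits whitelist-style iptables owner-match rules for some of the allowed UIDs listed above, with a separate chain per interface class the way the Wi-Fi / mobile columns work. Chain names, the interface globs (wlan+, rmnet+) and the Wi-Fi-only download manager split are assumptions; the script only prints commands, it does not apply them.

```shell
#!/bin/sh
# Added example, not AFWall+'s script. Prints iptables commands for a
# whitelist firewall keyed on socket-owner UID. Interface names vary per
# device (check "ip link"); wlan+ / rmnet+ are assumptions.
WIFI_ALLOW="0 1016 10288"   # root, VPN (1016), download manager (10288)
MOBILE_ALLOW="0 1016"       # assumption: downloads only over Wi-Fi

# gen_chain BIN CHAIN IFACE_GLOB "UID ..." -> one chain for one interface class
gen_chain() {
  bin=$1; chain=$2; iface=$3; uids=$4
  echo "$bin -N $chain"       # fails harmlessly if the chain already exists
  echo "$bin -F $chain"       # start from an empty chain either way
  for uid in $uids; do
    # packets from a socket owned by an allowed UID leave the chain unharmed
    echo "$bin -A $chain -m owner --uid-owner $uid -j RETURN"
  done
  # everything else on this interface is rejected. Kernel-originated packets
  # have no owning socket, never match --uid-owner, and so end up here too:
  # that is the "UID -11 (kernel)" entry in the block list above.
  echo "$bin -A $chain -j REJECT"
  echo "$bin -A OUTPUT -o $iface -j $chain"
}

# gen_all BIN -> complete rule set for one address family (iptables / ip6tables)
gen_all() {
  echo "$1 -A OUTPUT -o lo -j ACCEPT"   # loopback stays open for local daemons
  gen_chain "$1" fw_wifi   'wlan+'  "$WIFI_ALLOW"
  gen_chain "$1" fw_mobile 'rmnet+' "$MOBILE_ALLOW"
}

# rule_count BIN -> number of commands gen_all emits; a cheap sanity check
# before piping the output into "su -c sh" on a rooted device
rule_count() { gen_all "$1" | wc -l | tr -d ' '; }

gen_all iptables
gen_all ip6tables
```

Because the page enables both IPv4 & IPv6 in AFWall+, the same rules are emitted for ip6tables; an IPv4-only rule set would leave IPv6 traffic unfiltered.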
Others & comparisons
Here are other solutions I used to consider for firewalling / network monitoring, harvested right off the basic PrivMod guide.
- Additional notes for VPN-based network monitors : While useful for logging user-installed apps, they're unfortunately useless for logging most system connections (at least in my experience). They obviously consume Android's VPN slot, preventing you from using an actual VPN.
- iodéOS has a nifty adblock / firewall / network monitor / network mapper combo that intercepts all network connections in the app, including system connections. Unfortunately, for those running builds after July 2023 (archive.org), the app locks most of its features behind a subscription-based paywall. In addition, this solution requires privileged access (by being prebuilt as an app in /product/app), so it cannot be installed within user-app restrictions.
- AdAway (in either rooted / VPN mode; with the drawbacks of either mode obviously) can also be used as a network monitor by logging DNS requests (but doesn't sort which apps connect to which servers), though it's primarily meant to be an adblocker.
- Most custom ROMs use per-app data restriction, which you can kinda treat as a firewall (CalyxOS also offers Datura "firewall", which is actually just a quick UI for per-app data restriction). Predictably, this is not usable for network monitoring, especially since Android only shows the amount of data used.
- GrapheneOS has toggleable network permission, which is a more robust alternative for per-app data restriction. However, in the context of firewall / network monitor, it's just as useful as the previously mentioned data restriction.