Installing NetGuard was revelation regarding the amount of tracking in most Android apps.
You can configure it to block access by default and notify you every time an app attempts a new connection. And it rings all the time.
Some software call home at 4am every day, other every hour, some send data to a dozen "analytics" services - services that I never opted-in for, which shows how few apps respect the RGPD.
At least most apps still work when those are blocked, and NetGuard allows you to block connections to Google servers except for Google Apps, which network firewalls and DNS solutions can't.
I am using GrapheneOS. GrapheneOS has a compatibility layer providing the option to install and use the official releases of Google Play in the standard app sandbox.
Every once in a while I consider making the switch to KeePassXC. I trust KeePassXC but I don't really trust the mobile apps so last time around I looked into NetGuard. It's really nice but it wasn't a good fit for my use case:
> NetGuard will do its best, but it is limited by the fact it must use the Android VPN service. This is the trade-off required to make a firewall which does not require root access. The firewall can only start when Android "allows" it to start, so it will not offer protection during early boot-up (although you can disable your network before rebooting). Also, the Android VPN service needs to be restarted to apply new rules when connectivity has changed or when the screen is being turned on or off. It will, however, be much better than nothing.
I believe that also means you can't use it with Tailscale or similar.
> I believe that also means you can't use it with Tailscale or similar.
You sort of can. It can route over a socks5 proxy to the work profile where you can have a second VPN running. Wouldn't be an easy solution, but it can work
Would be curious to hear if anyone actually did (or attempted) this and have results to share.
I know I have experienced VPN leaks on Android (not the one they publically fixed as it was after). A second layer wouldn't fix that properly but it should make it less likely.
At the OS level LineageOS offers per-app network permissions, which I've used and functions as expected.
One quirk from what I understand of this ticket[1] is if there's a proxy set up via a separate internet allowed app it can bypass the restriction via that app. GrapheneOS' implementation is said to prevent this.
There's RethinkDNS [1](not affiliated to them, just like their software). Sometimes it gets killed on my phone, but otherwise it's a great replacement, adds some much-needed features like proxies and wireguard VPNs on top of a DNS and app level control.
I've been using Blockada for many years but that's a firewall against ads and trackers. No ads inside apps.
Ideally I would use NetGuard to block the apps and Blockada to block ads and trackers for the apps that I allowed to perform network traffic in NetGuard. But Android allows only one active VPN and they can't be chained, so it's a hard choice. Actually it's not so hard: I keep blocking ads and trackers.
I have used GlassWire (not affiliated) for a few years without issues.
It's also rootless so I assume it has the same restrictions, but it's been very helpful with apps like Uber, which I use seldomly, but prefer not to have their notifications shoved in my face every 30 minutes.
It's also helpful for disabling access to most of the bloatware that comes with e.g. Samsung phones and such.
Probably not blocking everything, but I feel like it's at least something.
Pcapdroid is a very good alternative that allows to see which connections are made from what app to what server and at what time.
You just leave it in background, check one day later and see what sneaky app you never thought of have been sending tons of data in the background.
For me it helped me remove and search alternative for 4 apps, including a pill reminder (mytherapy). I would never have thought the trade-off to be reminded to take vitamin would be to constantly spy on me and sell all my data. Had i known, I would have put a reminder in my calendar.
anyway, it's not the same as netguard. Pcapdroid helps to identify bad application that you can either remove, or if not possible, use netguard later on to block.
Its' really telling that Google doesn't offer an API to access a firewall which provides a clear list of connections and the apps which create them and a way to prohibit such specific connections, possibly also according to blacklists.
They really don't want users to have control over this.
It's more telling that governments haven't made it a mandatory feature on all devices with networking capabilities.
Google hasn't made a successful product in over a decade (nor have their existing products improved in any meaningful sense) - these people are not capable of anything besides hoarding power (and passing leet code I guess :P).
It drains battery because of VPN service solution, which is only non-rooted solution. Also if you use VPN (like Wireguard), you cannot use both.
Every app has own settings for allowing WiFi, data, VPN, background data connections natively in Android. I use custom ROM that has turned off internet connection for all apps by default and you need manually allow them to connect. Which solve mine problem with constant unwanted connections.
If you want really control over traffic on Android and combine with VPN, try ReThing DNS.
> It drains battery because of VPN service solution, which is only non-rooted solution.
It's not the _only_ solution. If you're on a modern (read: last 6 years or so) version of android, you can specify a DNS over TLS server to use.
If that DNS server also happens to be a PiHole, you have a good filter mechanism that doesn't hit battery life / data quotas quite like an always-on VPN does.
I prefer to connect via Wireguard to home network that has DNS filters (ie Pi-hole or NextDNS), because I can benefit with connection to home network any time.
I occasionally set up notifications when apps make requests using NetGuard and let it run for a day. The result is always depressing, lots of apps phoning home that I haven't opened in days...
I let it run today, and the worst offenders I have installed are Spotify (various requests to Facebook endpoints, I have no Facebook integration turned on) and Speedtest (constant requests to their logging endpoint and ad partners). This is all happening without me actually using those apps.
Readit News
You can configure it to block access by default and notify you every time an app attempts a new connection. And it rings all the time.
Some software call home at 4am every day, other every hour, some send data to a dozen "analytics" services - services that I never opted-in for, which shows how few apps respect the RGPD.
At least most apps still work when those are blocked, and NetGuard allows you to block connections to Google servers except for Google Apps, which network firewalls and DNS solutions can't.
How do you know those connections are blocked and not merely bypassing Netguard?
See https://grapheneos.org/features#sandboxed-google-play
NetGuard also shows network requests from GrapheneOS itself, all proxied by the GrapheneOS project, as described here: https://grapheneos.org/faq#default-connections
Which app?
Dead Comment
Every once in a while I consider making the switch to KeePassXC. I trust KeePassXC but I don't really trust the mobile apps so last time around I looked into NetGuard. It's really nice but it wasn't a good fit for my use case:
> NetGuard will do its best, but it is limited by the fact it must use the Android VPN service. This is the trade-off required to make a firewall which does not require root access. The firewall can only start when Android "allows" it to start, so it will not offer protection during early boot-up (although you can disable your network before rebooting). Also, the Android VPN service needs to be restarted to apply new rules when connectivity has changed or when the screen is being turned on or off. It will, however, be much better than nothing.
I believe that also means you can't use it with Tailscale or similar.
I'm using Keepass2Android Offline. It doesn't have the network permission, which for me adds a ton of trust already.
Of course there are other ways to infiltrate data too, but you can be only so paranoid if you want to get things done.
https://play.google.com/store/apps/details?id=keepass2androi...
You sort of can. It can route over a socks5 proxy to the work profile where you can have a second VPN running. Wouldn't be an easy solution, but it can work
I know I have experienced VPN leaks on Android (not the one they publically fixed as it was after). A second layer wouldn't fix that properly but it should make it less likely.
Even KeePassDX? That's what I use, and it's been rock solid for me.
Is "nothing" the only Android per-app outbound firewall alternative to NetGuard?
One quirk from what I understand of this ticket[1] is if there's a proxy set up via a separate internet allowed app it can bypass the restriction via that app. GrapheneOS' implementation is said to prevent this.
[1] https://gitlab.com/LineageOS/issues/android/-/issues/3228
[1] - https://f-droid.org/packages/com.celzero.bravedns/
Ideally I would use NetGuard to block the apps and Blockada to block ads and trackers for the apps that I allowed to perform network traffic in NetGuard. But Android allows only one active VPN and they can't be chained, so it's a hard choice. Actually it's not so hard: I keep blocking ads and trackers.
Karma Firewall https://f-droid.org/packages/net.stargw.fok/
It's also rootless so I assume it has the same restrictions, but it's been very helpful with apps like Uber, which I use seldomly, but prefer not to have their notifications shoved in my face every 30 minutes.
It's also helpful for disabling access to most of the bloatware that comes with e.g. Samsung phones and such.
Probably not blocking everything, but I feel like it's at least something.
You just leave it in background, check one day later and see what sneaky app you never thought of have been sending tons of data in the background.
For me it helped me remove and search alternative for 4 apps, including a pill reminder (mytherapy). I would never have thought the trade-off to be reminded to take vitamin would be to constantly spy on me and sell all my data. Had i known, I would have put a reminder in my calendar.
Kind of wish there was more discussion about solutions for rooted devices and how much unwanted traffic is already blocked by AdAway (in rooted mode).
This is an app you wanted to replace? Or this is one of the apps that you found to be a good replacement?
(I am also looking for a basic medication reminder/logging app)
i checked on the play store, all full of trackers. open source is great but always having issue, either it lacks functionalities or it's buggy.
at the end, i decided i could put a reminder on my phone and be done with that.
anyway, it's not the same as netguard. Pcapdroid helps to identify bad application that you can either remove, or if not possible, use netguard later on to block.
They really don't want users to have control over this.
Google hasn't made a successful product in over a decade (nor have their existing products improved in any meaningful sense) - these people are not capable of anything besides hoarding power (and passing leet code I guess :P).
Yes, GNU/Linux distributions provide exactly that.
Every app has own settings for allowing WiFi, data, VPN, background data connections natively in Android. I use custom ROM that has turned off internet connection for all apps by default and you need manually allow them to connect. Which solve mine problem with constant unwanted connections.
If you want really control over traffic on Android and combine with VPN, try ReThing DNS.
https://www.rethinkdns.com/
It's not the _only_ solution. If you're on a modern (read: last 6 years or so) version of android, you can specify a DNS over TLS server to use.
If that DNS server also happens to be a PiHole, you have a good filter mechanism that doesn't hit battery life / data quotas quite like an always-on VPN does.
It's a bit old, but I put together a basic project for this here: https://github.com/kquinsland/skyhole/
It doesn't really, just try it (and take actual battery duration measurements, Android misreports VPN apps battery usages)
I let it run today, and the worst offenders I have installed are Spotify (various requests to Facebook endpoints, I have no Facebook integration turned on) and Speedtest (constant requests to their logging endpoint and ad partners). This is all happening without me actually using those apps.
1. https://f-droid.org/en/packages/net.typeblog.shelter/
(On my phones, I use LineageOS which can manage network permissions per app right in app settings.)