Any way to block specific Android apps from accessing the internet/network?

Is there any way to block specific Android apps from accessing the internet/network? (For example I have a note-taking app which has internet access, but I don’t necessarily trust it, so I’d like to just entirely block it’s access to the internet. However I still want Firefox/etc to be able to access the internet unrestricted.)

On an Android phone I just use NetGuard, which works by pretending to be a VPN (and then blocking internet access for apps of your choosing). I tried installing it on Sailfish OS, but it says it fails to activate - most likely because Android AppSupport doesn’t seem to provide any VPN settings?

For native apps I can manually copy the relevant /usr/share/applications/*.desktop file to /etc/sailjail/applications/ and edit it there, but obviously that doesn’t work for Android apps…

So, is there some way to do this?

I haven’t tried yet, but would it be possible to block an app’s network access using iptables with an appropriate --uid-owner or --gid-owner (not sure if each Android app has it’s own UID nor how I would find that out?). Or could I use SElinux to do something similar?

The easiest way is to replace your untrusted note app and go native with FoilNotes, which also offers encrypted notes.

It can be used with MyBackup, so it’s been backed up with the built-in Sailfish OS backup tool.

Thanks for your suggestion, but it’s not viable. I have many Android apps that I use, which likely have no native equivalent that I would find acceptable. Hence why I am looking to block network access for specific apps.

What about Privoxy?

There is an app in FDroid, TrackerControl, which has an option to block internet access to each application individually.

I haven’t tested it with AAS though.

For some reason local proxy does not work for AAS. Also it can’t do application-level filtering.

No, doesn’t work.

This app depends on the Android VPN feature, by creating a local VPN for filtering.

It is a bit OT because it does not help in the topic issue but local proxy( at localhost) definitely works for AAS. Both http and socks. Maybe I understand this statement incorrectly?

Has anyone yet tried to run RethinkDNS on AAS?
With RethinkDNS the user can grant or deny network access for each single Android app, Cellular/WLAN, on/off.
Including Firewall, IP & Port rules.

Hm, my testing was a while back - maybe something has changed, quite possible.

Just to be clear, we are talking about a socks or http proxy (e.g. tor, i2pd) running in SFOS, and you can reach and use it from AAS?

Yes, I use tor proxy running in SFOS, directly via socks and via privoxy in ASS and it does work.

Thanks for confirming, that’s good news to me! I’ll try to do some tests again, and amend my Privoxy (and maybe i2pd) documentation.

To everybody in this thread: this should be the end of this off-topic excursion.

To contribute a little on-topic: to my knowledge there is currently no way to do per-application internet blocking (apart from the Android-native permission system, and Sailjail for SFOS Apps).

Just to let people know that I’ve made a script to allow you to block chosen Android apps from accessing the internet:

Sorry, just came across this.

Also confirming that the local (global) proxy setting is for Android stuff as well working.

@nephros now, This is the end