Control network-traffic for Android Apps

I am searching for a way to control (allow/forbid) network traffic for
single apps. Is this possible to do?

On “normal” Android phones, AFWall, for example, is used for this: an iptables-based
firewall. There you can manage traffic for Wifi/data/VPN for every app.

Sailfish OS 4.1.0.24 - XA2 - aosp_h3113

First things first; what is the actual use case?
Why would you want to have poorly behaved apps on your phone?
Wouldn’t the app be useless if it normally needs internet access, and you then go and disable it?
And if it doesn’t, apart from being really iffy, couldn’t you revoke the permission?
If it uses unwanted background data, then just keep background services off.

Since AFWall uses iptables, all that you’d need to figure out is how it is able to correlate traffic to a certain app. If that is still doable in SFOS (at least Android app names show up in top), then you should be able to do the same.

How and where could I do this for an Android app?

for example:
root@Sail02:~# netstat -napt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.1.222:56580 209.97.157.92:443 ESTABLISHED 28614/org.gnu.iceca
tcp 0 0 192.168.1.222:55406 172.217.19.74:443 ESTABLISHED 28614/org.gnu.iceca

If I wanted to deny the network to icecat here, sure, I could write something with iptables.
My question was more whether somebody else has thought about this and maybe there is some kind of solution for it. Maybe not.

From my point of view; you are asking for a tool that has no (obvious) reasonable use - so chances that others have thought about it sounds slim. Knowing what the actual use cases are would hopefully enable better answers (e.g. solving the problem some other way).

Hmm, seems that permission is not revocable, even from the console: android.permission.INTERNET requested by com.spotify.music is not a changeable permission type. Background data usage is available though - but better just kill background services.

You need a rooted phone to use AFWall. So, it is not that popular, but on the Play Store it has 500.000 downloads. On the other side, a non-root “firewall” (NetGuard) has 5.000.000+ downloads on the Play Store. Doesn't seem so useless for a lot of users.

In my case and only for me, yes, I can deal with iptables myself. I thought there was maybe a little more generic thing for this. A few people have asked me in the past for that feature in Sailfish/Android.

That is not an argument! It is a schoolbook example of an ad populum fallacy.
Heck, they might even have realised it was not useful and uninstalled it for all we know.

Since you still haven’t said what the use case is, I’ll just assume there is none.
(Beyond shadow-revoking internet permissions for apps that shouldn’t have it in the first place - which are probably terrible in more ways anyway)

This functionality should be built-in into Sailfish Android layer!

They say SFOS is about privacy, so why the heck is the Android layer less private than a standard Android phone (with proper apps)?

SFOS must have built-in functionality to provide fake data to Android apps and to disallow internet access on per-app basis.

When any VPN app is launched it does not change the AlienDalvik VPN settings… Why is this?

It seems important for you to have a use case, so I will give you one, or two of tons. I am using ColorNote for my personal notes, and I don't want this to ever have network access. There is TitaniumBackup, which makes local backups, and for this I only want to allow LAN access. Or my media player shouldn't be going online, because I only want to see local files. And so on.
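The AFWall-style approach mentioned earlier (correlate traffic to an app, then filter it with iptables) and the LAN-only case just described, as an added example that is not code from the thread or from AFWall. It assumes, which the thread does not confirm, that the Android layer runs each app under its own Linux UID as stock Android does, so iptables' owner match can single out that app; the generated rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not from the thread or from AFWall. Assumption: each Android
# app has its own Linux UID, so `-m owner --uid-owner` matches only its packets.

# pids_for_app PATTERN   (reads `netstat -napt` output on stdin)
# Prints the distinct PIDs whose program name contains PATTERN. netstat
# truncates names (org.gnu.icecat shows as org.gnu.iceca), hence a substring.
pids_for_app() {
    awk -v pat="$1" '$NF ~ pat { split($NF, f, "/"); print f[1] }' | sort -u
}

# uid_of_pid PID -> real UID of that process, read from /proc
uid_of_pid() {
    awk '/^Uid:/ { print $2 }' "/proc/$1/status"
}

# app_rules UID [LAN_CIDR]
# One chain per app: loopback always allowed, the LAN allowed only when a CIDR
# is given (the "local backups only" case), everything else rejected so the
# app fails fast instead of hanging on a silent DROP. Rules are echoed, not run.
app_rules() {
    uid=$1
    lan=$2
    chain="APP_$uid"
    echo "iptables -N $chain"
    echo "iptables -A $chain -o lo -j ACCEPT"
    if [ -n "$lan" ]; then
        echo "iptables -A $chain -d $lan -j ACCEPT"
    fi
    echo "iptables -A $chain -j REJECT"
    # Hook the chain into OUTPUT, keyed on the owning UID.
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -j $chain"
}

# Constructed sample of `netstat -napt` output: the two icecat lines from the
# thread plus a second, made-up app.
SAMPLE_NETSTAT='tcp 0 0 192.168.1.222:56580 209.97.157.92:443 ESTABLISHED 28614/org.gnu.iceca
tcp 0 0 192.168.1.222:55406 172.217.19.74:443 ESTABLISHED 28614/org.gnu.iceca
tcp 0 0 192.168.1.222:40112 203.0.113.7:443 ESTABLISHED 31002/com.spotify.mu'

# Demo: find icecat's PID in the sample, look up its UID if that PID exists on
# this machine, and print a LAN-only rule set for a placeholder UID 10123.
for pid in $(printf '%s\n' "$SAMPLE_NETSTAT" | pids_for_app iceca); do
    echo "# icecat PID $pid -> uid $(uid_of_pid "$pid" 2>/dev/null || echo '?')"
done
app_rules 10123 192.168.1.0/24
```

Run it as root with the output piped into sh only after reading the rules; the UID 10123 is a placeholder, so substitute the value uid_of_pid reports for the app's real PID.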

All these Android apps connect to Google and Facebook for metrics and data collection. I try to block hosts like googleapis.com etc. by adding them to the /etc/hosts file as described here: https://together.jolla.com/question/123404/howto-block-websites-in-every-browser/ but it did not work.

On Ubuntu I use OpenSnitch.

I also tried:
iptables -A INPUT -s facebook.com -j DROP
iptables -A OUTPUT -d facebook.com -j DROP

and from the browser I can no longer access the page, but using tcpdump on the router I can still see the Android apps connecting to facebook.com

How to block Android app trackers on Sailfish OS 4?

Take a look here:
https://openrepos.net/content/peterleinchen/defender-ii-updated-encrypted-devices-originated-nodevel

In the above you missed that the Android layer is using its own hosts file.
Defender will take care of this…


This is all very sad.
J has full control of android layer, yet they show zero interest in putting snoopy android apps on a leash.
So much for privacy-friendly OS.

This Defender II app is awesome! Thank you so much!!

Yes!
But all kudos should go to nodevel, as he invented/implemented it.

You know that there is a …/etc/hosts.editable file in which you might add whatever site you want to add getting blocked?

I edited the …/etc/hosts.editable file with sh -c 'echo "127.0.0.1 www.google.com" >> /etc/hosts.editable' but even after a reboot, using the browser, it did not block the URL. But when I use sh -c 'echo "127.0.0.1 www.google.com" >> /etc/hosts' it does.

The problem is that it does not block Google from the Android layer. When I open the Android version of Firefox I can still open Google.com

Not sure what I do wrong.

There are two (three) locations of etc/hosts* files, that is what I meant with /etc/hosts*

The first one is /etc/hosts* for native SFOS.
The second (third) is for the Android layer and, depending on the version (10 or the older 4.4), it is
/system/etc/hosts*
or
/opt/alien/system/etc/hosts*

After modifying this/these hosts.editable files you need to run the update within the Defender app to get these changes integrated.


Both /etc/hosts and /system/etc/hosts are now 11 MB in size and contain the lists of URLs to be blocked.

It works on Sailfish, but I can see in the router tcpdump that the Android layer does not block the URLs.

It seems to ignore or bypass the iptables host file. Is there a resolv.conf I need to adjust?
What else can I try?
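Before looking at resolver settings, the first thing to verify is that a name is actually sinked in both hosts files the earlier reply listed (the native one and the Android layer's own). The check below is an added example, not code from the thread or from Defender; it parses a hosts file the way the resolver does (comments, tabs, several aliases per line) and lists names blocked for native SFOS but not for the Android layer, using constructed sample files.

```shell
#!/bin/sh
# Added example, not from the thread or Defender. Compares which hostnames two
# hosts files sink to a loopback/null address, e.g. /etc/hosts versus
# /system/etc/hosts (or /opt/alien/system/etc/hosts on the older layer).

# blocked_names FILE -> hostnames FILE maps to 127.0.0.1 / 0.0.0.0 / ::1 / ::,
# lowercased, one per line, sorted. Comments are stripped first, and every
# alias on a line counts, so it copes with blocklist-sized files.
blocked_names() {
    awk '
        { sub(/#.*/, "") }
        NF >= 2 && ($1 == "127.0.0.1" || $1 == "0.0.0.0" || $1 == "::1" || $1 == "::") {
            for (i = 2; i <= NF; i++) print tolower($i)
        }' "$1" | sort -u
}

# is_blocked FILE DOMAIN -> exit 0 if DOMAIN is sinked in FILE (case-insensitive)
is_blocked() {
    blocked_names "$1" | grep -qx "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# unblocked_in_android NATIVE_HOSTS ANDROID_HOSTS -> names sinked in the native
# file but missing from the Android layer's file: the gap reported above.
unblocked_in_android() {
    a=$(mktemp) b=$(mktemp)
    blocked_names "$1" > "$a"
    blocked_names "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# make_sample_dir -> directory holding two constructed hosts files: the native
# one blocks Google and two Facebook hosts, the Android one only Google.
make_sample_dir() {
    d=$(mktemp -d)
    printf '127.0.0.1 localhost\n0.0.0.0 www.google.com # added by hand\n127.0.0.1\tGRAPH.facebook.com  pixel.facebook.com\n' > "$d/native"
    printf '127.0.0.1 localhost\n0.0.0.0 www.google.com\n' > "$d/android"
    echo "$d"
}

# Demo on the constructed files; on a phone point the two paths at the real files.
sample=$(make_sample_dir)
echo "blocked natively but not in the Android layer:"
unblocked_in_android "$sample/native" "$sample/android"
rm -rf "$sample"
```

A name that shows up in this list explains the behaviour seen in tcpdump without any resolver change; a name that does not show up means the Android layer is resolving around the file, and that is when the resolver is worth checking.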