Control network-traffic for Android Apps

tombln · 14 July 2021 11:57

I am searching for a way to control (allow/forbid) network traffic for
single apps. Is this possible to do?

In “normal” Android-phones it used for example AFWall for this, an iptables
based firewall. There you can manage traffic for Wifi/data/VPN for every app.

Sailfish OS 4.1.0.24 - XA2 - aosp_h3113

attah · 14 July 2021 12:25

First things first; what is the actual use case?
Why would you want to have poorly behaved apps on your phone?
Wouldn’t the app be useless if it normally needs internet access, and you then go and disable it?
And if it doesn’t, apart from being really iffy, couldn’t you revoke the permission?
If it uses unwanted background data, then just keep background services off.

Since AFWall uses iptables, all that you’d need to figure out is how it is able to correlate traffic to a certain app. If that is still doable in SFOS (at least Android app names show up in top), then you should be able to do the same.

tombln · 14 July 2021 13:22

how and where could i do this for an Android app?

for example:
root@Sail02:~# netstat -napt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.1.222:56580 209.97.157.92:443 ESTABLISHED 28614/org.gnu.iceca
tcp 0 0 192.168.1.222:55406 172.217.19.74:443 ESTABLISHED 28614/org.gnu.iceca
…

if i would deny here the network for icecat, sure, i could write something with iptables.
My question was more, if somebody else thought about this and maybe there are some kind of solution for this. Maybe not.

attah · 14 July 2021 14:08

From my point of view; you are asking for a tool that has no (obvious) reasonable use - so chances that others have thought about it sounds slim. Knowing what the actual use cases are would hopefully enable better answers (e.g. solving the problem some other way).

Hmm, seems that permission is not revocable, even from the console: android.permission.INTERNET requested by com.spotify.music is not a changeable permission type. Background data usage is available though - but better just kill background services.

tombln · 14 July 2021 14:24

You need a rooted-phone to use AFWall. So, it is not that popular, but on playstore it has 500.000 downloads. On the other side, a non-root-“firewall” (NetGuard) has 5.000.000+ downloads on playstore. Doesnt seem so useless for a lot of users.

In my case and only for me, yes, i can deal with iptables for myself. I thought, there is maybe a little more generic thing for this. A few people were asking me in the past for that feature in Sailfish/Android.

attah · 14 July 2021 14:41

That is not an argument! It is a schoolbook example of an ad populum fallacy.
Heck, they might even have realised it was not useful and uninstalled it for all we know.

Since you still haven’t said what the use case is, i’ll just assume there is none.
(Beyond shadow-revoking internet permissions for apps that shouldn’t have it in the first place - which are probably terrible in more ways anyway)

remote · 14 July 2021 18:57

This functionality should be built-in into Sailfish Android layer!

They say SFOS is about privacy, then why the heck Android layer is less private that a standard Android phone (with proper apps)?

SFOS must have built-in functionality to provide fake data to Android apps and to disallow internet access on per-app basis.

nerd7473 · 14 July 2021 19:19

When any VPN app is launched it does not change the AlienDalvik VPN settings… Why is this?

tombln · 14 July 2021 20:04

It seems important for you to have a use case, so I will give you one, or two of tons.
I am using ColorNote for my personal notes, and I dont want, that this has network
access ever. There is TitaniumBackup, which makes local backups and for this I
only want allow LAN-access. Or my mediaplayer shouldnt be going online, because
I only want to see local files. And so on.

dry1 · 26 September 2021 20:19

All these Android app connect to google and facebook for metrics and data collection. I try to block hosts like googleapis .com etc by adding them to the etc/host file like described here: https://together.jolla.com/question/123404/howto-block-websites-in-every-browser/ but it did not work.

On Ubuntu I use OpenSnitch.

I also tried:
iptables -A INPUT -s facebook .com -j DROP
iptables -A OUTPUT -d facebook .com -j DROP

and from the browser I cannot longer access the page but using TCPDUMP on the router I can still see the Android apps connecting to facebook .com

How to block Android app trackers on Sailfish OS 4?

peterleinchen · 27 September 2021 11:34

Take a look here:
https://openrepos.net/content/peterleinchen/defender-ii-updated-encrypted-devices-originated-nodevel

In above you missed that android layer is using its own hosts file.
Defender will take care of this…

remote · 27 September 2021 13:13

This is all very sad.
J has full control of android layer, yet they show zero interest in putting snoopy android apps on a leash.
So much for privacy-friendly OS.

dry1 · 29 September 2021 00:30

This Defender II app is awesome! Thank you so much!!

peterleinchen · 29 September 2021 05:54

Yes!
But all kudos should go to nodevel, as he invented/implemented it.

You know that there is a …/etc/hosts.editable file in which you might add whatever site you want to add getting blocked?

dry1 · 1 October 2021 01:08

I edited the …/etc/hosts.editable file with sh -c ‘echo “127.0.0.1 www.google.com” >> /etc/hosts.editable’ but even after reboot using the browser it did not block the url. But when I use sh -c ‘echo “127.0.0.1 www.google.com” >> /etc/hosts’ it does.

The problem is that it does not block google from the Android layer. When I open the Android version of Firefox I can still open Google.com

Not sure what I do wrong.

peterleinchen · 1 October 2021 04:37

There are two (three) locations of
etc/hosts*
files, that is what I meant with
…/etc/hosts*

First one is /etc/hosts* for native SFOS
Second( third) is for Android layer and depending on version (10 or older 4.4) it is
/system/etc/hosts*
or
/opt/alien/system/etc/hosts*

After modifying this/these hosts.editable files you need to update within defender app to get these changes integrated.

dry1 · 23 October 2021 23:20

Both /etc/hosts and /system/etc/hosts are now 11 MB in size and contain the lists of urls to be blocked.

It works on Sailfish but but I can see on the router TCP dump that the Android layer it does not block the URLs.

It seem to ignore or bypass the IP Tables host file. Is there a resolve.conf I need to adjust?
What else can I try?

peterleinchen · 24 October 2021 09:13

Oops,
it looks like you found something I was not aware of.
Please try restarting the android support. Either by system settings GUI or devel-su system-ctl restart aliendalvik.
And test again

dry1 · 26 October 2021 06:00

I did that and rebooted the device but the Android layer still seem to ignore or bypass the IP Tables host file. Can I force the Android layer to use the IP Tables somehow?

peterleinchen · 26 October 2021 06:49

That sounds strange!

Please attach to Android console with

devel-su lxc-attach aliendalvik /system/bin/sh

and try to ping one of those host blocked names (from /system/etc/hosts) and see what IP you get resolved.