Admittedly, the technical feasibility of this is not quite nailed down, but there are many smart people here that i’m sure can weigh in.
As an app developer, I’d like to be able to promise my users what kind of network access my apps needs. No network access at all is an already established concept in FireJail, but at least my apps doesn’t fall in that category. However, they are all solidly only Internet or LAN based - that would be nice to be able to promise, and to have enforced for me.
No need to have my crappy code become a springboard for breaking in or breaking out if it can be avoided.
The most obvious way to do this would be to base it on the need for routing (e.g. netstat -rn), and either through virtual interfaces or firewall rules enforce only routed or unrouted traffic from the app leaves the phone. When on Cellular, that could just be treated as LAN not available of course.
This will break some medium/large company setups and hardcore enthusiast ones with multiple network segments, so maybe it is too broken? Could it make sense as a “strict” mode, or something that can be disabled on some “Public networks”? Or is it too fragile altogether? Are there better ways to do it?