Script to block chosen Android apps from accessing the internet

ohnonot · 20 February 2026 12:52

I have experimented on the command line, so my comments have little to do with the GUI app.

However, both me and @chr1s noticed that connman behaves erratically. There’s no short explanation except that systemctl connman reload doesn’t always work as desired. You’ll have to read all our comments to get a better picture of the weirdness.

@chr1s already added whitelisting (i.e. block all Android apps, then punch holes for apps) to his script.

We were mostly discussing which range of user IDs should be blocked wrt the whitelist approach. Mine is stricter, and currently it disables network connectivity for apps even when they have their holes punched. I suspect one would need to punch one more hole for some android system user, instead of just skipping the first 10 000. But I’m still investigating.

For me the big question is whether this Android firewalling isn’t just security theater if any app can circumvent it by using an Android system user run mechanism instead. Or it could just be an online check.

I need a better on-device network monitoring tool.

tl;dr: just stick with @chr1s script. It’s safe. The added 69-block-android-system-firewall.conf is not part of it.

ohnonot · 27 February 2026 22:58

In the end I’m comfortable with adding these rules manually to my very strict whitelist setup.

But I take it it wouldn’t interfere with your script/app if I just choose a higher number for the config file.

I wrote a blog post about it.

chr1s · 28 February 2026 10:14

I’ve updated the 69-block-android-system-firewall.conf file in my Zip:
FirewallAndroidApps.zip

It now skips Android’s “root” UID, like you said you found necessary.

That would depend on whether my script is block or allow listing & what your firewall rules are doing. Using my script in allow listing mode, all allowed apps will get network access even if they are blocked by your firewall rules, if those rules come later (i.e. have a higher number).

I wouldn’t advise using my script with other firewall rules that also try to block Android AppSupport, since they will conflict unless you are very careful. (And of course don’t use ichthyosaurus’ app and my script, as they will partially overwrite each other’s firewall rules. I guess I should include an uninstall script…)