okso 6 hours ago

Installing NetGuard was a revelation regarding the amount of tracking in most Android apps.

You can configure it to block access by default and notify you every time an app attempts a new connection. And it rings all the time.

Some software calls home at 4am every day, other software every hour, and some sends data to a dozen "analytics" services - services that I never opted in to, which shows how few apps respect the RGPD.

At least most apps still work when those are blocked, and NetGuard allows you to block connections to Google servers except for Google Apps, which network firewalls and DNS solutions can't.

dsissitka 10 hours ago

From the developer of FairEmail.

Every once in a while I consider making the switch to KeePassXC. I trust KeePassXC but I don't really trust the mobile apps so last time around I looked into NetGuard. It's really nice but it wasn't a good fit for my use case:

> NetGuard will do its best, but it is limited by the fact it must use the Android VPN service. This is the trade-off required to make a firewall which does not require root access. The firewall can only start when Android "allows" it to start, so it will not offer protection during early boot-up (although you can disable your network before rebooting). Also, the Android VPN service needs to be restarted to apply new rules when connectivity has changed or when the screen is being turned on or off. It will, however, be much better than nothing.

I believe that also means you can't use it with Tailscale or similar.

  • distances 5 hours ago

    > I trust KeePassXC but I don't really trust the mobile apps

    I'm using Keepass2Android Offline. It doesn't have the network permission, which for me adds a ton of trust already.

    Of course there are other ways to infiltrate data too, but you can be only so paranoid if you want to get things done.

    https://play.google.com/store/apps/details?id=keepass2androi...

  • dugite-code 9 hours ago

    > I believe that also means you can't use it with Tailscale or similar.

    You sort of can. It can route over a SOCKS5 proxy to the work profile, where you can have a second VPN running. Wouldn't be an easy solution, but it can work.

  • transpute 9 hours ago

    > better than nothing

    Is "nothing" the only Android per-app outbound firewall alternative to NetGuard?

    • Springtime 6 hours ago

      At the OS level LineageOS offers per-app network permissions, which I've used and which function as expected.

      One quirk, from what I understand of this ticket[1], is that if there's a proxy set up via a separate internet-allowed app, it can bypass the restriction via that app. GrapheneOS' implementation is said to prevent this.

      [1] https://gitlab.com/LineageOS/issues/android/-/issues/3228

    • pmontra 6 hours ago

      I've been using Blockada for many years but that's a firewall against ads and trackers. No ads inside apps.

      Ideally I would use NetGuard to block the apps and Blockada to block ads and trackers for the apps that I allowed to perform network traffic in NetGuard. But Android allows only one active VPN and they can't be chained, so it's a hard choice. Actually it's not so hard: I keep blocking ads and trackers.

      • saint_yossarian 4 hours ago

        NetGuard does ad-blocking with a DNS blacklist, but it's a Pro feature (which I use and works great).

      • Onavo 5 hours ago

        Blockada is most likely a DNS-level blocker; NetGuard supports that. Alternatively you can configure it to point the DNS servers at NextDNS if you just want a nice UI to configure block lists (though NextDNS might track you).

        • esperent 5 hours ago

          NextDNS as a manual DNS server on Android is the adblocking solution I've been using for years. Is there any reason to believe they would track you, any more than any other DNS provider?

    • colordrops 9 hours ago

      No, if you have a rooted phone you can use AFWall+. And there are other non-root firewalls.

aucisson_masque 4 hours ago

Pcapdroid is a very good alternative that allows you to see which connections are made from what app to what server and at what time.

You just leave it in the background, check one day later and see which sneaky apps you never thought of have been sending tons of data in the background.

For me it helped me remove and search for alternatives to 4 apps, including a pill reminder (mytherapy). I would never have thought the trade-off for being reminded to take vitamins would be to be constantly spied on and have all my data sold. Had I known, I would have put a reminder in my calendar.

  • g-b-r 4 hours ago

    Except that... that doesn't block anything??

qwertox 5 hours ago

It's really telling that Google doesn't offer an API to access a firewall which provides a clear list of connections and the apps which create them, and a way to prohibit such specific connections, possibly also according to blacklists.

They really don't want users to have control over this.

noname120 2 hours ago

AdGuard is also rootless, but in addition if you have root then it can install a system-wide certificate that enables it to decrypt HTTPS requests to do granular filtering (not just at the domain level). Basically just like uBlock does, except that it's system-wide and works in all apps[1].

[1] Except apps that pin their certificates. But you can exclude those or install another module[2] (not from AdGuard) which disables certificate pinning.

[2] For example: https://github.com/cryptoexpertssss/TrustMeAlready

notpushkin 7 hours ago

This is really good. Using it on my Oculus to block connections to Facebook servers.

(On my phones, I use LineageOS which can manage network permissions per app right in app settings.)

p0w3n3d 7 hours ago

I'm using NetGuard. It's really good, but it conflicts with WireGuard (another VPN I am using). It's because the firewall is realised using the VPN API; when running NetGuard, it uses the VPN API to control the traffic.

  • okso 6 hours ago

    I am dreaming of an open-source app that adds WireGuard capabilities to NetGuard or vice versa.

    Having to switch from one to the other is very annoying.

    • p0w3n3d an hour ago

      Especially since WireGuard silently disables NetGuard, and then the communication undergoes (at least in my case) silent

acidburnNSA an hour ago

Does this show anything at all without purchases? I installed it and turned on notify on access and I have gotten no notifications so far.

microflash 9 hours ago

Is there something like this for iOS? I know Adguard but it is not open source.

  • alibert 4 hours ago

    Something already included in iOS is App Privacy Report feature.

    https://support.apple.com/en-us/102188

    • halfcat 2 hours ago

      This doesn’t seem to show any site I browse in the DuckDuckGo app, which raises the question, if DDG can hide connections it makes from showing in privacy report, can any (more nefarious) app do the same?

  • radicality 6 hours ago

    Isn't AdGuard just DNS protection (and a Safari extension)? Afaik something like this isn't easily doable on iOS. Some options are:

    * Shadowrocket - you can set complex rules on what hosts/connections should be routed by what, but afaik you are not able to isolate traffic on a per-app basis.

    * I think you can set up per-app VPN on iOS, but you must use MDM; you can't do it on an unmanaged profile. Link: https://support.apple.com/guide/deployment/vpn-overview-depa...

    • transpute 5 hours ago

      > per-app VPN on iOS, but you must use MDM

      Yet iOS allows Safari per-site VPN without enterprise MDM, via Apple Configurator profile.

  • varenc 5 hours ago

    The APIs to implement traffic policies on a per-app basis just don’t exist on iOS. You can create a VPN connection and have an app manage all network traffic that way, but you can’t associate traffic with specific apps since this would run afoul of their sandbox. At least without jailbreaking.

  • newscracker 5 hours ago

    I came here to ask a similar question, looking for alternatives to Lockdown Privacy on iOS/iPadOS. [1] I've been using Lockdown for some years as a local and system firewall to block trackers across all apps, but this company got sold a few years ago and has since been annoyingly and frequently pushing for its paid subscription. It also moved some free blocking lists to the paid subscription.

    Any alternatives to Lockdown on iOS/iPadOS would be nice to know about.

    [1]: https://lockdownprivacy.com/

  • saagarjha 5 hours ago

    Only in China I believe.

user070223 6 hours ago

Don't forget to periodically update the hosts file: Settings -> Backup -> Download hosts file.

The creator also made XPrivacyLua (hooks Android API system calls to block permissions).

extraduder_ire 2 hours ago

While I'm normally not someone who pays for apps, and am annoyed at F-Droid releases having paid features, I had such a fun time figuring out and bypassing the challenge/response part of the app (without just commenting it out and recompiling) that I decided to send €1.23 his way.

tuananh 2 hours ago

Is this the best available option on Android? Is there any alternative I should give a try?

udev4096 8 hours ago

Afaik, this requires an active VPN connection. With GrapheneOS, there is a network toggle which disables INTERNET access for any individual app, so it doesn't make sense to use NetGuard.

  • str3wer 7 hours ago

    > it doesn't make sense to use NetGuard

    Unless you use any other phone that is not a Google Pixel running GrapheneOS.

    • palata 4 hours ago

      Which is literally the meaning of "With GrapheneOS, [...] it doesn't make sense to use NetGuard", isn't it?

    • notpushkin 5 hours ago

      LineageOS has this too, and it’s available on a fair bit of non-Pixel phones.

      • udev4096 5 hours ago

        LineageOS doesn't really cut off INTERNET access properly. Graphene's approach is more robust. I still wonder why such an important feature is not in AOSP itself.

        • aucisson_masque 4 hours ago

          > still wonder why such an important feature is not in the AOSP itself

          Really? Remind yourself who works on Android. Google has been removing functionality that benefits privacy forever, and then puts half-baked alternatives buried under tons of settings.

          • udev4096 3 hours ago

            I am well aware of that. AOSP still has quite a lot of contributors outside of Google.

  • attendant3446 2 hours ago

    NetGuard allows you to block specific hosts. I use it on GrapheneOS for monitoring and selective host blocking.

  • wanderingmind 7 hours ago

    It can do other things. It can monitor network traffic and block ads within apps through multiple hosts files. Also, having a single app to toggle is more UX-friendly than toggling multiple apps' network access.

    • udev4096 5 hours ago

      Running Pi-hole as your home DNS is far more feasible for blocking ads and other intrusive requests. The UX perspective is a valid point.

      • prmoustache 4 hours ago

        But that ties you down to connecting to a VPN every single time you leave home.

        • udev4096 3 hours ago

          You can have a remote instance of Pi-hole, normally by renting a cheap VPS.

  • saint_yossarian 4 hours ago

    I use NetGuard on GrapheneOS to block mobile data for certain apps.

palata 4 hours ago

How does that compare to having filtering done by the VPN? Many VPN services tend to do that nowadays, right?

cinntaile 3 hours ago

When you try to purchase pro features it should really display the price...

mcsniff 8 hours ago

AOSP has a pretty well functioning firewall, good enough that GrapheneOS implements and builds on it.

https://grapheneos.org/faq#firewall

Yeah there's no stats or traffic info, but until Android has a real way of using multiple VPN interfaces or exposes adding routes to users/apps, these VPN-based local tools are a no-go.

lopkeny12ko 8 hours ago

How do you use this if you already have an always-on VPN enabled?

  • dilawar 8 hours ago

    You can't. It complains that some other VPN is already running.

kyleee 10 hours ago

Software worth paying for. I bought a license for a Google-free LineageOS phone that I've since moved on from, but still use as a media and general-purpose computing device.

stevenhuang 9 hours ago

  • transpute 9 hours ago

    > similar but open source

    Netguard (per HN title) is open-source GPLv3: https://github.com/M66B/NetGuard

    Rethink uses cloud services by default?

    > The [DNS] resolver is deployed to Fly.io at max.rethinkdns.com and Deno Deploy at rdns.deno.dev too, apart from the default deployment on Cloudflare Workers.

    • ignoramous 8 hours ago

      rdns dev here

      > Rethink uses cloud services by default?

      There isn't anything sinister going on here with the use of "cloud services" [0][1]. Rethink, which is geared more towards anti-censorship, has its default resolver "ip-fronted" on Cloudflare (whose IPs are seldom blocked) and it works great in countries where the app is popular.

      Users can opt to switch to any DoH, DoT, ODoH, DNSCrypt v3 resolver of their choice. In fact, we encourage users on our reddit/telegram groups to use ODoH (we also run a public-facing ODoH proxy) and DNSCrypt upstreams because of their privacy guarantees.

      [0] If anything, hosting it cost us a bomb: https://old.reddit.com/r/rethinkdns/comments/17h2y6r / https://archive.md/slpZ9

      [1] Our stub resolvers are open-source & "open deploy" (i.e. deployed straight from GitHub Actions): https://github.com/serverless-dns/serverless-dns/actions/

      • justmarc 7 hours ago

        FWIW, NetGuard's UI feels like that of an average open-source mobile app, while Rethink is a very polished experience. Well done!