Android exposes a soft VPN API that firewall apps can use to block network traffic for certain apps in certain scenarios (say, no Google Play updates when on mobile data) with apps like Netguard [1].

Does iOS not expose such functionality? Surely there's some kind of VPN API?

[1]: https://github.com/M66B/NetGuard

> Android exposes a soft VPN API that firewall apps can use to block network traffic for certain apps in certain scenarios (say, no Google Play updates when on mobile data) with apps like Netguard.

I worked on AOSP for longer than I care to admit. This is mostly an illusion. System apps (like Google Play) can pretty much do whatever the heck it is that they want to. NetGuard, sure, "firewalls" it... but it wouldn't even know if a system app bypassed its tunnel. For installed apps, NetGuard is golden (as long as NetGuard itself doesn't leak).

disclosure: I co-develop a FOSS NetGuard alternative (and yes, this alternative has similar limitations).

Interesting, and disappointing. Do you happen to know what mechanism is used to bypass the VPN configuration?

I'm using my VPN as a Pihole tunnel and I don't notice any extra logs or requests when I turn off the VPN, but I may just be lucky. I did purge a lot of preinstalled Facebook crap…

It isn't that System Apps actively bypass the VPN tunnel, but they can if they want to, on-demand [0]. That is, System Apps retain the ability to bind to any network interface. Whether they do so, is anyone's guess.

For installed apps, there's no such respite, iff one enables 'Block connections without VPN' (the VPN lockdown mode) on Android 10+ (but NetGuard doesn't support it). This means in the times when NetGuard crashes or restarts (which it does on network changes, for example, or even on screen-off/screen-on, from what I recall), there's a chance the traffic flows through underlying interfaces rather than the tunnel (because the tunnel simply doesn't exist in the interim).

Datura (ebpf based) on CalyxOS and AfWall+ on any rooted Android can block out everything it pleases, though.

I don't mean to downplay NetGuard, because the codebase has evolved in response to years of addressing flaky networks, flawed apps, buggy Android forks. Marcel, the lead developer, has put his life's work into it and gave it away for free. The app I co-develop is, in fact, inspired from his efforts.

[0] https://github.com/celzero/rethink-app/issues/224

I see, thank you for explaining! Good to know that rooting your phone still has some benefits. I wouldn't have thought that there's such an easy bypass for system apps, but I suppose it makes sense for some modem/carrier apps to specify an interface.

I absolutely love Netguard even though I don't really use a firewall in practice (I was sort of hoping a permanent VPN with some "real" traffic meddling would be enough to block most violations of my privacy). It's the one rootless firewall that actually just works on practically any device you can think of, among a sea of broken/scammy firewalls that fail all kinds of edge cases.

> It's the one rootless firewall that actually just works on practically any device you can think of, among a sea of broken/scammy firewalls that fail all kinds of edge cases.

You should try the one I am building (: Promise, no scams in that one: https://f-droid.org/packages/com.celzero.bravedns/

Android has app system level options in the settings to disable WiFi/mobile data.

I tend to use that, and use Netguard as a fallback because the latter has an off by default config incase I forget to disable it for new apps.

Netguard on its own is insufficient because sometimes you'd need to use an actual VPN (which turns off Netguard)

I've had those options on multiple OnePlus phones, but they were not present on multiple Pixels. Since Pixels are usually sold as "AOSP experience with Google flavor" are lacking this feature - I am not sure if that is that feature comes from AOSP or is only present on OnePlus phones.

I've generally found them on most Android phones, but they're all over the place in the settings. On my current phone they're not in permissions, or connections, or internet setup, or security, but they're in the app details screen.

I've also seen the toggles placed in the data usage graph, the other, older data usage graph you can sometimes find via a workaround, and in a separate app that pretends to be one of those system storage optimizers.

I'm sure Android supports it at the system level but how you get to those settings is anyone's guess, really.

iOS has APIs for VPNs and “content blockers”. But as far as I know, such a filter has no access to know which process/application is trying to make a connection. Little Snitch on macOS has to install code into kernel space. (Or at least it used to; I have not reinstalled in a long time.)

The Android app you link to seems to have the functionality I think should exist as a built-in. It needs to be built-in so that non-geeks can use it.

Just as users are asked the first time an application attempts to use the microphone and are able to prevent it before it starts, they should be able to limit network access and revoke it at any time.

(I don’t think users should be necessarily be forced to approve Internet access for every app install. Just make it possible to revoke in the global Settings widget and encourage users to think about personal data and Internet access being mutually exclusive.)