NetGuard Gives You Back Control Over Apps’ Internet Access, Without Root!

We may earn a commission for purchases made using our links.

One of the changes introduced with Android Lollipop (5.0) was the removal of the dedicated Internet permission on Android. At the time, there was some attention drawn to the changes, but users were still free to use root access to install a firewall, and block individual apps.

Obviously, this wasn’t much help for those not wanting to root, but that was the way things were. Since then, however, Marshmallow looks set to make life much harder for rooted users.

XDA Recognized Developer, M66B, known for his work on the highly popular open source privacy protection tool XPrivacy, has now created a no-root-required application to give you back control over which of your apps may access the internet. Using his latest application, you can selectively block applications from having internet access on your device. This puts you, the user, back in control of which apps may access the internet, and allows you to decide for yourself what actually needs access to the internet.

This kind of lateral thinking is what we desperately need more of, as root is going to be more complex with Marshmallow

NetGuard for Android is a no-root firewall solution for Android, offering control over which apps may access the internet, without causing any breakage of apps (short of them thinking your internet connection isn’t very good!). NetGuard offers control over both WiFi and cellular data networks separately, also potentially making it useful for taming unruly apps that munch rapidly through a (capped) cellular data package.

NetGuard offers a simple user interface, where you can easily block or allow an application access to a particular type of network. A green icon indicates that an app is allowed access, and an orange/red icon indicates that it is blocked. It’s not hugely configurable, but that’s perhaps a blessing – it took me about 2 minutes to install NetGuard, and get it working. Just remember to toggle the orange switch in the top bar to the “on” position (to the right) to enable the firewall itself.

In a future of less root, this kind of innovation can only be a good thing in making it easier for users to customise their devices

Once you have enabled the firewall, M66B has gone to great effort to ensure that it doesn’t cause any battery drain, or affect device performance. Indeed, as the app uses the VPN API internally (don’t worry, it has no internet access, and the source is fully available), it’s pretty versatile – it supports IPv4 and IPv6, and both TCP and UDP protocols. What makes NetGuard stand out from other no-root firewalls is that it has been designed to be as minimal as possible, carrying out as little traffic handling as the developer could get away with.

By not implementing handling for the actual messages, it is possible for much better battery life, compared to firewalls which have to implement and decode TCP packets on-the-fly, even while the device is asleep. Instead, NetGuard uses the VPN API to “sinkhole” traffic from certain applications, since Android allows for certain applications’ traffic to be “forced” through the VPN. The VPN then simply discards all packets, giving you a way to control data egress from your phone on a per-app basis.

What is interesting here is the approach taken by the developer – I worked with him on designing the initial concept, as the idea of an open-source root-free firewall was something I thought was great. We initially discussed the idea of blocking IP addresses and similar, and he even carried out experiments to look at how to implement TCP efficiently in a Java service, to handle packets, and made a working proof of concept.

“NetGuard is interesting as it could be the start of a movement to bring about innovative solutions to problems which conventionally required root” During this process though, we found that in order to differentiate between traffic from different apps, it was necessary to make use of undocumented access to files on the kernel’s “proc” filesystem, to translate processes into application UIDs. This access could easily be blocked in future versions of Android by SELinux, and may well even be blocked in some more security-oriented devices – we can’t be sure without testing them all!

Either way, it was this stumbling block which led to the discovery of the VPN API giving control over application access, which led to NetGuard, as seen today.

While there have been other open-source firewalls available for Android, including the iptables-based AFWall+, these typically required root access. With the challenges of getting (and keeping) root on more recent devices, it’s clear there is a growing number of users willing to forego root on Marshmallow, and try to live without root. It is for this reason that NetGuard is potentially most interesting; it could be the start of a movement to bring about innovative solutions to problems which conventionally required root. In a future of less root, this kind of innovation can only be a good thing in making it easier for users to customise their devices. On a personal note as well, I think this kind of lateral thinking is what we desperately need more of – root is going to be more complex with Marshmallow, and many users are less keen to root their device, yet still want customisations and features. Maybe it’s time to take a look at some root-only feature, and think outside the box a bit, and see if there’s an innovative way to get around that, and make it possible on a stock, unmodified device?

What other non-root solutions do you wish existed? Let us know below!