
Posted by transpute 10/24/2024

NetGuard – rootless Android outbound per-app OSS firewall, like LittleSnitch (netguard.me)
253 points | 136 comments (page 2)
microflash 10/24/2024|
Is there something like this for iOS? I know Adguard but it is not open source.
transpute 10/24/2024||
Lockdown claims to be open-source. Their appstore client has paid mode for per-app blocklists. I don't know if they support per-app allow lists.

https://github.com/confirmedcode/Lockdown-iOS

alibert 10/24/2024|||
Something already included in iOS is the App Privacy Report feature.

https://support.apple.com/en-us/102188

halfcat 10/24/2024||
This doesn’t seem to show any site I browse in the DuckDuckGo app, which raises the question, if DDG can hide connections it makes from showing in privacy report, can any (more nefarious) app do the same?
zuhsetaqi 10/24/2024|||
Something similar would be Proxyman: https://apps.apple.com/de/app/proxyman-network-debug-tool/id...

But it’s more designed to be a debug tool than to block traffic from specific apps

quaff 10/24/2024|||
https://github.com/AdguardTeam/AdguardForiOS

I am pretty sure it is open source. I’ve been using it for years both for upstream DNS and blocklist filtering.

microflash 10/24/2024||
Huh, didn’t know about the repo. Thanks for posting it here.
radicality 10/24/2024|||
Isn’t AdGuard just DNS protection (and a Safari extension)? Afaik something like this isn’t easily doable on iOS. Some options are:

* Shadowrocket - you can set complex rules on what hosts/connections should be routed by what, but afaik you are not able to isolate traffic on a per-app basis.

* I think you can set up per-app VPN on iOS, but you must use MDM, can’t do it on an unmanaged profile. Link: https://support.apple.com/guide/deployment/vpn-overview-depa...

transpute 10/24/2024||
> per-app VPN on iOS, but you must use MDM

Yet iOS allows Safari per-site VPN without enterprise MDM, via Apple Configurator profile.

varenc 10/24/2024|||
The APIs to implement traffic policies on a per-app basis just don’t exist on iOS. You can create a VPN connection and have an app manage all network traffic that way, but you can’t associate traffic with specific apps since this would run afoul of their sandbox. At least without jailbreaking.
newscracker 10/24/2024|||
I came here to ask a similar question, looking for alternatives to Lockdown Privacy on iOS/iPadOS. [1] I've been using Lockdown for some years as a local and system firewall to block trackers across all apps, but this company got sold a few years ago and has since been annoyingly and frequently pushing for its paid subscription. It also moved some free blocking lists to the paid subscription.

Any alternatives to Lockdown on iOS/iPadOS would be nice to know about.

[1]: https://lockdownprivacy.com/

saagarjha 10/24/2024||
Only in China I believe.
udev4096 10/24/2024||
Afaik, this requires an active VPN connection. With GrapheneOS, there is a network toggle which disables the INTERNET access to any individual app so it doesn't make sense to use NetGuard
str3wer 10/24/2024||
> it doesn't make sense to use NetGuard

unless you use any other phone that is not a google pixel running GrapheneOS

palata 10/24/2024|||
Which is literally the meaning of "With GrapheneOS, [...] it doesn't make sense to use NetGuard", isn't it?
notpushkin 10/24/2024|||
LineageOS has this too, and it’s available on a fair bit of non-Pixel phones.
udev4096 10/24/2024||
LineageOS doesn't really cut off the INTERNET access properly. Graphene's approach is more robust. I still wonder why such an important feature is not in the AOSP itself
notpushkin 10/24/2024|||
Hmm, I haven’t looked much into it, but I assumed they both expose the same mechanism from AOSP?
udev4096 10/24/2024||
https://grapheneos.org/faq#firewall
aucisson_masque 10/24/2024|||
> still wonder why such an important feature is not in the AOSP itself

Really? Remind yourself who works on Android. Google has been removing functionality that benefits privacy forever, and then putting half-baked alternatives buried under tons of settings.

udev4096 10/24/2024||
I am well aware of that. AOSP still has quite a lot of contributors outside of Google.
immibis 10/24/2024||
Which company decides which contributions get accepted?
wanderingmind 10/24/2024|||
It can do other things. It can monitor network traffic and block ads within apps through multiple hosts files. Also, having a single app to toggle is more UX friendly than toggling multiple apps' network access.
udev4096 10/24/2024||
Running Pi-hole as your home DNS is far more feasible for blocking ads and other intrusive requests. The UX perspective is a valid point.
prmoustache 10/24/2024||
But that ties you down to connecting to a vpn every single time you leave home.
udev4096 10/24/2024||
You can have a remote instance of Pi-hole, normally by renting a cheap VPS.
attendant3446 10/24/2024|||
NetGuard allows you to block specific hosts. I use it on GrapheneOS for monitoring and selective host blocking.
saint_yossarian 10/24/2024||
I use NetGuard on GrapheneOS to block mobile data for certain apps.
brinerustle 10/28/2024||
I am very happy with IodéOS (a privacy-focused OS based on Lineage) as it has a per-app firewall and adblocker built into the OS. A major drawback of "stock Android" is that Google itself has elevated privileges, which is a strong argument for degoogling Android at the OS level. Until recently, it has been pretty difficult to find a degoogled OS for a given device (less than 1%), but now with GSIs it's getting better: https://blog.iode.tech/what-are-gsis-and-how-to-install-them...
achristmascarl 10/24/2024||
After seeing the post[0] yesterday about how much surveillance can be done using mobile app data that can be bought online by pretty much anyone... I am very happy to learn about NetGuard today.

[0] https://news.ycombinator.com/item?id=41923931

willywanker 10/31/2024||
Better off disabling advertising components, which of course needs root. There are tools like AppManager for that - https://github.com/MuntashirAkon/AppManager/
user070223 10/24/2024||
Don't forget to periodically update the hosts file: Settings -> Backup -> Download hosts file.

The creator also made XPrivacyLua (hooks Android API system calls to block permissions).

kyleee 10/24/2024||
Software worth paying for. I bought a license for a Google-free LineageOS phone that I’ve since moved on from, but still use as a media and general purpose computing device.
sheerun 10/24/2024||
LineageOS is fine for me, I just wish I could restrict connections to some IP ranges somehow, like allowing only 10.x.x.x in/out connections from a given app at the OS level.
stevenhuang 10/24/2024||
Similar but open source: https://github.com/celzero/rethink-app
transpute 10/24/2024||
> similar but open source

Netguard (per HN title) is open-source GPLv3: https://github.com/M66B/NetGuard

Rethink uses cloud services by default?

  The [DNS] resolver is deployed to Fly.io at max.rethinkdns.com 
  and Deno Deploy at rdns.deno.dev too, 
  apart from the default deployment on Cloudflare Workers.
ignoramous 10/24/2024|||
rdns dev here

> Rethink uses cloud services by default?

There isn't anything sinister going on here with the use of "cloud services" [0][1]. Rethink, which is geared more towards anti-censorship, has its default resolver "ip-fronted" on Cloudflare (whose IPs are seldom blocked) and it works great in countries where the app is popular.

Users can opt to switch to any DoH, DoT, ODoH, DNSCrypt v3 resolver of their choice. In fact, we encourage users on our reddit/telegram groups to use ODoH (we also run a public-facing ODoH proxy) and DNSCrypt upstreams because of their privacy guarantees.

[0] If anything, hosting it cost us a bomb: https://old.reddit.com/r/rethinkdns/comments/17h2y6r / https://archive.md/slpZ9

[1] Our stub resolvers are open-source & "open deploy" (ie deploy straight from github actions): https://github.com/serverless-dns/serverless-dns/actions/

justmarc 10/24/2024|||
FWIW, Netguard's UI feels like one of an average opensource mobile app, while Rethink is a very polished experience. Well done!
miroljub 10/24/2024|||
> rdns dev here

I have a question for you about RethinkDNS:

Can you point me to the link of one thread or question about NetGuard on some major internet forum like HN, Reddit or similar, where you or other RethinkDNS devs did not jump in and hijack the thread? Only one example, please?

Your spammy marketing tactics of spamming make your product look like a scam, and I don't even have a desire to test it.

Also, why do you keep comparing an on-device firewall like NetGuard with a cloud-first solution like RethinkDNS?

ignoramous 10/24/2024||
> hijacked the thread

I (try and) mostly only respond to subthreads that mention Rethink.

> why do you keep comparing an on-device firewall like NetGuard with a cloud-first solution like RethinkDNS

Rethink isn't cloud-first.

> where you or other RethinkDNS devs

There are two of us. The other one isn't on HN, or Reddit, or any other forum.

> spammy marketing tactics of spamming make your product look like a scam

I'm sorry you think that.

stevenhuang 10/24/2024|||
Right, I saw their pro features listed and skipped over the oss mention.

Yes, Rethink uses the public Fly resolver by default, but you can self-host that as well. Apologies, that's something I should have mentioned.

https://github.com/serverless-dns/serverless-dns

orbisvicis 10/25/2024||
I tried Rethink for the day.

I had previously set Android's private DNS to dns.adguard-dns.com, which didn't block anything.

Rethink's battery usage is 15 - 20% on my pixel in logging mode.

It definitely works, but I can't seem to associate blocked requests with apps, which renders it far less useful.

Overall I think it's a very busy UI.

You definitely want to exclude Firefox with uBO as elsewise Firefox behaves as though the network is down, whereas with uBO you can interactively choose to proceed.

I see there is an option to download the block lists locally. Does that mean it no longer uses DNS blocking? I see it described as a DNS blocker but it requires a VPN.

Anyway, off to try AdAway next.

ignoramous 10/28/2024||
> Rethink's battery usage is 15 - 20% on my pixel in logging mode.

This is unusually high. It doesn't cross 3% on my Android, but I'm using a version (v055o) that's yet to launch (but will in a week or so).

If you only need DNS based blocking, tap on the down-arrow next to the STOP/START button and choose DNS-only mode. That should bring down battery use to 1% or so.

> but I can't seem to associate blocked requests with apps, which renders it far less useful.

Rethink most definitely can. Make sure to turn OFF Private DNS (instead of setting it to Opportunistic or Automatic).

Ex A: https://mastodon.social/@tuxicoman@social.jesuislibre.net/11...

Ex B: https://mastodon.social/@33dBm@lazysocial.de/112051004405969...

> ...download the block lists locally. Does that mean it no longer uses DNS blocking

If you download the blocklists locally, then you can set those on your device, and use any DNS upstream (DoH/DoT/DNS53/DNSCrypt/ODoH) and the rules should be applied, regardless.
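The thread keeps coming back to hosts-file blocklists: NetGuard's downloadable hosts file, AdAway, and Rethink's offline blocklists that apply whatever DNS upstream is in use. The matcher below is an added example (not code from NetGuard, Rethink or any other project named here) of how such a list is parsed and applied to a DNS query name; the sample list is constructed, and the optional subdomain matching is an assumption about app behaviour rather than what the hosts format itself defines.

```python
"""Hosts-file blocklist matcher (added example, not NetGuard/Rethink code).

A hosts-style blocklist sinkholes names by mapping them to 0.0.0.0 or
127.0.0.1. An on-device filter that checks DNS query names against the
list locally can block before any upstream (DoH/DoT/DNS53/...) is asked,
which is why the rules apply regardless of the resolver chosen.
"""
import ipaddress

# Constructed sample blocklist in hosts format (not a real list).
SAMPLE_HOSTS = """\
# comment line
0.0.0.0 ads.example
127.0.0.1 tracker.example   # trailing comment
::1 localhost
203.0.113.10 www.example
0.0.0.0 metrics.cdn.example
"""

def parse_hosts(text):
    """Return the set of names the list sinkholes.
    Only entries pointing at an unspecified or loopback address count
    as blocks; ordinary name-to-address entries are ignored."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments/whitespace
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        if not (addr.is_unspecified or addr.is_loopback):
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name not in ("localhost", "localhost.localdomain"):
                blocked.add(name)
    return blocked

def is_blocked(qname, blocked, match_subdomains=True):
    """True if a DNS query name hits the list. A plain hosts file matches
    exact names only; match_subdomains=True is an assumed extension so
    that sub.ads.example also hits the ads.example rule."""
    name = qname.lower().rstrip(".")
    if name in blocked:
        return True
    if not match_subdomains:
        return False
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(1, len(labels)))
```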

calvinmorrison 10/24/2024|
NetGuard is amazing. What's disgusting is that Android has so many permission controls EXCEPT network access! It's insane, and it's because it's just a data vacuuming device.