Android Question Is a firewall good enough?

JohnC

I have a question for anyone who really understands how Android works at a low level...

I use a firewall app to prevent certain apps from "calling home" on my device because the firewall should be blocking any *direct* outgoing connections an app attempts to make from my phone.

But are there other ways an app can send data "out" of the phone even though a firewall is blocking it from accessing the internet?

For example, is it possible for an app to use certain Google services to send data out of the phone by calling a Play Services API (like Firebase messaging or analytics) and send data to some external server because the firewall is not blocking the Play Services framework?

I am interested in hearing any ways you can think of on how to send data even when the app itself is blocked by a firewall on the device.
 

Sandman

> I have a question for anyone who really understands how android works at a low-level
That's not me, sorry. But I did get curious and wondered if you could briefly explain why it is so important to stop these apps from communicating with the outside?
 

Num3

> For example, is it possible for an app to use certain google services to send data out of the phone by calling a play services API (like firebase messaging or analytics) and send data to some external server because the firewall is not blocking the play services framework?

That is a possible attack vector, but probably goes against Google policies.
Anyway, any app that is allowed to communicate "outside" of the local LAN can send data out (the supposed kind or the other type). No firewall or proxy can block that.
The only way to prevent it is by disabling internet connectivity. No net, no data :p
 

MikeSW17

Apps that are designed to communicate over the internet obviously won't function at all/only partially, if blocked.
Apps that are designed to be stand-alone won't try to communicate.
That leaves the question of "Why does one want to block some apps?"
If they're Apps you've written, obviously you code them without communication features.
If they're other people's apps, what is the intent to circumvent some feature(s) of those apps?
 

JohnC

OK, here are two examples of why I use a firewall to block certain apps:

1) I don't want my photos being uploaded to Google's cloud and categorized, indexed and possibly made accessible to unwanted eyes either through some "feature" being accidentally turned on or via a hack.

So, I turn off the "Sync Photos" feature in Google Photos. But on more than one occasion I have caught Google apps mysteriously "turn on" features that I specifically turned off (especially in Google Messages).

Yes, I can simply freeze or uninstall Google Photos, but since it is tightly integrated with the camera app on my phone, that is not an option.

So, I simply block internet to the Photos app - making it impossible for the app to "sync" any photos to the cloud - Problem solved.

2) I bought a cool $50 smartwatch on Amazon (I'd rather accidentally scratch up a $50 watch than a $300 Samsung watch) that does what I need: Measures heart rate, steps, displays notifications, tells me who's calling - all while my phone is in my pocket. It uses a "companion" app on my phone to do these things, but the developer of this companion app is not a well-known company.

But in order to display the name of who's calling me, the companion app needs access to my contacts lists, and to display notifications or SMS messages, it needs access to my notifications and SMS messages - all of which contain sensitive data that I don't want to be uploaded from my device.

I have no problem giving an app access to private data as long as that data doesn't leave the app - using a firewall helps make sure it doesn't.

And even though this companion app needs internet access to download new watch "faces", when I want to download a new watch face, I simply revoke the contacts, SMS, notifications permissions and enable the app in the firewall for the 1-2 minutes needed to download the watch face, then return the permissions so the app can run properly.

When using a firewall, you no longer have to "trust" that an app is not uploading your data - I simply sandbox it so it can't.

Basically, any app that doesn't specifically need internet access, like a weather app or a browser, I block with the firewall.

Surprisingly, most apps whose main function does not need internet access will run fine without it.

Other apps I block:

Gboard - so anything in my clipboard (like passwords) is not sent back to Google servers as metadata "to help improve gboard".
Games - as a bonus, most games (not all) will not display ads if they don't have internet access.

I hope this helps clear up why I use a firewall.
 

Sandman

> I hope this helps clear up why I use a firewall.
Very much so, thanks. It seems this is for your personal phone more than something you're developing? In that case I imagine you might have better luck if you install an Android fork where people have spent a lot of effort in prying away Google's tight grip on the phone. (Or perhaps PostmarketOS, but that might not work with the apps you prefer.)
 