Google Adds Limited Network Mode to Android 12

This is not the system-level firewall we’ve been waiting for

With the first Android 12 developer preview expected to land next month, there is still a lot we do not know about Google’s next major OS update. Digging through the Android Open Source Project (AOSP) can only reveal so much, since most of the Android 12 code base is not public. Still, evidence of new Android features does occasionally surface in AOSP, even if it is often not very exciting. The latest feature we noticed, internally called “restricted network mode”, unfortunately does not offer the configurable firewall we had hoped for, but it does have some interesting consequences.

A handful of commits merged into AOSP describe the new restricted network mode. Google has created a new firewall chain – a set of rules that the Linux iptables program follows to allow or block network traffic – to support it. When the mode is enabled via a setting, only apps that hold the CONNECTIVITY_USE_RESTRICTED_NETWORKS permission may use the network. Since that permission can only be granted to privileged system apps and/or apps signed by the OEM, network access is blocked for every app the user has installed. In practice, this means you will still receive push notifications from apps that use Firebase Cloud Messaging (FCM), because those notifications are delivered through the privileged Google Play Services app, which holds the required permission, but no other app – apart from a handful of other system apps – can send or receive data in the background.
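To make the described behaviour concrete, here is a toy model of an ordered, per-UID firewall chain with a mode switch: when the mode is off the chain is empty and everything passes; when it is on, UIDs whose packages hold the permission leave the chain early and every other UID hits a final DROP rule. This is an added example, not code from the article or from AOSP/netd; the package names, UIDs and the chain name fw_restricted are constructed, and only the permission name comes from the article.

```python
"""Toy model of a per-UID 'restricted network' firewall chain.

Added illustration, not Android's own netd or iptables code. It mimics how an
iptables chain is evaluated (rules in order, first match wins, otherwise the
default policy applies) with owner/UID matching, and shows how one mode switch
can gate all traffic except that of UIDs whose packages hold a privileged
permission.
"""
from dataclasses import dataclass, field
from typing import Optional

# Permission named in the AOSP commits; everything else below is constructed.
RESTRICTED_NETWORKS_PERMISSION = "CONNECTIVITY_USE_RESTRICTED_NETWORKS"

# Constructed sample package table: UIDs and permission sets are made up.
PACKAGES = {
    "com.google.android.gms": {"uid": 10050, "permissions": {RESTRICTED_NETWORKS_PERMISSION}},
    "com.example.mailclient": {"uid": 10200, "permissions": {"INTERNET"}},
    "com.example.game": {"uid": 10201, "permissions": {"INTERNET"}},
}

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"


@dataclass
class Rule:
    target: str
    uid: Optional[int] = None  # None matches any UID (a rule without -m owner)

    def matches(self, uid: int) -> bool:
        return self.uid is None or self.uid == uid


@dataclass
class Chain:
    name: str
    rules: list = field(default_factory=list)

    def evaluate(self, uid: int, default_policy: str = ACCEPT) -> str:
        """Walk the rules in order; the first match decides. RETURN hands the
        decision back to the caller, which here means the default policy."""
        for rule in self.rules:
            if rule.matches(uid):
                return default_policy if rule.target == RETURN else rule.target
        return default_policy


class RestrictedNetworkFirewall:
    """Rebuilds the chain whenever the mode is toggled, so the installed rules
    always reflect the current setting."""

    def __init__(self, packages):
        self.packages = packages
        self.chain = Chain("fw_restricted")  # hypothetical chain name
        self.enabled = False
        self.set_enabled(False)

    def privileged_uids(self):
        return sorted(
            p["uid"] for p in self.packages.values()
            if RESTRICTED_NETWORKS_PERMISSION in p["permissions"]
        )

    def set_enabled(self, enabled: bool) -> None:
        self.enabled = enabled
        self.chain.rules = []
        if enabled:
            # Permission holders leave the chain early; everyone else hits DROP.
            for uid in self.privileged_uids():
                self.chain.rules.append(Rule(RETURN, uid=uid))
            self.chain.rules.append(Rule(DROP))

    def verdict(self, package: str) -> str:
        return self.chain.evaluate(self.packages[package]["uid"])


def verdicts(enabled: bool) -> dict:
    """Return the per-package verdict for the given mode setting."""
    fw = RestrictedNetworkFirewall(PACKAGES)
    fw.set_enabled(enabled)
    return {name: fw.verdict(name) for name in PACKAGES}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"restricted network mode {'on' if mode else 'off'}: {verdicts(mode)}")
```

The model deliberately rebuilds the chain on every toggle rather than flipping a flag inside the rules, which mirrors how a setting change ends up as a concrete rule set in the packet filter; the user-installed packages are dropped not because they are listed anywhere, but because nothing in the chain matches them before the catch-all DROP.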

We do not know where Google will put the restricted network mode switch in Android 12. We know it can be toggled at runtime and queried programmatically with a shell command, just like Android’s Data Saver feature, but we do not know whether Google intends to let users build their own allow/block list of apps. It would be great if Google added a user-facing settings page to restrict internet access per app, so users no longer have to rely on apps like NetGuard that use Android’s VPN API; there is nothing wrong with how these apps work, but they can rarely prevent themselves from being killed by badly behaved OEM software.
