It’s not the system-level firewall we’ve been waiting for
With the first Android 12 Developer Preview expected to launch next month, there is still a lot we don't know about the next major update to Google's operating system. Digging through the Android Open Source Project can only reveal so much, since most of the Android 12 code base is not yet public. Still, we occasionally spot evidence of new Android features in AOSP, even if they are generally not very interesting. The latest feature we found, internally called "restricted network mode", unfortunately does not provide the configurable firewall we were hoping for, but it does have some interesting implications.
A handful of commits merged into AOSP describe the new restricted network mode feature. Google has created a new firewall chain (a set of rules that the Linux iptables utility follows to allow or block network traffic) to support restricted network mode. When this mode is enabled through a configuration setting, only applications holding the CONNECTIVITY_USE_RESTRICTED_NETWORKS permission are allowed to use the network. Since this permission can only be granted to privileged system applications and/or applications signed by the OEM, network access is effectively blocked for every application installed by the user. In practice this means you will still receive push notifications from applications that use Firebase Cloud Messaging (FCM), because those notifications are relayed through the privileged Google Play Services application, which holds the necessary permission, but no other applications, apart from certain other system applications, can send or receive data in the background.
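To make the gating behaviour concrete, here is an added model (not AOSP code) of how an iptables-style allow-list chain decides per-UID: the chain name, the set of UIDs treated as holding the permission, and the sample UIDs are all constructed assumptions.

```python
"""Model of an Android-style restricted-network firewall chain.

Added illustration, not AOSP code. It mimics how an iptables chain built
from uid-owner matches gates traffic: first matching rule wins, RETURN lets
the packet continue to the calling chain, DROP discards it.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"


@dataclass
class Rule:
    uid: Optional[int]  # None matches any UID (a rule without --uid-owner)
    target: str


@dataclass
class Chain:
    name: str
    rules: List[Rule] = field(default_factory=list)


def build_restricted_chain(privileged_uids: Set[int]) -> Chain:
    """Allow-list chain: RETURN for UIDs holding the permission, DROP the rest."""
    chain = Chain("fw_restricted_hypothetical")  # constructed chain name
    for uid in sorted(privileged_uids):
        chain.rules.append(Rule(uid, RETURN))
    chain.rules.append(Rule(None, DROP))  # catch-all: everything else blocked
    return chain


def evaluate(chain: Chain, uid: int) -> str:
    """Walk the chain top-down like iptables; the first matching rule decides."""
    for rule in chain.rules:
        if rule.uid is None or rule.uid == uid:
            return rule.target
    return RETURN  # nothing matched: fall through to the calling chain


def packet_allowed(uid: int, mode_enabled: bool, privileged_uids: Set[int]) -> bool:
    """When the mode is off the chain is not consulted and traffic passes."""
    if not mode_enabled:
        return True
    return evaluate(build_restricted_chain(privileged_uids), uid) != DROP


# Constructed sample UIDs: one privileged system app, one user-installed app.
PRIVILEGED = {10010}
USER_APP = 10123
```

Run `packet_allowed(USER_APP, True, PRIVILEGED)` to see a user-installed app blocked while the privileged UID still passes, and flip the mode off to see everything pass again.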
We are not sure where Google will surface a toggle for restricted network mode in Android 12. We know that it can be toggled at run time and queried programmatically through a shell command, much like Android's Data Saver feature, but we don't know whether Google plans to let users build their own per-app allow list or block list. It would be huge if Google added a user-facing settings page to restrict Internet access per application, so that users no longer have to rely on applications like NetGuard that use the Android VPN API; there is nothing wrong with the way these applications operate, but there is little that prevents them from being killed off by badly behaved OEM software.