+4 votes
96 views
in Tips & Tricks by (242k points)
reopened
Firewall for Android: Control data streams

1 Answer

+5 votes
by (1.6m points)
 
Best answer

Almost everyone uses a firewall on PCs. But on Android? There, too, unwanted data streams can occur - especially there!

What does an Android firewall actually do? Is it worth it? And how does it even work? We show what is possible, what is not and what you need for it. You will also see step by step how to use the free NetGuard app - no root access is required!

What is the firewall doing?

A firewall is a matter of course on a Windows computer. Either Windows' own variant is running or the firewall component of an installed security suite. The purpose of such a firewall is to block unwanted access to and from the Internet. Originally, firewalls were primarily intended to protect against external threats, but now end-user firewalls primarily protect against data leakage - especially on smartphones.

Perhaps you remember firewalls from earlier days as that annoying software that asks every few minutes whether this or that should be allowed. Nowadays you are rarely bothered with such inquiries. And on Android, the whole thing works a little differently anyway, so that you have nothing to do with the protection in everyday practice. In short: you just specify which apps can and cannot access the Internet - plus a little more, but more on that later.

A firewall on the smartphone is quite a useful thing, not a nuisance; it is available for free and even runs on non-rooted devices. In the video, c't editor Ronald Eikenberg explains how the firewall enables you to control Android apps.

[Image: Internet access for apps can be controlled with a firewall.]

Requirements

Probably the best-known Android firewall is AFWall+. It uses "iptables", which is common in Linux, and allows a lot of detailed settings. As with many tools, especially from the security area, a rooted Android is necessary for this. If that doesn't mean anything to you: "rooting" means configuring the smartphone so that you get admin rights (root). It is comparable to being asked under Windows, after starting a program, whether you want to run it with admin rights. Depending on the model, rooting is somewhat time-consuming to extremely complicated - and brings with it new security risks. For normal consumers, this is simply not an option that is suitable for everyday use.

Among the few no-root firewalls, as they are often called, NetGuard is arguably the best solution. There are only two prerequisites, which should be met in most cases: Android must be running version 5 or later, and the smartphone must not be constantly connected via a virtual private network (VPN). NetGuard uses a VPN itself, and Android does not allow multiple VPNs at the same time.

Use NetGuard

Install NetGuard

The good thing about NetGuard: it's an open source app, so it is free and the source code is open. And as it should be, you can get NetGuard via GitHub or, more conveniently, via F-Droid. But: NetGuard also offers some in-app purchases for additional functions, and these work exclusively in the NetGuard version from Google Play. To get all the additional functions, you have to pay 8.99 euros - but most of it is only for convenience. The Pro function "Filter network traffic", for around 4 euros, is really useful. With it, not only entire apps but also individual Internet addresses can be blocked. An app could still have the "desired" Internet access, but could no longer contact an advertising server or phone home, for example. The money is well invested, but on the one hand the Pro configuration involves some effort, which is not so easy to manage, at least for laypeople. On the other hand, NetGuard is already very useful without it: to monitor which apps are actually establishing connections and to completely withdraw online access from offline apps.

As already mentioned, NetGuard uses a VPN. This means that all Internet traffic is routed through NetGuard's internal VPN - this is the only way a firewall without root seems possible. To Android it will later look as if NetGuard is eating up huge amounts of power and bandwidth - but it is not! It is still the apps themselves that need their resources, so don't worry if NetGuard shows obscurely high values.

The installation of NetGuard is very simple at first: install as usual via Google Play or F-Droid. When starting NetGuard for the first time, you must do two things: First, you must - of course - grant extensive rights. Second, NetGuard would like you to switch off the power saving functions for NetGuard. Open the settings linked in the note, select "All apps" at the top, tap on NetGuard in the app list and deactivate the function. The main screen then greets you with all sorts of information boxes. Once you close them all, NetGuard is ready to go to work.

[Image: Before rights are checked, NetGuard first needs some itself.]

Use NetGuard

First, switch NetGuard on using the button in the top left. However, NetGuard is still doing nothing. You can use two modes: With blacklisting (standard) everything is allowed - so you have to block apps first. In the settings, under "Standard settings", you can deactivate all data traffic via WLAN and/or cellular network - and then allow individual apps. To warm up, you should first play around with the normal whitelisting mode and generally without any further settings.

The main screen shows you a list of installed apps, even those without the "Internet access" authorization. Why? Apps can communicate via other (system) apps; notifications run, for example, through a Google application. You can block cellular and WiFi data directly in the list using the two icons on each app. If you tap on an app, you get further options: here you can lift the block when the screen is switched on, so that apps at least do not phone home from your pocket or handbag. (Unfortunately, exceptions for apps in the foreground are technically not possible.) In the event that you are in roaming mode, an additional block can be set. Then there is the exception for "restricted access mode": this mode can be activated directly in the app menu and simply blocks everything - perfect for temporarily "data muting" the smartphone completely or for saving battery.

[Image: You can set exceptions for individual apps.]

Tip: You will find the "Configure" button under "Access attempts" for every app. However, these are global settings: you can activate the logging of allowed/blocked addresses here. Although this costs electricity and may slow things down a little, it provides a lot of interesting information that can help with the configuration. You can then see for each app which addresses have been accessed at all. With the pro feature "Filter network traffic" mentioned above, you can decide at this point which of these addresses should be blocked and which should be allowed. If the media app Plex contacts a Facebook address, for example, one could assume that this is not necessary to watch a film on the home NAS ... If you were to block Plex completely, the app would no longer work because an online Plex account is used for the connection.

[Image: Unfortunately, there is a fee: Allow "good" IPs, block "bad" IPs.]

Work in progress ...

Firewalls are not one-click security solutions; they have to be configured piece by piece, even if only apps, not individual IPs, are filtered. NetGuard offers many options and we can only recommend clicking through the menus completely. Under "Advanced options" you can, for example, activate the display of system apps. Then, for example, the following possibility would open up: you could look up which of the many, many Google services on the smartphone are necessary for Google Play to work and deactivate all other Google applications. NetGuard can take a long time, but it's also worth it.

And therefore a final tip: You can import and export your settings under "Settings / Backup", so you do not have to set up each smartphone or tablet separately.

[Image: The pro functions such as the IP protocol can be obtained individually.]

...
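
The log review described in the tip above (seeing which addresses each app contacted and deciding what to block, as in the Plex example) can be done systematically once the entries are written down. The following Python sketch is an added example, not part of the original answer and not NetGuard code; the record layout, the app names and the `EXPECTED` table are assumptions made for illustration, and the sample entries are constructed.

```python
from collections import defaultdict

# Constructed sample records (app, destination host, allowed). This is NOT
# NetGuard's export format, only the fields an access log view would show.
SAMPLE_LOG = [
    ("Plex", "plex.tv", True),
    ("Plex", "app.plex.tv", True),
    ("Plex", "graph.facebook.com", True),
    ("Plex", "plex.tv.tracker.example", True),  # look-alike: suffix after the domain
    ("Plex", "notplex.tv", True),               # look-alike: no label boundary
    ("Notes", "ads.adnetwork.example", True),
    ("Notes", "ads.adnetwork.example", False),
]

# Assumption: domains each app legitimately needs, maintained by the reviewer.
# An app with an empty set is treated as offline-only.
EXPECTED = {"Plex": {"plex.tv"}, "Notes": set()}


def host_in_domain(host, domain):
    """True only for the domain itself or a real subdomain (label boundary)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def review(log, expected):
    """Return {app: sorted hosts} that were allowed but are not expected."""
    findings = defaultdict(set)
    for app, host, allowed in log:
        if not allowed:
            continue  # already blocked, nothing left to decide
        if not any(host_in_domain(host, d) for d in expected.get(app, ())):
            findings[app].add(host.lower().rstrip("."))
    return {app: sorted(hosts) for app, hosts in findings.items()}


if __name__ == "__main__":
    for app, hosts in review(SAMPLE_LOG, EXPECTED).items():
        print(f"{app}: consider blocking {', '.join(hosts)}")
```

Matching on a label boundary matters here: a plain substring or suffix check would accept `notplex.tv` and `plex.tv.tracker.example` as belonging to Plex.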