This is great but too big of a hammer for most use cases. What I really want is a per-application firewall.
For example, say I would like to install a photo editing application. It would need access to my photos. That is fine, so long as it is not allowed to connect to the Internet (or any other network). There is currently no way to ensure this.
> This is great but too big of a hammer for most use cases.
This is not in any way intended for most use-cases, it's very clearly intended for a single, specific, uncommon use-case. The press release says as much more than once.
I guess my point is that instead of making a special mode that is only useful for a minority of users, it would have been really nice to get a feature that everybody should be thinking about and using.
Different people who specialize in different aspects of security can be working on different things at the same time; and contrariwise, experts have comparative advantages and would be mostly wasting their time working outside their nich.
In other words: there's no "instead" here, any more than there's an "instead" between e.g. UI work and backend server work. Different people, different competencies, concurrent capacity.
Every time I have allocated labor on a software project, I was mostly playing a zero-sum game. I am surprised to learn that Apple does not have such problems.
Regardless, I was just lamenting that we don't (yet) have a feature that should be table stakes at this point.
Agreed. I wish iOS had a "network access" permissions just like Android does. (Though to avoid permission fatigue for the average user, perhaps make it something only users that care can deny)
That said, I think this is pretty unrelated to protecting yourself from nation state actors. Mercenary spyware (like NSO) doesn't use a legitimate app store app as their initial infection point. I can think of many reasons for this: difficulty getting target to install it, app store approvals, leaking their 0days, leaving more of a paper trail, and avoiding scrutiny in general, etc. I'd of course love this feature for my own data privacy of course.
It's not exposed in the UI, but if you really care, you can just create yourself a configuration profile that disables various per-app permissions (including network access, per-domain/per-IP/per-certificate) on a fairly fine-grained basis. MDM yourself.
> (Though to avoid permission fatigue for the average user, perhaps make it something only users that care can deny)
Yeah, I would not want to have to approve every app. What I would like is a machine readable description of the app's capabilities to include Internet access, just as is required for access to the microphone or photos. This would encourage app developers to advertise to users that they don't need such capability and encourage users to realize that privacy and Internet access are mutually exclusive.
There are many small apps I simply will not buy/install (e.g., apps for editing photos or contacts or calendars) because they cannot be trusted. Even if you trust the developer, the developers are often embedding third party analytics libraries that cannot be trusted.
I'd go a step further, and say per-application virtualization. Every single program running its own (ideally encrypted memory) namespace, with its own assigned memory, etc.
That's what the ios sandbox provides. Heck, the tools arm64 gives you to isolate VMs are awfully similar to the tools they give you to isolate processes. VM escapes aren't too different than sandbox escapes.
Encrypted memory isn't part of arm yet, I was holding out hope with armv9 "realms" but not so.
I use little snitch for this, but I agree, a big hammer, and likely more hoops for regular developers to jump through. Notarisation, signing, forced developer keys...
I use Little Snitch on macOS, but it is not available on iOS, so far as I know. Normal apps on iOS do not have enough visibility into the system for that.
Android exposes a soft VPN API that firewall apps can use to block network traffic for certain apps in certain scenarios (say, no Google Play updates when on mobile data) with apps like Netguard [1].
Does iOS not expose such functionality? Surely there's some kind of VPN API?
> Android exposes a soft VPN API that firewall apps can use to block network traffic for certain apps in certain scenarios (say, no Google Play updates when on mobile data) with apps like Netguard.
I worked on AOSP for longer than I care to admit. This is mostly an illusion. System apps (like Google Play) can pretty much do whatever the heck it is that they want to. NetGuard, sure, "firewalls" it... but it wouldn't even know if a system app bypassed its tunnel. For installed apps, NetGuard is golden (as long as NetGuard itself doesn't leak).
disclosure: I co-develop a FOSS NetGuard alternative (and yes, this alternative has similar limitations).
Interesting, and disappointing. Do you happen to know what mechanism is used to bypass the VPN configuration?
I'm using my VPN as a Pihole tunnel and I don't notice any extra logs or requests when I turn off the VPN, but I may just be lucky. I did purge a lot of preinstalled Facebook crap…
It isn't that System Apps actively bypass the VPN tunnel, but they can if they want to, on-demand [0]. That is, System Apps retain the ability to bind to any network interface. Whether they do so, is anyone's guess.
For installed apps, there's no such respite, iff one enables 'Block connections without VPN' (the VPN lockdown mode) on Android 10+ (but NetGuard doesn't support it). This means in the times when NetGuard crashes or restarts (which it does on network changes, for example, or even on screen-off/screen-on, from what I recall), there's a chance the traffic flows through underlying interfaces rather than the tunnel (because the tunnel simply doesn't exist in the interim).
Datura (ebpf based) on CalyxOS and AfWall+ on any rooted Android can block out everything it pleases, though.
I don't mean to downplay NetGuard, because the codebase has evolved in response to years of addressing flaky networks, flawed apps, buggy Android forks. Marcel, the lead developer, has put his life's work into it and gave it away for free. The app I co-develop is, in fact, inspired from his efforts.
I see, thank you for explaining! Good to know that rooting your phone still has some benefits. I wouldn't have thought that there's such an easy bypass for system apps, but I suppose it makes sense for some modem/carrier apps to specify an interface.
I absolutely love Netguard even though I don't really use a firewall in practice (I was sort of hoping a permanent VPN with some "real" traffic meddling would be enough to block most violations of my privacy). It's the one rootless firewall that actually just works on practically any device you can think of, among a sea of broken/scammy firewalls that fail all kinds of edge cases.
> It's the one rootless firewall that actually just works on practically any device you can think of, among a sea of broken/scammy firewalls that fail all kinds of edge cases.
I've had those options on multiple OnePlus phones, but they were not present on multiple Pixels. Since Pixels are usually sold as "AOSP experience with Google flavor" are lacking this feature - I am not sure if that is that feature comes from AOSP or is only present on OnePlus phones.
I've generally found them on most Android phones, but they're all over the place in the settings. On my current phone they're not in permissions, or connections, or internet setup, or security, but they're in the app details screen.
I've also seen the toggles placed in the data usage graph, the other, older data usage graph you can sometimes find via a workaround, and in a separate app that pretends to be one of those system storage optimizers.
I'm sure Android supports it at the system level but how you get to those settings is anyone's guess, really.
iOS has APIs for VPNs and “content blockers”. But as far as I know, such a filter has no access to know which process/application is trying to make a connection. Little Snitch on macOS has to install code into kernel space. (Or at least it used to; I have not reinstalled in a long time.)
The Android app you link to seems to have the functionality I think should exist as a built-in. It needs to be built-in so that non-geeks can use it.
Just as users are asked the first time an application attempts to use the microphone and are able to prevent it before it starts, they should be able to limit network access and revoke it at any time.
(I don’t think users should be necessarily be forced to approve Internet access for every app install. Just make it possible to revoke in the global Settings widget and encourage users to think about personal data and Internet access being mutually exclusive.)
Not like that. The idea is antithetical to Apple, who have said during keynotes that they've tried to avoid doing so, because what they really want is a world where the concept of "mobile data" is not limiting.
None of which is particularly effective since it's trivial to setup a legal entities that makes one game but signs a bunch of malware (or steal enterprise keys).
That would be a pretty interesting VPN service if you could easily deploy it as a docket container. Something simple that could give Little Snitch like whitelisting.
The Charles proxy iOS app doesn’t have the ui to support this, it’s clumsy to whitelist domains, but it does provide some visibility into what domains are being accessed.
You can disable app's cellular data access, but that's it, at least on Western phones. Ironically, phones for the Chinese market actually expand that setting and also allow to block Wi-Fi access.
As a Chinese user, this is the first time I heard that blocking WiFi access on iOS is China only. How confused I was when reading the comment above you, given I'm already capable of blocking network access for any iOS App.
I am aware of that option. It is on the screen I just described. That is really just for saving bandwidth where it is expensive. It is in no way intended as a security measure.
For example, say I would like to install a photo editing application. It would need access to my photos. That is fine, so long as it is not allowed to connect to the Internet (or any other network). There is currently no way to ensure this.