unable to create custom firewall rules to allow download of android updates from google

[DonEstefan]

Please answer the following questions for yourself before submitting an issue

• [X] Filters were updated before reproducing an issue
• [X] I checked the knowledge base and found no answer
• [X] I checked to make sure that this issue has not already been filed

AdGuard version

4.3.1 + 4.4

Environment

• OS version: 14
• Device: Google Pixel 8 (factory default ROM)

HTTPS filtering

• [ ] yes, I do

Root access

• [ ] yes, I have it

Integration with AdGuard VPN

• [X] yes, I do

Routing mode

Local VPN

Ad Blocking

AdGuard Base filter, AdGuard Mobile Ads filter, EasyList

Privacy

AdGuard Tracking Protection filter, EasyPrivacy

Social

AdGuard Social Media filter

Annoyances

AdGuard Popups filter, AdGuard Mobile App Banners filter

Security

Online Malicious URL Blocklist

Language-specific

AdGuard Japanese filter, EasyList Germany

Other

No response

Which DNS server do you use?

Automatic DNS

DNS protocol

None

Custom DNS

No response

What Stealth Mode options do you have enabled?

No response

Issue Details

Steps to reproduce:

1. enable adguard (DNS+Firewall) .
2. enable global firewall rules in adguard. disallow all wifi + mobile data connections globally.
3. go to android settings and try to download available android security updates provided by google. This results in the error message "network error. try again later" seen in the german screenshot below
4. check adguard firewall quick actions -> no quick action available, to unlock the android updates
5. check "recent activity" in adguard "statistics" tab-> note the blocked tcp connection from "root" in the second screenshot below. However, there is no app called "root" installed on my phone, so I can not allow this connection/app...
6. enable "custom firewall rule". Allow all wifi+mobile data for all "Download manager" and "system" apps. Repeat step 3 -> Download still does not work
7. disable adguard and repeat step 3 -> android update download works as expected

Expected Behavior

There should be a way to build custom firewall rules for android updates, when global firewall rules do not allow internet access by default.

Actual Behavior

android update downloads always fails, when global firewall rules do not allow internet access by default

Screenshots

Android Update error (german)


I suspect this is the blocked update download


Additional Information

No response

[maxikuzmin]

@DonEstefan

try to download available android security updates provided by google

could you please clarify the path to this setting? you mean Settings -> Security & Privacy -> System & updates -> Security update?

[DonEstefan]

could you please clarify the path to this setting? you mean Settings -> Security & Privacy -> System & updates -> Security update?

Correct

[maxikuzmin]

@DonEstefan well, I tested this on Pixel 5 (android 14) and everything works correctly

Please watch the video, are you doing the same steps?

https://github.com/AdguardTeam/AdguardForAndroid/assets/101641415/87581fec-0a6e-4cb1-bd8f-571e0ee1ac5f

As far as I understand the blocked request is called "google play services", I don't have any requests from "root" showing up, and I was able to temporarily disable Firewall for the update and updated successfully

I also checked the Security update on another Samsung device (android 13), but everything works correctly there as well. Do you have a chance to check this on another device, will it also recur? Most likely the problem is in your device

[maxikuzmin]

@DonEstefan by the way about "root" If the system makes requests with UID 0, then a request from a process with UID 0 is described as "root". It's normal behavior

[DonEstefan]

Hi @maxikuzmin. And thanks for your efforts! You are looking at the right setting. But the check for updates button is working fine ("play services" are allowed to access internet on my phone). It's the download and install button that came after check for updates, which did not work. Unfortunately I can not create a screen recording of the issue, since I installed all available android updates during my earlier tests.

[maxikuzmin]

@DonEstefan It's really hard to check this, since Security updates are released very rarely (I had my last update in November, and it's the "most recent" update available

[DonEstefan]

@maxikuzmin, I get monthly updates with my pixel phone. Let me know, if I can help...

[maxikuzmin]

@DonEstefan okay, so the problem is: Quick Actions for the Adguard Firewall are not available when blocking Security update downloads After disabling the Firewall, downloading updates still doesn't happen until you turn off AdGuard protection completely

Is this correct? Unfortunately, my updates are still showing as “Your system is up to date” from Nov 05, maybe the difference is in the firmware of our devices.

Could you please record a video of the screen repeating all the steps and also record debug logs?

• Enable debug logging:

Settings -> General -> Advanced -> Logging level -> Debug

• Reproduce steps, then remember the exact time when it happened

• Collect logs:

Settings -> General -> Advanced -> Export logs and system info

• Sent this file to devteam@adguard.com:

mention the 5327 number in the subject specify the exact time when the issue occurred

[maxikuzmin]

@DonEstefan any news?

[DonEstefan]

@maxikuzmin, I'm on a festival right now. There are new updates available on my phone. I'll get the debug los for you, when I'm back next week.

[maxikuzmin]

@DonEstefan okay, I'll be waiting. Have fun!

[DonEstefan]

@maxikuzmin, I send the file you asked for to the devteam mailadress. Let me know if you need additional info.

[maxikuzmin]

@DonEstefan could you record a new video of the screen? Important, when you open a request in recent activity, scroll below to see if the request was blocked by a firewall

[maxikuzmin]

@DonEstefan any news?

[DonEstefan]

Hi @maxikuzmin, I sent you another screen recording. I hope it helps. I'm abroad for the next 2 weeks, so I use a roaming connection. But it should not make much difference. Do you have an idea how to unblock the logged connections created by "root"?