disabling network access for an app does not work

[franco-bez]

On Volla OS 12.1 (12-20230911-STABLE-vidofnir) turning off network access for a specific app does not seem to work at all. go to Settings -> Apps -> Fennec -> Mobile Data and WLAN and disable the switch "allow network access". now open fennec and start browsing the internet.

Expected behaviour would be - "no internet" but Fennec can browse the internet just like always.

see also https://forum.volla.online/viewtopic.php?p=4277

[RinkebyDanceKids]

Damn, you got before me. And yes. There are more people than us.

I would like to see this fixed. But at least it wasnt just my phone, hacked or anything.

[wurzer]

So far I remember, we disabled this feature, because users complained, that the system setting for constant VPN is not working. If VPN needs to reconnect and the VPN setting has this strict setting, that non VPN traffic is blocked, that the system can't re-establish the VPN connection. It's a logical implication, because the requzest for the VPN connection is outside the VPN.

As a workaround you can put the app n the list of the security mode, taht shouldn't be connected to the internet, This app would be blocked, if the security mode is enabled.

[RinkebyDanceKids]

Oh?

I looked at that feature but couldn't get it to work, til I resorted to do it manually. I have another look then. And for me, VPN and manually off worked great. But lets see if I can get this securitu mood working. I don't use springboard though.

[wurzer]

We prepare a security mode toggle for quick settings.

@erfanoabdi can probable better explain the conflict between VPN setting and network setting

[RinkebyDanceKids]

Thanks for the help. So putting the apps on lock in security modes not only remove the icons or accessibility. But also it's access to internet/network then? I don't want any background signals from talkative apps. Just to make sure?

New problem though. I switched from trebuchet to volla to activate security mode. Then back to trebuchet. The icons were gone and good. But then turning of security mode and back to trebuchet, the icons was still gone on my layout. But back in the menu.

Thanks. Small fixes.

[wurzer]

The apps are totally blocked, even background processes. The main use case is, that you need to use some apps fpr your studies or job you don't really trust. You can put them on the list for the security mode and unlock the securoty mode for the moment you need to use them, like a conferecne call with Microsoft Teams.

Technically it's like the apps are not installed. The system can'T launch the apps on the list, if the security mode is on.

I admit, I use it to clean up the app grid, so I have a very minimalistic set of apps, I really use for every days tasks. A nice side effect is, that this also saves the battery life.

[RinkebyDanceKids]

Thanks,

Thats good to hear. And its now my new choice to block them. However I want my shortcuts to reappear after security mode is off. Its a trebuchet thing, as they reappear in volla.

Bottom line, a bit better support for security mode in trebuchet.

[wurzer]

For users with trebushet, we will provide a tobble in the Android quick settings. A developer is already working on it.

And the conflict between strict VPN settings and network permission will probably fixed with Volla OS 13, that is already in prerparation.

[gbdomubpkm]

I have just discovered this perverse effect of correcting the VPN problem and it bothers me to leave certain apps always connected to the internet like VLC for example. Putting certain apps in security mode is not a solution since you cannot use them and it does not remove the internet connection as soon as the apps exited from security mode. However, a quick switch to security mode in the Android settings is essential when using a launcher other than the volla launcher.

And the conflict between strict VPN settings and network permission will probably fixed with Volla OS 13.

the sooner the better..

In the meantime, another solution is to use 'Split tunneling' which allows you to exclude the apps you want from VPN traffic and therefore cut off the internet for the excluded apps.

[wurzer]

The strict VPN setting is only useful, if you configure a VPN manually. If you use a VPN app like hide.me it's not necessary. I you reboot the device, you are instanly connected to the VPN after reboot.

Split tunneling is useful, if there is a conflict of an app with VPN. Aurroa for instance doesn-ät work with a VPN connection. So you need to use splut tunneling for the aurora App.

There is no conflict currently for apps, that need to be constantly connected with the internet. except youo are driving and the device is loosing the connection to the cellular network in a rural area or tunnel.

[gbdomubpkm]

I have found and tested a solution that work for blocking apps from accessing the internet : https://f-droid.org/en/packages/net.stargw.fok karma firewall

[RinkebyDanceKids]

I have found and tested a solution that work for blocking apps from accessing the internet : https://f-droid.org/en/packages/net.stargw.fok karma firewall

Unfortunally it doesnt work with VPN. Pretty much for the same issue as before. And is just a worse option than security mode, in terms of security.

[gbdomubpkm]

Karma Firewall IS a local VPN in my understanding. And yes indeed, you cannot use two VPNs at the same time I think. So I use Karma Firewall when I don't need a real VPN (Proton or other). If I need Proton, I deactivate karma first, then activate proton with Split tunneling.

[franco-bez]

For users with trebushet, we will provide a tobble in the Android quick settings. A developer is already working on it.

And the conflict between strict VPN settings and network permission will probably fixed with Volla OS 13, that is already in prerparation.

Is there any news about Volla OS 13 release schedule ?

I would really like to be able to use some apps without having them communicate over the network at all. Currently I have to disable the network access for the phone before using the apps in question, and then not forget to re-enable network access afterwards. This is quite annoying.

[wurzer]

We are working on Volla OS 13 and start soon internal beta testing. However you can use the followong approach to block apps from Internet access:

Configure the system in the way, that only VPN connections are allowed. Then use split tunneling to exclude an app from the VPN.

[franco-bez]

Just to make sure we are talking about the same thing. With "the system" you refer to my X23 ?

I did not find an option for allowing VPN network access only in the X23 settings. Also I did not find a "split VPN" configuration.

[wurzer]

1. Go to system settings
2. Tap on network & internet
3. Tap on VPN
4. Tap on the gear icon of your VPN
5. Activate continuous VPN
6. Activate blocking non VPN traffic.

[franco-bez]

thanks for the hint. I found the settings. Still how do I allow VPN access for some Apps and forbid it for other Apps? With the "VPN Data" switch on the App-Info -> mobile data and w-lan page?

I will try this out

[franco-bez]

unluckily in my case this does not work. i tested with fennec. if non vpn traffic is blocked the name resolution in fennec does not work. the switch to allow/deny VPN for fennec has the effect that in one case I get "check network" , in the other I get "host not found".

my VPN is AdAway.

[wurzer]

I tested it with the hide.me app, that allows split tunneling

[franco-bez]

the AdAway is basically an AdBlocker that uses the Android VPN interface to avoid the need of root access. Most likely it is not suitable for this usage scenario.

[wurzer]

You could use a VPN app with split tunneling and for add blocking a plugin for Fennec. You can add ad blocking plugins in the setting sof the Fennec browser.

[franco-bez]

I prefer blocking ADs in all Apps, not just fennec. The easiest way used to be adding entries to the /etc/hosts file, but this requires rooting the device. Older Versions of AddAway did this, used to work perfectly.

[gbdomubpkm]

To block internet access in apps, there are two apps:

netguard https://f-droid.org/fr/packages/eu.faircode.netguard/

karma firewall https://f-droid.org/fr/packages/net.stargw.fok/

[franco-bez]

thanks for the hint

EDIT: just tried netguard it allows filtering with a hosts file - similar to AdAway. With netguard I have the same issue as with AdAway. Netguard issues a Warning when enabling the FIlter Mode (hosts file) and denying non vpn traffic, telling me that this will not work.

[wurzer]

For blocking apps in all apps Volla OS has the securoty mode. You can use the templates for Ads and more kind of domains like malware or phishing and/or you can define firther domains.

[franco-bez]

I did not yet dare to turn on the security mode. I read about a user that failed to define a password for it and could not turn it off again without resetting the phone.

Blocking apps completely means that they cannot be started at all, so usually I do not need this feature. The firewall feature seems to be what I want to have, but I do not want to add hundreds off sites to block manually. Tools like netguard or adaway have a simple method to download and apply filter lists that are maintained by the developers.

By the way I switched to netguard, for me it seems to be more stable than adaway in my daily use.

[wurzer]

The security mode has two features:

• Blocking apps
• Blocking domains system wide (black or white listing)

I use the security mode daily. It's correct, that you need to remember your password. However there is a validation, when you enter the passwort for a first time.

[franco-bez]

I will test the security mode.

what does the switch "use existing password" do?

[wurzer]

If you activate security mode the 2nd time, you needn't enter the password again. You can reuse the previous one.

[Danfro]

So if I understand this right, the permanent VPN was causing some trouble.

As a solution all apps do get unlimited access to the internet regardless of the per app network setting? And because the button in the apps setting "network access allowed" (Netzwerkzugriff erlauben) does still seem to work (visually), a user thinks network access is denied and does have no idea that apps can still fully access the internet (because that has been bridged (überbrückt)).

[wurzer]

Not only the permanent VPN connection but also the exclusive connection. I will discuss this technical conflict again with our developers. In my point of view, controlling the network access for each app is more important, that the VPN system setting. If you use hide.me app, you can configure a simliar behaviour. Anyway, you can block apps completely with the securoty mode. That could be a workaround for you for now.

[Danfro]

Thank you for taking this into discussion again. I do very much agree with your prioritisation, that the per app setting is more important. But I understand, that sometimes we are restricted by technical restrictions and of course that VPN needs to be working as well.

Using security mode to block the app is no valid workaround in my case. I am using a keyboard app that I want to prevent from sending userdata out. So the app needs to run all the time, but should have no internet access at all. I did solve this for the moment by using NetGuard app.

[franco-bez]

I agree. It's a good idea fixing the "disable network access" feature. To me the current state is a severe bug. Turning OFF network access completely turns off W-Lan, Mobile Data, and VPN-Data, that's what the options dialog suggests. Keeping the network access turned on in order to have a stable VPN seems strange - VPN is also turned OFF for the app.

Disabling an app completely via the security mode makes sense only in case you hand the device over to someone else, maybe a child and you don't want that person to use certain apps on your phone.

An app I do not want to use myself either gets uninstalled or disabled. An app I only use seldom does not get started.

Apps I want to use, but do not want them to "phone home" I currently can only use in flight mode - that's bad.

[RinkebyDanceKids]

I agree. It's a good idea fixing the "disable network access" feature. To me the current state is a severe bug. Turning OFF network access completely turns off W-Lan, Mobile Data, and VPN-Data, that's what the options dialog suggests. Keeping the network access turned on in order to have a stable VPN seems strange - VPN is also turned OFF for the app.

Disabling an app completely via the security mode makes sense only in case you hand the device over to someone else, maybe a child and you don't want that person to use certain apps on your phone.

An app I do not want to use myself either gets uninstalled or disabled. An app I only use seldom does not get started.

Apps I want to use, but do not want them to "phone home" I currently can only use in flight mode - that's bad.

You disable them manually? how? I know how to do it in normal android. But Volla for all I seen only have uninstall or once. tirning off network access.

[franco-bez]

You disable them manually? how? I know how to do it in normal android. But Volla for all I seen only have uninstall or once. tirning off network access.

Disable the preinstalled apps you do not want to use as they cannot be easily deinstalled.

[RinkebyDanceKids]

yes, but how?

[franco-bez]

OK, but this is the last off topic here - for further questions please use the forum It's the same procedure as you use for uninstallation - just that you can only choose deactivate instead of uninstall. This is standard Android behaviour.

[RinkebyDanceKids]

Ah! I missunderstood, thanks for answering my off question. I wanted to use it for apps that can be uninstalled. And if I remember right. Something you can do in normal android.

[wurzer]

There is no need to deactivate apps. Use the security mode of Volla OS iin the security settings.

[gbdomubpkm]

Really prioritize the security mode switch to put in the system settings.

[Danfro]

This thread is not about moving security mode switch elsewhere.

And why would one want that anyway? System settings is so full, one can't find anything without the search.

Having security mode in Volla settings (two swipes away) is so much more convenient and easier to find. My opinion.

--

[gbdomubpkm]

And why would one want that anyway?

If you change launcher, security mode can no longer be activated/deactivated unless you return to the volla launcher

[wurzer]

We prepare a quick setting tile to activate and e-activate the security mode

[Danfro]

If you change launcher, security mode can no longer be activated/deactivated unless you return to the volla launcher

Ah, valid point. I did not think of that.

[wurzer]

Please recheck with Volla OS 13. IT's reintroduced

[franco-bez]

just upated to 13-20240213-BETA-vidofnir. Disabling network access is now respected and seems to work as intended.

There are several side effects with the update though. -System states to be LineageOS now. -VollaBootManager looks like the old one. Surprisingly dual boot still works. -VollaBoard has disappeared, no speech input anymore

[wurzer]

Thanks for the beta report. Yes, ot's an early beta. Some deteils needs to be fixed. Thanks for the report.

[franco-bez]

fixed in VOS 13