Google Adds Restricted Networking Mode in Android 12




This is not the system-level firewall we expected

With the first Android 12 Developer Preview slated to go live next month, there’s still a lot we don’t know about Google’s next major operating system update. Digging into the Android Open Source Project can only reveal so much, given that most of the Android 12 code base is not public. Still, we sometimes see evidence of new Android features in AOSP, although they often aren’t that great. The latest feature we spotted, internally called “Restricted Network Mode,” unfortunately doesn’t provide the configurable firewall we were hoping to see, but it does have some interesting implications.

A handful of commits merged into AOSP describe the new restricted network mode feature. Google has created a new firewall chain – a set of rules that the Linux iptables utility follows to allow or block network traffic – to support restricted network mode. When this mode is enabled via a parameter, only applications that hold the CONNECTIVITY_USE_RESTRICTED_NETWORKS permission will be allowed to use the network. Since this permission can only be granted to privileged system apps and/or OEM-signed apps, network access will be blocked for all user-installed apps. In effect, you will still receive push notifications from apps using Firebase Cloud Messaging (FCM), as these notifications are routed through the privileged Google Play Services app, which has the required permission, but no other app – excluding a handful of other system apps – can send or receive data in the background.

We’re not sure where Google will place a toggle for restricted network mode in Android 12. We do know that it can be toggled at runtime and programmatically queried through a shell command, much like Android’s Data Saver feature, but we don’t know if Google plans to allow users to create their own app allow/block list. It would be huge if Google added a settings page for users to restrict internet access on a per-app basis so that users wouldn’t have to rely on apps like NetGuard that use Android’s VPN API; there is nothing wrong with the way these apps work, but nothing prevents them from being killed by bad OEM software.
