n4bz0r | 3 months ago

How does it work without root? Any app can just block other apps from connecting to the internet?

jeroenhd|3 months ago

An app can use the VPN API to intercept network traffic. This is all done with plenty of security popups (one to inform you an app is trying to register as a VPN, then another popup when it's first activated, and while it's active there's a permanent notification that says "your connection may be monitored" with a quick button to kill the VPN).

The API is supposed to let apps do things like "route intranet/corporate app traffic over a VPN, let other traffic go through", but you can just as easily use it to drop traffic destined for certain addresses (such as ad servers), or to drop all traffic for specific apps. It's also possible to make decisions like "let this app connect to the internet on wifi but not on data".

It should be noted that system applications (phone OS, Google, sometimes carrier apps) can bind to specific network interfaces bypassing this API entirely. This means you can't use this API to 100% block internet access to preinstalled apps, even though apps will need to explicitly implement networking code to bypass such firewalls.

It should be noted that Google doesn't really like apps abusing the VPN API like this, in part because of the massive privacy risk. Google cut a bunch of these apps from Google Play, though there's not much they can do about APKs you download from F-Droid or GitHub.
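
The per-app blocking described in the comment above, as an added example that is not part of the thread or any mentioned app's code: a `VpnService` that routes only selected apps into a local tunnel and never forwards their packets. The package names and tunnel addresses are constructed placeholders.

```kotlin
import android.content.Intent
import android.content.pm.PackageManager
import android.net.VpnService
import android.os.ParcelFileDescriptor
import java.io.FileInputStream
import java.io.IOException
import kotlin.concurrent.thread

// Manifest: declare the service with android.permission.BIND_VPN_SERVICE and an
// android.net.VpnService intent filter. An Activity must first call
// VpnService.prepare(); a non-null Intent from it is the system consent dialog.
class DropTrafficVpnService : VpnService() {
    // Constructed placeholder package names: apps whose traffic is dropped.
    private val blocked = listOf("com.example.chattyapp", "com.example.adsdk.demo")
    private var tun: ParcelFileDescriptor? = null

    override fun onStartCommand(intent: Intent?, flags: Int, startId: Int): Int {
        if (tun != null) return START_STICKY
        val builder = Builder().setSession("local firewall")
            .addAddress("10.215.173.1", 32).addRoute("0.0.0.0", 0) // all IPv4
            .addAddress("fd00:2:fd00:1::1", 128).addRoute("::", 0) // all IPv6
            .setBlocking(true) // make reads on the tunnel descriptor block
        // Only allow-listed apps are routed into the tunnel; every other app
        // keeps using the normal network.
        val captured = blocked.count { pkg ->
            try { builder.addAllowedApplication(pkg); true }
            catch (e: PackageManager.NameNotFoundException) { false } // not installed
        }
        // With an empty allow-list the tunnel would capture every app, so stop.
        if (captured == 0) { stopSelf(); return START_NOT_STICKY }
        val pfd = builder.establish() // null if consent is missing or was revoked
        if (pfd == null) { stopSelf(); return START_NOT_STICKY }
        tun = pfd
        thread(name = "tun-drain") {
            val buf = ByteArray(32767)
            val input = FileInputStream(pfd.fileDescriptor)
            try {
                while (input.read(buf) >= 0) { /* packet read, never forwarded */ }
            } catch (e: IOException) { /* descriptor closed in onDestroy */ }
        }
        return START_STICKY
    }

    override fun onDestroy() { // also reached when the user revokes the VPN
        tun?.close(); tun = null
        super.onDestroy()
    }
}
```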

ignoramous|3 months ago

> should be noted that Google doesn't really like apps abusing the VPN API like this

Not really.

   Only apps that use the VpnService and have VPN as their core functionality can create a secure device-level tunnel to a remote server. Exceptions include apps that require a remote server for core functionality such as:

  - Parental control and enterprise management apps
  - App usage tracking
  - Device security apps (for example, anti-virus, mobile device management, firewall)
  - Network-related tools (for example, remote access)
  - Web browsing apps
  - Carrier apps that require the use of VPN functionality to provide telephony or connectivity services.

https://support.google.com/googleplay/android-developer/answ... / https://archive.vn/KY51z

> It should be noted that system applications (phone OS, Google, sometimes carrier apps) can bind to specific network interfaces bypassing this API entirely

Whilst this is true for Android (connectivity checks bypass VPNs, as do VoWiFi and Hotspot traffic) [0], other OSes are known to do the same thing: https://news.ycombinator.com/item?id=24838816

[0] https://github.com/celzero/rethink-app/issues/224

n4bz0r|3 months ago

Neat, thanks for the explanation!

Given it's a "VPN", would it work alongside a real VPN?