Grey Shirts NoRoot Firewall for ANDROID

Discussion in 'other firewalls' started by FOXP2, Oct 25, 2013.

  1. FOXP2

    FOXP2 Registered Member

    No longer having my rooted Android slab and not yet willing to brick a new (WiFi only) Nexus 7 FHD, I was anxious to try this Grey Shirts NoRoot Firewall I had seen on several occasions when digging around in the Play Store. How good it is is absolutely impressive. The feature set and granularity far exceed those of the ones I played with, including avast! Mobile.

    Upon first run it'll build an APPS list of all installed networked Apps. PENDING ACCESS notifications will start presenting, which you open to review connections to allow, block or build a rule. At first this is a bit tedious but unavoidable considering the level of connectivity of an Android device.

    Apps will turn red, yellow or green in the APPS list depending on the level of the rule(s). Those in white have not yet tried to connect and you can then either allow, block, build or just wait for a connect and examine the PENDING ACCESS notification.

    Running a newly installed App which attempts an immediate connection will present a PENDING ACCESS notification, and if not, it will appear as white in the APPS list.

    Any App that attempts an access not meeting an existing rule(s) will present a PENDING ACCESS notification.

    This App needs:
    1) Clear, sort, filter and save as txt or csv the ACCESS LOG.
    2) Move up/down rules in App Detail.
    3) Export/import rules.
    4) Greater support of wildcards for domains rules, currently restricted to *.
    5) One or two nit picky things I can't recall at the moment.

    I've posted up those as wishes in its Play Store reviews.

    I think Grey Shirts has a winner here for hard core Android geeks. The last update was on October 14 and according to their postings in Play Store, active development is ongoing. If they ever went to a paid model, my wallet is at the ready.

    FYI: NRFW does not work via a proxy (local or external) like some others but instead brilliantly uses Android's VpnService.
    -https://developer.android.com/reference/android/net/VpnService.html
    On first run, it prompts for a permission which you can accept and continue or deny and exit.

    Cheers.

    Last edited: Oct 25, 2013
  2. J_L

    J_L Registered Member

    I wonder how it compares to this, although I don't use it anymore not wanting to deal with outbound control even on a desktop.
  3. FOXP2

    FOXP2 Registered Member

    From the screenies at Play, it looks like Mobiwol offers only allow-or-block for an App; all or nothing, no fine tuning of rules. Unless you can indicate otherwise since you used it. Nonetheless, knowing of what you don't want to deal with is of incalculable benefit to the thread. :rolleyes:

    For those who do want to deal, Grey Shirts' firewall is ideal for blocking the Apps that feel the need to bang 1e100 or a "region validation" or other IP every few seconds (even when just idling in the foreground or not there at all) while not breaking the App's core connectivity.

    Cheers.
  4. Goliathus

    Goliathus Registered Member

    One downside I found for myself is that you can't run a VPN service and this app at the same time. If you use a VPN and it uses the OpenVPN app, it seems Android only allows one VPN instance at a time. I have not dug into it yet to see if there is a setting that can be changed in one or the other to allow this (because I just thought of it right now actually), so maybe there is a way.

    Just thought I would add this in case someone else needed to know.
  5. ellison64

    ellison64 Registered Member

    I'm using this on a rooted Nexus 7 and 10, and prefer this to quite a few I've tried, as most of them are black- or whitelist, whereas this one asks you to allow or not and also gives you the option of allowing or denying individual connections from an app. The only con I see is the Android warning, and having to trust it to continue on reboots. I don't think there's any way round that though.
  6. trott3r

    trott3r Registered Member

    The allow via WiFi or mobile only options look useful.

    I cannot see this on the screenshots of greyshirts if this can be done or not.

    I would prefer a desktop type of hips with allow for this session or an hour etc granularity.
  7. FOXP2

    FOXP2 Registered Member

    It's Android. What's not to trust? :p I set it so it doesn't start on reboot; after 'droid settles down, I turn on NoRoot FW and then WiFi.

    •If you look hard enough, the screenshots show exactly what you're looking for.
    ••Me too. But it is what it is. And much better than nothing.

    Correct. No work-arounds. Do you need a firewall when in a VPN session? Turn it off for the session and turn it on again when just messin' around maybe??
  8. aladdin

    aladdin Registered Member

    Excellent thread!

    Best regards,

    Mohamed
  9. ellison64

    ellison64 Registered Member

    I'd like to see a rooted version of this as well as unrooted. I always root my devices. Approve with SuperSU and then no problem with reboot interaction.
  10. Espresso

    Espresso Registered Member

    I just tried this but it won't start. I get a "Cannot establish VPN (java.lang.IllegalStateException: Cannot create interface)" error. o_O
  11. Victek

    Victek Registered Member

    It's interesting that both the Grey Shirts firewall and Mobiwol use the VPN service. My guess is this is how they can work on a device without root access - the firewall rules are applied on the VPN server and not on the device OS. Since they use OpenVPN, are they in fact creating a secure connection?
  12. Techwiz

    Techwiz Registered Member

    I've given Grey Shirts a go now for the past three days. I've managed to block advertisements in quite a number of free and paid apps, and I've cut out notification annoyances from the launcher pushing me to upgrade. I've also noticed tremendous battery life improvement now that it's not calling out for updates 24/7. I really like the idea, but given the MiTM nature I can't say I'm entirely comfortable with this type of work around. For now, I'm going to stay the course. Neat idea using the VPN setting, but I agree it probably introduces a number of other security concerns.
  13. TheWindBringeth

    TheWindBringeth Registered Member

    From http://www.mobiwol.com/faqs.html:

    A search finds this http://developer.android.com/reference/android/net/VpnService.html:

    That last sentence crossed out to account for how Mobiwol (and presumably Grey Shirts NoRoot Firewall) might use this. It sounds as though they, instead of performing that crossed out step and exchanging traffic with destinations through a remote VPN Server, could directly exchange traffic with destinations while applying filter rules. Sort of like running a VPN client and VPN server on your Android, but combined and lighter weight. Please speak up if you think otherwise.

    Also from that Android developer documentation:
    Which could explain Goliathus's earlier "you can't run a VPN service and this app at the same time" comment pertaining to Grey Shirts NoRoot Firewall.
    Last edited: Jan 9, 2014
  14. jdd58

    jdd58 Registered Member

    Is there any way to add a block all rule at the bottom of the allow rules?
  15. Victek

    Victek Registered Member

    Very helpful, thanks :thumb:
  16. Techwiz

    Techwiz Registered Member

    @TheWindBringeth

    Thanks for this information. Good find for non-root users.
  17. FOXP2

    FOXP2 Registered Member

    Good question. There's a Global Filters which will be read before or after the apps' rules, in which logically the latter should match your "bottom of" rule.

    [Attachment: NRFglobals.jpg]

    I haven't had the need for that yet and I'm curious as to what you have in mind for such a rule?

    BTW, in a "duh, I didn't know you could do that" moment, I found out how to screen shot my Nexus 7. As I did in #1 above, I don't have to use my snapshot camera anymore. :D

    Cheers.
  18. FOXP2

    FOXP2 Registered Member

    Agreed. I'm not counting on it for much either. But it sure is interesting as to how and to what different apps connect within the Google construct.

    Not that there are other nice apps to ferret this out but without rooting and loading up a bunch of Linux tools, GSNR firewall is the best thing I've messed with that pops the hood.

    I've got several apps (all from play.google) which I restrict to 80 and 443 out where I've built anywhere from two to six rules blocking other ports in high well-known and registered. And one way up there in private. :cautious:

    So, find yourself blocking much to 74.125.224.*:80 ??
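    As an added illustration of the rule ordering discussed in the question above (a global block-all rule "at the bottom" of the allow rules) and in this post (per-app allows restricted to 80 and 443, and blocking the 74.125.224.*:80 subnet), here is a toy evaluator in Python. It is example code written for this thread, not Grey Shirts' code, and it assumes semantics the thread does not document: global filters marked "before" are checked first, then the app's own rules top to bottom, then "after" filters; the first match wins; and no match means a PENDING ACCESS prompt. The app names, the domain pattern *.ads.example and the 203.0.113.x addresses are constructed sample data.

```python
"""Toy model of per-app outbound rule evaluation (added example, not the
product's own code). Assumed semantics: global 'before' filters, then the
app's rules top to bottom, then global 'after' filters; first match wins;
no match means 'pending' (the firewall would prompt). Sample data below is
constructed for illustration."""

from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

ALLOW, BLOCK, PENDING = "allow", "block", "pending"


def ip_matches(pattern: str, ip: str) -> bool:
    """Match a dotted IPv4 address against a pattern whose octets may be '*'
    (e.g. '74.125.224.*', the only wildcard form the thread mentions)."""
    if pattern == "*":
        return True
    pat, addr = pattern.split("."), ip.split(".")
    if len(pat) != 4 or len(addr) != 4:
        return False
    return all(p == "*" or p == a for p, a in zip(pat, addr))


@dataclass(frozen=True)
class Rule:
    action: str                 # ALLOW or BLOCK
    host: str = "*"             # domain pattern, '*.example.net' style
    ip: str = "*"               # IPv4 pattern with '*' octets allowed
    port: Optional[int] = None  # None means any port
    note: str = ""              # free text copied into the access log

    def matches(self, host: str, ip: str, port: int) -> bool:
        if self.port is not None and self.port != port:
            return False
        if not fnmatchcase(host.lower(), self.host.lower()):
            return False
        return ip_matches(self.ip, ip)


@dataclass(frozen=True)
class Connection:
    app: str
    host: str   # resolved name, '' when the firewall only saw an IP
    ip: str
    port: int


@dataclass
class Policy:
    global_before: List[Rule] = field(default_factory=list)
    app_rules: Dict[str, List[Rule]] = field(default_factory=dict)
    global_after: List[Rule] = field(default_factory=list)
    access_log: List[str] = field(default_factory=list)

    def decide(self, c: Connection) -> Tuple[str, Optional[Rule]]:
        """First matching rule in before -> app -> after order wins; no match
        is 'pending' (assumed to correspond to a PENDING ACCESS prompt)."""
        chain = self.global_before + self.app_rules.get(c.app, []) + self.global_after
        verdict: Tuple[str, Optional[Rule]] = (PENDING, None)
        for rule in chain:
            if rule.matches(c.host, c.ip, c.port):
                verdict = (rule.action, rule)
                break
        action, rule = verdict
        why = f" ({rule.note})" if rule and rule.note else ""
        self.access_log.append(f"{c.app} -> {c.host or c.ip}:{c.port} {action}{why}")
        return verdict


def build_policy(block_all_at_bottom: bool = False) -> Policy:
    """Constructed sample policy: one app allowed out on 80 and 443 only, with
    the ad subnet from the thread blocked on port 80 ahead of the port-80
    allow (order matters because the first match wins), plus an optional
    global block-all rule evaluated after every app's rules."""
    policy = Policy()
    policy.app_rules["Joe's Weather"] = [
        Rule(BLOCK, ip="74.125.224.*", port=80, note="ad subnet"),
        Rule(BLOCK, host="*.ads.example", note="ad domain (constructed)"),
        Rule(ALLOW, port=443, note="https"),
        Rule(ALLOW, port=80, note="http"),
    ]
    if block_all_at_bottom:
        policy.global_after.append(Rule(BLOCK, note="global block-all"))
    return policy


if __name__ == "__main__":
    p = build_policy(block_all_at_bottom=True)
    for conn in (
        Connection("Joe's Weather", "", "74.125.224.10", 80),
        Connection("Joe's Weather", "", "203.0.113.5", 443),
        Connection("Joe's Weather", "", "203.0.113.5", 8080),
        Connection("Sooper Solitaire", "cdn.ads.example", "203.0.113.9", 443),
    ):
        p.decide(conn)
    print("\n".join(p.access_log))
```

    The point of the model is the ordering: the 74.125.224.*:80 block must sit above the port-80 allow in the app's list or it never fires, and a "block all at the bottom" rule belongs in the global after-list so that any app without a matching rule is denied instead of prompting. Whether the real product evaluates its Global Filters exactly this way is an assumption of the example.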
  19. jdd58

    jdd58 Registered Member

    Thanks for your help. I figured it out. I was looking for the rule under the app I created it for but found the rule under the global tab.

    I had over 60 block rules for Words with Friends that I wanted to clean up. Those ads come from everywhere.

    Now I have to figure out why Words with Friends locks up or reboots my Nexus 7.
  20. Techwiz

    Techwiz Registered Member

    Yes, there certainly are a lot of connections to Google. I'm thinking this might be related to the Google account sync/backup service or a file/media/system update. Kind of like Windows Media Player checking if a new version of a file is available for download or Dropbox auto-syncing. I'm still experimenting, so until I've had a chance to play around with it further I can not say for certain. I'm new to Android, so I am in no way an expert. But I'm not going to let that stop me from getting my feet wet.

    I'd recommend toggling off any radios you don't require and checking out the Google settings app on your device. Found some pretty interesting privacy settings that by default were not toggled off that I didn't think justified the privacy concerns.

    I've been experimenting with establishing some general rule sets. There are a lot of apps that I simply don't need accessing the internet regularly that I can't simply uninstall. I can always change this and update things like maps in the future. So I've toggled these to deny any access. Anything that must have internet access will have a custom filter rule set.

    My current deny any connection list:
    Bluetooth Share
    Camera
    Contacts Storage, Contacts, User Dictionary
    Download manager, downloads, media storage
    Gallery
    Maps
    Sound Recorder
    Street View
    Wallet

    Still experimenting with settings to see what is causing what to show up in the access log. I don't use Words with Friends on my own device, but I find the ads annoying when playing on other people's devices. So maybe this will be a good test of the app's ability to block in-app ads. Also, applying rulesets to Chrome directly seems to work well.
  21. safeguy

    safeguy Registered Member

    This gets my vote of being the best firewall for non-rooted Android.
  22. umbrapolaris

    umbrapolaris Registered Member

    and for rooted one?
  23. FOXP2

    FOXP2 Registered Member

    Off topic. Please start a new thread. Thank you.


    For sure. 99.99999% to their 1e100 dot net. But specifically 74.125.224.*:80 is the subnet that doles out the apps' ads. I'm not referring to the Google services (Gmail, Google+, People, Drive and so on) but to apps: Joe's Weather, Calculator Extreme, Sooper Solitaire, WiFi Woofer (I made those up). I have no experience with games, so I can't say if there's another 1e100 IP/24 or other CIDRs for games.

    That, of course, will have no effect on ads served by amazon, akamai, cloudfront and the likes of Admob, Admarvel, etc.

    Some apps have wised up and won't even load up their content/service until the initial ad has completed rendering. :'(
  24. Techwiz

    Techwiz Registered Member

    @FOXP2
    That, of course, will have no effect on ads served by amazon, akamai, cloudfront and the likes of Admob, Admarvel, etc.

    Some apps have wised up and won't even load up their content/service until the initial ad has completed rendering. :'(

    Agreed, companies are wising up. I've had great success on my end, because I limit myself to a small number of applications. Fortunately, their developers haven't caught on. If you are still having problems, might I also recommend a DNS server that filters ads. I've been experimenting with Fool DNS and I must say it's been pretty effective so far. I've had mixed results on an un-rooted iPhone. It's hit or miss with advertisements. Another reason to love android. :)
  25. Victek

    Victek Registered Member

    I've been using this NoRoot firewall for a while and am wondering about what real value it adds in terms of enhancing privacy - realistically what can be achieved? I can see how very knowledgeable users can write rules to block ads, etc, but it seems to me the larger problem is app permissions. Too many apps have unnecessary permissions and what is required is ad-blocking and anti-tracking capability comparable to what we have for desktops - apps like AdBlock Plus and Ghostery, etc. I understand that perfect privacy cannot be achieved on a desktop either, but can you even get close with a cellular device? - even rooted? The carrier network back-end "owns" these things.