Grey Shirts NoRoot Firewall for ANDROID

Discussion in 'other firewalls' started by FOXP2, Oct 25, 2013.

  1. FOXP2

    FOXP2 Guest

    No longer having my rooted Android slab and not yet willing to brick a new (WiFi only) Nexus 7 FHD, I was anxious to try this Grey Shirts NoRoot Firewall I had seen on several occasions when digging around in the Play Store. How good it is, is absolutely impressive. The feature set and granularity far exceed those of the ones I played with, including avast! Mobile.

    Upon first run it'll build an APPS list of all installed networked Apps. PENDING ACCESS notifications will start presenting which you open to review connections to allow, block or build a rule. At first this is a bit tedious but unavoidable considering the level of connectivity of an Android device.

    Apps will turn red, yellow or green in the APPS list depending on the level of the rule(s). Those in white have not yet tried to connect and you can then either allow, block, build or just wait for a connect and examine the PENDING ACCESS notification.

    Running a newly installed App which attempts an immediate connection will present a PENDING ACCESS notification and if not will appear as white in the APPS list.

    Any App that attempts an access not meeting an existing rule(s) will present a PENDING ACCESS notification.

    This App needs:
    1) Clear, sort, filter and save as txt or csv the ACCESS LOG.
    2) Move up/down rules in App Detail.
    3) Export/import rules.
    4) Greater support of wildcards for domains rules, currently restricted to *.
    5) One or two nit picky things I can't recall at the moment.

    I've posted up those as wishes in its Play Store reviews.

    I think Grey Shirts has a winner here for hard core Android geeks. The last update was on October 14 and according to their postings in Play Store, active development is ongoing. If they ever went to a paid model, my wallet is at the ready.

    FYI: NRFW does not work via a proxy (local or external) like some others but instead brilliantly uses Android's VpnService.
    -https://developer.android.com/reference/android/net/VpnService.html
    On first run, it prompts for a permission which you can accept and continue or deny and exit.

    Cheers.
     

    Last edited by a moderator: Oct 25, 2013
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,043
    I wonder how it compares to this, although I don't use it anymore not wanting to deal with outbound control even on a desktop.
     
  3. FOXP2

    FOXP2 Guest

    From the screenies at Play, it looks like Mobiwol offers only allow-or-block for an App; all or nothing, no fine tuning of rules. Unless you can indicate otherwise since you used it. Nonetheless, knowing of what you don't want to deal with is of incalculable benefit to the thread. :rolleyes:

    For those who do want to deal, Grey Shirts' firewall is ideal for blocking the Apps that feel the need to bang 1e100 or a "region validation" or other IP every few seconds (even when just idling in the foreground or not there at all) while not breaking the App's core connectivity.

    Cheers.
     
  4. Goliathus

    Goliathus Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    1
    Location:
    USA
    One downside I found for myself is that you can't run a VPN service and this app at the same time. If you use a VPN and it uses the OpenVPN app it seems android only allows one VPN instance at a time. I have not dug into it yet to see if there is a setting that can be changed in one or the other to allow this (because I just thought of it right now actually) so maybe there is a way.

    Just thought I would add this in case someone else needed to know.
     
  5. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,365
    I'm using this on a rooted Nexus 7 and 10, and prefer this to quite a few I've tried, as most of them are black or whitelist, whereas this one asks you to allow or not and also gives you the option of allowing or denying individual connections from an app. The only con I see is the Android warning, and having to trust it to continue on reboots. I don't think there's any way round that though.
     
  6. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    690
    Location:
    UK
    The allow via wifi or mobile only options looks useful.

    I cannot see this on the screenshots of greyshirts if this can be done or not.

    I would prefer a desktop type of hips with allow for this session or an hour etc granularity.
     
  7. FOXP2

    FOXP2 Guest

    It's Android. What's not to trust? :p I set it so it doesn't start on reboot; after 'droid settles down, I turn on NoRoot FW and then WiFi.

    •If you look hard enough, the screenshots show exactly what you're looking for.
    ••Me too. But it is what it is. And much better than nothing.

    Correct. No work-arounds. Do you need a firewall when in a VPN session? Turn it off for the session and turn it on again when just messin' around maybe??
     
  8. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Excellent thread!

    Best regards,

    Mohamed
     
  9. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,365
    I'd like to see a rooted version of this as well as unrooted. I always root my devices. Approve with SuperSU and then no problem with reboot interaction.
     
  10. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    I just tried this but it won't start. I get a "Cannot establish VPN (java.lang.IllegalStateException: Cannot create interface)" error. o_O
     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    4,436
    Location:
    USA
    It's interesting that both the Grey Shirts firewall and Mobiwol use the VPN service. My guess is this is how they can work on a device without root access - the firewall rules are applied on the VPN server and not on the device OS. Since they use OpenVPN are they in fact creating a secure connection?
     
  12. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    470
    Location:
    United States
    I've given Grey Shirts a go now for the past three days. I've managed to block advertisements to quite a number of free and paid apps, I've cut out notification annoyances from the launcher pushing me to upgrade. I've also noticed tremendous battery life improvement now that it's not calling out for updates 24/7. I really like the idea, but given the MiTM nature I can't say I'm entirely comfortable with this type of work around. For now, I'm going to stay the course. Neat idea using the VPN setting, but I agree it probably introduces a number of other security concerns.
     
  13. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    1,584
    From http://www.mobiwol.com/faqs.html:

    A search finds this http://developer.android.com/reference/android/net/VpnService.html:

    That last sentence crossed out to account for how Mobiwol (and presumably Grey Shirts NoRoot Firewall) might use this. It sounds as though they, instead of performing that crossed out step and exchanging traffic with destinations through a remote VPN Server, could directly exchange traffic with destinations while applying filter rules. Sort of like running a VPN client and VPN server on your Android, but combined and lighter weight. Please speak up if you think otherwise.

    Also from that Android developer documentation:
    Which could explain Goliathus's earlier "you can't run a VPN service and this app at the same time" comment pertaining to Grey Shirts NoRoot Firewall.
     
    Last edited: Jan 9, 2014
  14. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    512
    Location:
    Arizona
    Is there any way to add a block all rule at the bottom of the allow rules?
     
  15. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    4,436
    Location:
    USA
    Very helpful, thanks :thumb:
     
  16. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    470
    Location:
    United States
    @TheWindBringeth

    Thanks for this information. Good find for non-root users.
     
  17. FOXP2

    FOXP2 Guest

    Good question. There's a Global Filters which will read before or after the apps rules in which logically the latter should match your "bottom of" rule.

    NRFglobals.jpg

    I haven't had the need for that yet and I'm curious as to what you have in mind for such a rule?

    BTW, in a "duh, I didn't know you could do that" moment, I found out how to screen shot my Nexus 7. As I did in #1 above, I don't have to use my snapshot camera anymore. :D

    Cheers.
     
  18. FOXP2

    FOXP2 Guest

    Agreed. I'm not counting on it for much either. But it sure is interesting as to how and to what different apps connect to within the google construct.

    Not that there are other nice apps to ferret this out but without rooting and loading up a bunch of Linux tools, GSNR firewall is the best thing I've messed with that pops the hood.

    I've got several apps (all from play.google) which I restrict to 80 and 443 out where I've built anywhere from two to six rules blocking other ports in high well-known and registered. And one way up there in private. :cautious:

    So, find yourself blocking much to 74.125.224.*:80 ??
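
An added illustration, not part of the thread and not NoRoot Firewall's code: the per-packet decision a local VpnService-style filter could make on a raw IPv4 packet, using the kind of rules mentioned in posts #13 and #18 (`74.125.224.*:80`, ports 80 and 443 out). The rule format, the first-match-wins order, the "pending" fallback (modelled on the PENDING ACCESS prompt) and the fail-closed handling of unparseable packets are assumptions; the sample packets are constructed.

```python
import fnmatch
import ipaddress
import struct

def parse_ipv4(packet: bytes):
    """Return (protocol, dst_ip, dst_port) from a raw IPv4 packet, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                       # too short, or not IPv4
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    proto = packet[9]
    if ihl < 20 or proto not in (6, 17) or len(packet) < ihl + 4:
        return None                       # only TCP (6) and UDP (17) carry ports
    dst_ip = str(ipaddress.IPv4Address(packet[16:20]))
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return ("tcp" if proto == 6 else "udp", dst_ip, dst_port)

def decide(packet: bytes, rules):
    """First matching rule wins; no match means 'pending' (ask the user)."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return "block"                    # assumption: fail closed
    _, dst_ip, dst_port = parsed
    for pattern, port, action in rules:
        if fnmatch.fnmatchcase(dst_ip, pattern) and port in ("*", dst_port):
            return action
    return "pending"

def build_packet(dst_ip: str, dst_port: int, proto: int = 6) -> bytes:
    """Constructed sample: 20-byte IPv4 header plus the two port fields."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address("10.0.0.2").packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return header + struct.pack("!HH", 40000, dst_port)

# Hypothetical per-app rule list: (address pattern, port or "*", action).
# The narrow block must come before the broad allows because order decides.
RULES = [
    ("74.125.224.*", 80, "block"),
    ("*", 443, "allow"),
    ("*", 80, "allow"),
]

if __name__ == "__main__":
    for ip, port in [("74.125.224.10", 80), ("93.184.216.34", 443),
                     ("93.184.216.34", 5228)]:
        print(ip, port, decide(build_packet(ip, port), RULES))
```

Moving the `74.125.224.*` rule below the two allow rules would make it unreachable, which is why rule ordering (wish 2 in post #1) matters for a first-match filter.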
     
  19. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    512
    Location:
    Arizona
    Thanks for your help. I figured it out. I was looking for the rule under the app I created it for but found the rule under the global tab.

    I had over 60 block rules for Words with Friends that I wanted to clean up. Those ads come from everywhere.

    Now I have to figure out why Words with Friends locks up or reboots my Nexus 7.
     
  20. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    470
    Location:
    United States
    Yes, there certainly are a lot of connections to Google. I'm thinking this might be related to the Google account sync/backup service or a file/media/system update. Kind of like Windows Media Player checking if a new version of a file is available for download or Dropbox auto-syncing. I'm still experimenting, so until I've had a chance to play around with it further I cannot say for certain. I'm new to Android, so I am in no way an expert. But I'm not going to let that stop me from getting my feet wet.

    I'd recommend toggling off any radios you don't require and checking out the Google settings app on your device. Found some pretty interesting privacy settings that by default were not toggled off that I didn't think justified the privacy concerns.

    I've been experimenting with establishing some general rule sets. There are a lot of apps that I simply don't need accessing the internet regularly that I can't simply uninstall. I can always change this and update things like maps in the future. So I've toggled these to deny any access. Anything that must have internet access will have a custom filter rule set.

    My current deny any connection list:
    Bluetooth Share
    Camera
    Contacts Storage, Contacts, User Dictionary
    Download manager, downloads, media storage
    Contacts Storage, Contacts, User Dictionary
    Gallery
    Maps
    Sound Recorder
    Street View
    Wallet

    Still experimenting with settings to see what is causing what to show up in the access log. I don't use Words with Friends on my own device, but I find the ads annoying when playing on other people's devices. So maybe this will be a good test of the app's ability to block in-app ads. Also applying rulesets to Chrome directly seems to work well.
     
  21. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,584
    This gets my vote of being the best firewall for non-rooted Android.
     
  22. umbrapolaris

    umbrapolaris Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    903
    Location:
    Nha trang (Vietnam) / Paris (France)
    and for rooted one?
     
  23. FOXP2

    FOXP2 Guest

    Off topic. Please start a new thread. Thank you.


    For sure. 99.99999% to their 1e100 dot net. But specifically 74.125.224.*:80 is the subnet that doles out the apps ads. I'm not referring to the Google services (gmail, Google+, People, Drive and so on) but to apps; Joe's Weather, Calculator Extreme, Sooper Solitaire, WiFi Woofer (I made those up). I have no experience with games, so I can't say if there's another 1e100 IP/24 or other CIDRs for games.

    That, of course, will have no effect on ads served by amazon, akamai, cloudfront and the likes of Admob, Admarvel, etc.

    Some apps have wised up and won't even load up their content/service until the initial ad has completed rendering. :'(
    .
     
  24. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    470
    Location:
    United States
    @FOXP2
    "That, of course, will have no effect on ads served by amazon, akamai, cloudfront and the likes of Admob, Admarvel, etc.

    Some apps have wised up and won't even load up their content/service until the initial ad has completed rendering. :'("

    Agreed, companies are wising up. I've had great success on my end, because I limit myself to a small number of applications. Fortunately, their developers haven't caught on. If you are still having problems, might I also recommend a DNS server that filters ads. I've been experimenting with Fool DNS and I must say it's been pretty effective so far. I've had mixed results on an un-rooted iPhone. It's hit or miss with advertisements. Another reason to love android. :)
     
  25. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    4,436
    Location:
    USA
    I've been using this NoRoot firewall for a while and am wondering about what real value it adds in terms of enhancing privacy - realistically what can be achieved? I can see how very knowledgeable users can write rules to block ads, etc, but it seems to me the larger problem is app permissions. Too many apps have unnecessary permissions and what is required is ad-blocking and anti-tracking capability comparable to what we have for desktops - apps like AdBlock Plus and Ghostery, etc. I understand that perfect privacy cannot be achieved on a desktop either, but can you even get close with a cellular device? - even rooted? The carrier network back-end "owns" these things.