
Does anyone know of a hosted VPN service that provides a firewall too?

It seems like the only effective way to control outbound traffic from my Android phone. These solutions don't work effectively:

* Detect and block each outbound connection manually: There are endless holes to close and always new ones; that is playing whack-a-mole.

* Software firewall on phone: The firewall would need to operate on a low enough level to block everything. That is a challenge for all software firewalls, and from my sense of Android's outbound data 'features', that seems especially difficult.

* Hardware firewall of my own: Because my phone is mobile, it's not always connecting through the same hardware. I could create a VPN back to my personal firewall, but then either I must share all my data with my ISP or I must create a 2nd VPN connection from my firewall to a hosted VPN service, which seems like too much latency and complexity.

I can't be the only one who wants this ... ?




Yours seems like a valid use case, but the underlying issue appears not being able to trust and administer your own computing device. From what I can tell a local firewall is possible (with iptables), but you need to install a custom Android build and 'root' your phone.


> the underlying issue appears not being able to trust and administer your own computing device

I'm not sure it's wise to trust your phone these days. I can root and install a custom ROM, but that doesn't solve the problem. What ROM do you recommend? Most are forks of Android that change some features or remove bloatware; I don't know one that locks down the fundamental security of the OS.

> From what I can tell a local firewall is possible (with iptables)

How can you efficiently configure iptables?

1) Run each app in isolation

2) Sniff network traffic

3) Detect and identify every packet heading to an undesirable destination

4) Write a rule to block it

5) Retest until traffic is clean

6) Repeat every time any software is added or updated.

That's not practical. Also, some of the leakage is embedded so deeply in the OS that I don't know if iptables (or other software firewalls) are sufficient.


That is, I fear, the sad state of mobile operating systems. On the desktop you can choose from a bunch of GNU/Linux distributions that are generally considered quite secure and are under a lot of scrutiny — when Ubuntu introduced a search feature that sent search strings from their dash directly to Amazon to helpfully present purchasable media, this was strongly condemned and ultimately disabled by default.

But on smartphones your choices are limited. There are a couple of alternatives, but losing access to either Google's or Apple's app-store appears to be an insurmountable obstacle for most smartphone owners. I am assuming (not judging though!) this is the case here too.

On a technical level though, all IP traffic passes through iptables, even on Android. You are right that manually blocking all that stuff is impractical. Doing the filtering outside of the phone won't solve that dilemma though.


Just a note: You've made multiple assumptions about me in multiple posts, and it's no surprise that all of them are false. Maybe it would be better to just omit the assumptions about others from your posts.



