RethinkDNS: use both DNS and VPN a bad idea?

I recently came across RethinkDNS for Android. I have enabled it with the Adguard DNS-over-HTTPS (because the built-in Android feature Private DNS is DoT and in my experience gets blocked on many public networks). Then I have added some local filter lists in the Rethink app. I also use the firewall feature to block some apps from the network.

Rethink also can connect to a VPN via Wireguard. So you could for example connect to ProtonVPN through it. What happens if both the VPN and DNS are enabled in Rethink? Is that a bad idea because it means two parties instead of only one will see which servers you’re connecting to?

Also, add-on question. On a ROM like GrapheneOS that exposes the Android INTERNET permission in the settings, is there any point in using the firewall feature of Rethink instead of just removing the built-in Internet permission?

I’ve not tried using both a 3rd party DNS provider and Wireguard together, but yeah you want to trust fewer parties if possible. From what I’ve read, it also makes your traffic more unique so it’s better to use the VPN’s DNS provider which probably already comes with some filtering of its own. Since you have local blocklists, you may not need Adguard.

I use Rethink because it gives you more granular firewall functionality and logging; I like the “isolate app” option which is default deny. It’s better to use Graphene’s built-in firewall to block access altogether though.


Supplementing with this: Android | Madaidan's Insecurities

The point about Netguard and Afwall applies to Rethink too. Apps can use other apps (with mutual consent) or system APIs to get network access. Only Graphene’s built-in permission is guaranteed to block everything.

If you do need to grant untrusted apps network access, installing as few apps as possible and as few proprietary apps as possible would reduce that risk. And sandboxing with Shelter or user profiles is the best way, but then you would maybe want to have Rethink on all of those.

1 Like

ex-AOSP and rdns dev here

I have answered this elsewhere quite a few times, but here’s one for privacy-guides.

apps can use IPC to bypass such restrictions.

> Only Graphene’s built-in permission is guaranteed to block everything.

Well, apps can use IPC to bypass pretty much anything. To give you an example: An app that doesn’t have the internet permission can still transfer data over audio (ex) or light signals. So, by that logic, even Graphene’s mitigation to remove internet permission from the app falls flat on its face. I am not saying that ALL implementations are on equal footing, but that the IPC argument is so strong, that it’ll pretty much break every firewall you could come up with that’s not a Faraday’s cage. I mean, there’s a reason air-gapped PCs are even a thing in cybersecurity.

(btw, you should ask Madaidan’s if that article is up to date with the latest AOSP where DownloadManager in fact assumes the “identity” of the caller when executing download tasks, and if their assertions about DownloadManager acting as a “proxy” still hold).

> You should also run the app in its own user or work profile to ensure that it cannot abuse third party apps either.

This statement strikes me as odd because if they were familiar with AOSP internals, they’d not have made it.

1 Like

This is a valid concern, but not as severe… Either way, starting next version, v055b that’s due in a week or so, Rethink will tunnel any and all DNS traffic through WireGuard upstreams.

1 Like
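To make the “two parties see your lookups” concern from the question concrete: with a WireGuard tunnel, whether DNS queries travel inside the tunnel depends on the resolver address and AllowedIPs together, not on the VPN being “on”. The two configurations below are an added illustration written for this thread, not Rethink’s or any VPN provider’s actual configuration; every address, key and endpoint is a constructed placeholder.

```ini
# --- Leaky split-tunnel setup (constructed example) ---
# Only the provider's 10.2.0.0/24 range is routed through the tunnel,
# but the resolver 9.9.9.9 is outside that range, so every DNS query
# leaves over the normal network interface, visible to the local network
# and to the resolver operator as a second party.
[Interface]
Address = 10.2.0.2/32
PrivateKey = <CLIENT-PRIVATE-KEY-PLACEHOLDER>
DNS = 9.9.9.9

[Peer]
PublicKey = <SERVER-PUBLIC-KEY-PLACEHOLDER>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.2.0.0/24

# --- Corrected full-tunnel setup (constructed example) ---
# The resolver is the provider's in-tunnel address and AllowedIPs covers
# all of IPv4 and IPv6, so DNS and application traffic share one path and
# only the VPN operator sees the lookups.
[Interface]
Address = 10.2.0.2/32
PrivateKey = <CLIENT-PRIVATE-KEY-PLACEHOLDER>
DNS = 10.2.0.1

[Peer]
PublicKey = <SERVER-PUBLIC-KEY-PLACEHOLDER>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

The check to apply to any client, Rethink included, is the same: the address your DNS queries are sent to must be covered by the tunnel’s AllowedIPs, otherwise the resolver you configured becomes an additional observer on the path.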

Could you expand on this (be more specific) for those of us who are not familiar with AOSP internals?

Yeah I’m not sure what to do about apps bypassing network access altogether. I don’t think it’s something we’ll see in the wild much, but then again I could see Google sharing device identifiers via sound to get an idea of which other phones are nearby.

I’m guessing Madaidan means that isolating apps that way keeps them from talking to other user-installed apps. That would help with compartmentalizing trackers at least.

Also I’m a big fan of your project, I didn’t realize you were here too.

1 Like

It is an odd thing to say because every installed app is already running in its own user. This is how it has been ever since I started working on AOSP (Gingerbread).

Also, other apps cannot really “abuse” other apps in any meaningful way without breaking the OS sandbox; and if an app is capable of doing so, Work Profile is not a sufficient security boundary.