
Fyrypt

Android firewall with UID + PID rules, dnscrypt-proxy management, and per-app live network monitoring

README


Fyrypt is pronounced as fire-ept (/ˈfaɪɹɛpt/).

Download:

Github Telegram

👉 Attention:

  • ROOT is required. Your device must be rooted. ADB is supported only if adb root works.
  • Enabling the firewall without proper configuration blocks all network access. If you manage the device over a remote connection, you may lock yourself out. Fyrypt itself won't be able to obtain root access if local network access is denied.


Terminology

  • PID: process identifier. Every program or app we run is assigned a unique PID by the core Android operating system (the Linux kernel). Processes that run continuously in the background are called daemons or services.
  • UID: user identifier. It's a number assigned to processes running on UNIX-like systems (which include Android). Multiple apps / processes can share a UID. On desktop systems, all apps / processes started by, and all files created by, a human user are usually assigned that user's UID, which isolates users from each other. On Android, however, each app is assigned its own unique UID.
  • Firewall: software or hardware that controls network activity. The Linux / Android kernel has a built-in firewall named NetFilter, which is configured using the iptables tool.
  • Server: a computer (or a process running on a computer) which provides a specific service to other computers (or to processes on the same computer). Websites are a common example. They are hosted on computers called web servers. When we "open" a website, we connect to its web server to fetch the required information or data.
  • IP: internet protocol. It's the language computers use to talk to each other on the internet. Servers on the internet are assigned unique numbers called IP addresses. When a client connects to a server, the former uses the IP address of the latter to reach it.
  • DNS: domain name system. The website addresses we are familiar with are called domains. They are easy to remember. But networks use IP addresses to identify clients and servers, and IP addresses, being numbers, are difficult to remember. So DNS is an active system on the internet which maps domains to IP addresses. When we need to access a domain, we first ask a DNS server to translate the domain to its IP address. DNS servers are reachable at fixed IP addresses.
  • dnscrypt-proxy: an intermediary DNS server process which we run on our own device. It encrypts DNS queries before sending them to a DNS server on the internet. Old-style plain (unencrypted) DNS queries are easily intercepted by Internet Service Providers (ISPs) and governments; encrypted DNS adds a layer of privacy. In this document we use DNSCrypt (which is also the name of the encryption protocol) to refer to dnscrypt-proxy.
  • Private DNS: Android's built-in encrypted DNS. Then why do we need dnscrypt-proxy? Because Private DNS is not very configurable. For instance, you can't block a list of unwanted domains. Also, Private DNS speaks the DoT protocol, which uses a dedicated port (853) and is therefore easily identified.

UID Firewall

Using the owner extension of Linux iptables, packets can be filtered based on the UID of the originating process. Android apps have unique UIDs, so you define the rules and leave the rest to the kernel.

Fyrypt's UID firewall (main) screen has 3 views:

Apps view

All apps with the INTERNET permission are listed here. Items can be filtered and sorted by different parameters.

UIDs view

Here we define UIDs other than those assigned to apps. Some common UIDs used by the Android framework are predefined. For instance, you may want to whitelist AID_NETWORK_STACK (UID 1073), AID_MDNSR (UID 1020) and AID_DNS_TETHER (UID 1052) for Android's network stack to function normally. AID_SHELL (UID 2000, package com.android.shell) might also be required for wireless ADB to work. "Kernel" is a special case: packets generated by the kernel have no UID.

Swipe right a manually added UID to delete it.

Live view

It's the result of the previous two configurations. Any running apps or processes which have been unblocked appear here. Note that this list does not include the apps or processes which have been unblocked by the custom-defined rules.


In Apps and UIDs view, there are 2 options (checkboxes) for each UID:

  • Whitelist / unblock the app / UID
  • Notify when the app / UID is blocked

There's also a configuration screen to manually add firewall rules. Say you want to allow an app to access only certain ports. Define a rule like -m owner --uid-owner <UID> -m multiport --dports 20:22. Note that the table, chain and target are not specified; they are injected automatically. In the same way, rules can be defined based on source / destination IP, interface name, etc.
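The following is an added illustration, not code from the Fyrypt project, of how a bare rule fragment entered on the custom-rules screen is completed into a full iptables command by injecting the table, chain and target, and why the catch-all DROP must come last (the lockout warning above). The table name filter, the chain name FYRYPT_OUT and the final DROP are assumptions; Fyrypt's real names are not given in this README. The script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not Fyrypt's own code). Completes user-supplied match
# fragments such as "-m owner --uid-owner 10123 -m multiport --dports 20:22"
# into full iptables commands. TABLE and CHAIN are assumed names.
TABLE=filter
CHAIN=FYRYPT_OUT

# A fragment may only contain match options: the table (-t), the chain
# operation (-A/-I) and the target (-j) are injected by the app, so a
# fragment that tries to set them is rejected.
validate_fragment() {
    for tok in $1; do
        case "$tok" in
            -t|--table|-A|--append|-I|--insert|-j|--jump) return 1 ;;
        esac
    done
    return 0
}

# Turn one match fragment plus a target into a full command line.
build_rule() {
    validate_fragment "$1" || return 1
    printf 'iptables -t %s -A %s %s -j %s' "$TABLE" "$CHAIN" "$1" "$2"
}

# Print the whole chain: create it, append every whitelist fragment as an
# ACCEPT, then the catch-all DROP, then hook the chain into OUTPUT.
# Ordering matters: with DROP first, every app (and Fyrypt's own root
# helper) would be cut off, which is the lockout described above.
build_chain() {
    printf 'iptables -t %s -N %s\n' "$TABLE" "$CHAIN"
    for frag in "$@"; do
        build_rule "$frag" ACCEPT || { printf 'bad fragment: %s\n' "$frag" >&2; return 1; }
        printf '\n'
    done
    printf 'iptables -t %s -A %s -j DROP\n' "$TABLE" "$CHAIN"
    printf 'iptables -t %s -A OUTPUT -j %s\n' "$TABLE" "$CHAIN"
}

# Sample run with the README's port-range rule plus two framework UIDs.
# 10123 is a constructed app UID; 1073 and 1020 are the UIDs named above.
build_chain "-m owner --uid-owner 10123 -m multiport --dports 20:22" \
            "-m owner --uid-owner 1073" \
            "-m owner --uid-owner 1020"
```

Running it prints the commands only; pipe the output to a root shell on the device to apply them, after checking that every rule you rely on for remote access is listed before the DROP.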

You can learn more about iptables from any Linux resource.

Note that if multiple apps share the same UID, they are blocked / unblocked together.

PID Firewall

What if multiple processes are running with the same UID? For instance, a number of processes run as root (UID 0) on Android devices, including the ADB daemon adbd. You may want to block all of them except adbd. That's not possible with a UID-based firewall: it either blocks or unblocks them all.

A solution is a PID-based firewall. Because of the way it is implemented in Fyrypt, it's not available on all devices. Your kernel must be built with cls_cgroup and xt_cgroup support (config options: NET_CLS_CGROUP, CGROUP_NET_CLASSID and NETFILTER_XT_MATCH_CGROUP). Here is a sample project. The iptables binary must also be built with cgroup support. You can download it from here.

Fyrypt's process firewall screen has 3 views:

Processes view

Select processes by name. Any process with the same name and UID is unblocked as soon as it starts (within a few seconds). Very short-lived processes which need connectivity immediately after being started, like ping, may not work (see the difficulties of process tracking: proc_events is unavailable and audit is unusable on Android).

Services view

Select Android's init services by name. A service with the same name is unblocked as soon as it starts (within a fraction of a second).

Live view

It's the result of the previous two configurations. Any running processes which have been unblocked appear here. If an unblocked process starts child processes, they are also unblocked by default, so they appear here too. You can manually block / unblock processes here; these choices are not remembered.


So, for the example given above, if you want to unblock the adbd process (but not other root processes), whitelist the service named adbd. Another service, netd (responsible for DNS queries), also runs as root. You may also unblock it (if not using dnscrypt-proxy). But beware that netd also proxies connections other than DNS queries, so unblocking it may effectively unblock other apps as well.

Similarly, many apps on Android devices run with the system UID 1000, including bloatware added by the OEM. If you want to keep them blocked but allow the core Android framework to connect to the internet, you can unblock the system_server or com.android.settings process.

And so on.

Firewall management

Note that a process or an app is unblocked if it's whitelisted by UID, or PID, or both.

Blocking Groups

Add apps, UIDs, processes and services to a group, then block / unblock the whole group at once. Long press an item to add it to, or remove it from, a group. Swipe right on a group to delete it, or on a group member to remove it from the group. Long press a group to rename it.

New app notify

When the firewall service is active and an app with the INTERNET permission is installed, you see a notification offering to block or unblock the app.

Visible app unblocking

The firewall service notification shows a button to unblock the foreground app that is visible on screen (provided that it has the INTERNET permission and is blocked). If you unblock the app, it remains unblocked as long as you are using it. After it is closed, Fyrypt blocks the app again after 30 seconds (configurable in Settings).

If the app is part of a
