An app can use the VPN API to intercept network traffic. This is all done with plenty of security popups (one to inform you an app is trying to register as a VPN, the another popup when it's first activated, and the while it's active there's a permanent notification that says "your connection may be monitored" with a quick button to kill the VPN).
The API is supposed to let apps do things like "route intranet/corporate app traffic over a VPN, let other traffic go through", but you can just as easily use it to drop traffic destined for certain addresses (such as ad servers), or to drop all traffic for specific apps. It's also possible to make decisions like "let this app connect to the internet on wifi but not on data".
It should be noted that system applications (phone OS, Google, sometimes carrier apps) can bind to specific network interfaces bypassing this API entirely. This means you can't use this API to 100% block internet access to preinstalled apps, even though apps will need to explicitly implement networking code to bypass such firewalls.
It should be noted that Google doesn't really like apps abusing the VPN API like this, in past because of the massive privacy risk. Google cut a bunch of these apps from Google Play, though there's not much they can do about APKs you download from F-Droid or github.
> should be noted that Google doesn't really like apps abusing the VPN API like this
Not really.
Only apps that use the VpnService and have VPN as their core functionality can create a secure device-level tunnel to a remote server. Exceptions include apps that require a remote server for core functionality such as:
- Parental control and enterprise management apps
- App usage tracking
- Device security apps (for example, anti-virus, mobile device management, firewall)
- Network-related tools (for example, remote access)
- Web browsing apps
- Carrier apps that require the use of VPN functionality to provide telephony or connectivity services.
> It should be noted that system applications (phone OS, Google, sometimes carrier apps) can bind to specific network interfaces bypassing this API entirely
Whilst this is true for Android (connectivity checks bypass VPNs, as do VoWiFi and Hotspot traffic) [0], other OSes are known to do the same thing: https://news.ycombinator.com/item?id=24838816
Their official policy (can't find the up-to-date link because Google's documentation bitrots faster than any other website on the net) over at https://archive.is/OPg2g clearly stated:
The VPNService cannot be used to:
•Collect personal and sensitive user data without prominent disclosure and consent.
•Redirect or manipulate user traffic from other apps on a device for monetization purposes (for example, redirecting ads traffic through a country different than that of the user).
•Manipulate ads that can impact apps monetization.
Google has also removed/threatened to remove prominent firewall VPNs for bullshit reasons (claims that apps violate random policies), though that may just as easily be random Google bullshit fallout every Android developer needs to deal with.
> Whilst this is true for Android (connectivity checks bypass VPNs, as do VoWiFi and Hotspot traffic) [0], other OSes are known to do the same thing: https://news.ycombinator.com/item?id=24838816
You're right, of course. Unless you own the kernel on every SoC running on your system (including the modem), you should always assume there's a possibility of network traffic leaking through firewall APIs.
On Android specifically, though, there is a significant chunk of users that will want to restrict the built-in apps because carrier-installed apps or shady Chinaware that come with cheap phones cannot be disabled by default. Other platforms usually don't have this type of malware baked into the OS in a way that cannot be removed. Apple's questionable privacy decisions are a lot less worse than what some people try to block with these firewalls.
> Google has also removed/threatened to remove prominent firewall VPNs for bullshit reasons (claims that apps violate random policies) ...
I co-develop one such open source "firewall app" for Android, and you're right that apps like ours have been previously removed for blocking ads out-of-the-box. But, removals also happen due to stricter rules/policies that apply to apps using VPN APIs.
Note that, of late, many a popular apps ad-blocking out-of-the-box (like the DuckDuckGo browser with app tracking protection) haven't been removed.
> Unless you own the kernel on every SoC running on your system (including the modem)
I get your point but don't think even a rooted (supervisor) Kernel gets you much guarantee as there always could be a higher privileged hypervisor controlling it.
> Apple's questionable privacy decisions are a lot less worse
They've improved post Celebgate yeah, but the duality is such that... Apple is one of the largest buyers of user data aka "market intelligence" (per folks I know who work in this domain) that (presumably) these other shady apps collect.
No, not generally. A firewall app could include an OpenVPN/WireGuard/etc. client to serve both purposes, but by default you'll have a hard time getting more than one VPN app to work at the same time.
https://netguard.me/