- Google has merged a handful of commits into AOSP that add the feature.
- The Restricted Networking Mode is a firewall chain for select apps.
- The feature is available for a few OEM-signed device applications.
There’s still a lot we don’t know about Google’s next big OS update. The first Android 12 Developer Preview will go live next month. Given that the majority of Android 12’s codebase is not public, digging through the Android Open Source Project can only reveal so much. Still, signs of new Android features often appear in AOSP, but they’re just not really exciting. The new feature is called restricted networking mode. It is not the configurable firewall that was expected, but it has some interesting consequences.
Restricted Networking Mode
A handful of commits merged into AOSP define the new restricted networking mode feature. To enable it, Google developed a new firewall chain, which is a collection of rules enforced by the Linux iptables utility to allow or block network traffic. When the mode is turned on, only apps with the ‘CONNECTIVITY_USE_RESTRICTED_NETWORKS’ permission are allowed to use the network.
Only privileged system applications and/or OEM-signed applications can hold the permission for this mode. Network access would be blocked for all user-installed applications. However, users will still receive push notifications from apps using Firebase Cloud Messaging (FCM). The Google Play Services app routes these notifications through the privileged server, and it holds the required permissions. But no other app (excluding a handful of other system apps) can send or receive data in the background.
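As an added example (not code from AOSP or from the original article), the script below audits which packages would keep network access under this mode by checking whether the permission is actually granted, not merely requested. It assumes the text layout printed by `adb shell dumpsys package` and the full permission name `android.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS`; the sample input is constructed and the `com.example.*` package names are hypothetical.

```python
import re

PERMISSION = "android.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS"

# Constructed sample in the layout printed by `adb shell dumpsys package`;
# the com.example.* packages are hypothetical.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.google.android.gms] (1a2b3c4):
    userId=10120
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS: granted=true
  Package [com.example.usernews] (5d6e7f8):
    userId=10231
    requested permissions:
      android.permission.INTERNET
      android.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.oemupdater] (9a8b7c6):
    userId=1000
    install permissions:
      android.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS: granted=true
      android.permission.INTERNET: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
GRANT_RE = re.compile(r"^\s*(\S+): granted=(true|false)")

def classify(dumpsys_text):
    """Return (exempt, blocked): packages that keep or lose network access."""
    granted = {}  # package name -> True once the permission shows granted=true
    current = None
    for line in dumpsys_text.splitlines():
        if m := PKG_RE.match(line):
            current = m.group(1)
            granted.setdefault(current, False)
        elif current and (m := GRANT_RE.match(line)) and m.group(1) == PERMISSION:
            # Requesting the permission is not enough; it must be granted.
            granted[current] |= m.group(2) == "true"
    exempt = sorted(p for p, ok in granted.items() if ok)
    blocked = sorted(p for p, ok in granted.items() if not ok)
    return exempt, blocked

if __name__ == "__main__":
    print(classify(SAMPLE_DUMPSYS))
```

A user-installed app that lists the permission under "requested permissions" without a matching `granted=true` entry still lands in the blocked set.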
Upcoming Android 12 Feature
It is still unknown where Google would put a toggle for restricted networking mode in Android 12. A shell command can toggle and programmatically query the restricted mode at runtime, just like Android’s Data Saver feature. But it’s not known if Google plans to allow users to build their own app allowlist/blocklist. Google could add a user-facing settings page to limit internet access on a per-app basis. This way, users would not have to rely on apps such as NetGuard that use Android’s VPN API. There is nothing wrong with the way these apps function, but bad OEM software can easily kill them.