Hi Inosh,

True that it's the requirement for a true firewall. But when we look into the mobile world, it's apps which are going to access certain hosts. So blocking such apps from accessing the internet will resolve this issue at least to some extent.

To address the problem you are pointing out, Android does not have a standard protocol/APIs exposed. The only way we can achieve such a thing would be by placing the DNS names of the hosts that need blocking in the device's hosts table and telling it to resolve to 127.0.0.1 (the loopback address), where we can prevent those hosts from loading. For that, we have to play with IP tables or the etc/hosts file of the device. This requires root privileges. And this is definitely a hack. But it's possible to block sites on Google Chrome by using Marshmallow device policy manager APIs, or on any other browser by adding a browser add-on.

Thanks

On Wed, Mar 30, 2016 at 9:53 AM, Inosh Perera <[email protected]> wrote:

> Hi Kasun,
>
> This is removing internet permission from an app and completely blocking it from accessing the internet. A firewall means, certain traffic to a certain host is allowed and to another maybe disallowed. How can this be achieved?
>
> Regards,
> Inosh
>
> On Wed, Mar 30, 2016 at 9:34 AM, Kasun Dananjaya Delgolla <[email protected]> wrote:
>
>> Hi Inosh,
>>
>> Refer [1].
>>
>> [1] - https://github.com/googlesamples/android-testdpc/blob/master/TestDPC_UserGuide.pdf
>>
>> Thanks
>>
>> On Wed, Mar 30, 2016 at 9:15 AM, Inosh Perera <[email protected]> wrote:
>>
>>> Hi Kasun,
>>>
>>> Could you point me to the Google API doc for this method?
>>>
>>> Regards,
>>> Inosh
>>>
>>> On Wed, Mar 30, 2016 at 8:46 AM, Kasun Dananjaya Delgolla <[email protected]> wrote:
>>>
>>>> Hi Inosh,
>>>>
>>>> I have already used this to create VPN connections. But a problem occurs when trying to block access.
>>>>
>>>> There's another method in Device policy manager to restrict internet access (revoke internet permission) from apps. What I suggested is to use that.
>>>>
>>>> Thanks
>>>>
>>>> On Mar 30, 2016 8:43 AM, "Inosh Perera" <[email protected]> wrote:
>>>>
>>>>> Hi Kasun,
>>>>>
>>>>> App restrictions imply that the app we are trying to block has an app restriction profile implemented. AFAIK, currently, this is only implemented in Google Chrome. In that case how do we restrict other applications? Just wondering, is it possible to use this [1] API for VPN?
>>>>>
>>>>> [1] https://developer.android.com/intl/zh-cn/reference/android/net/VpnService.html
>>>>>
>>>>> Regards,
>>>>> Inosh
>>>>>
>>>>> On Wed, Mar 30, 2016 at 8:13 AM, Kasun Dananjaya Delgolla <[email protected]> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I have implemented the $subject with VPN. When testing this, I noticed that there are some issues in some devices when blocking the connection.
>>>>>>
>>>>>> What I do here is make a local VPN via the agent app (needs user permission), and direct other app traffic through this. And detect the app which we wanna block using the package manager and block access with the help of a local service (capable of listening to other app connectivity) I have implemented.
>>>>>>
>>>>>> I have tested this on 2 devices. It worked on one and failed on the other. When I did some further digging, I got to know that some devices are not allowing app traffic blocking. So I believe that this mechanism wouldn't be a global solution. I suggest that we should go with Marshmallow's app restrictions API. As the device owner, we should be able to restrict apps from accessing the internet with this. WDYT?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> On Mar 23, 2016 11:27 AM, "Dilshan Edirisuriya" <[email protected]> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> IMO the kiosk mode approach is wrong. Kiosk mode is solely for use cases where you have just one single app in the foreground, such as having an STB in an airport, when conducting exams etc. In order to cater to your requirement we can go for VPN. But we need to support generic VPN types like L2TP, PPTP, IPSec etc. and to add firewall rules around them. Another thing we can do is, if they come up with their own enterprise applications, applications should be able to establish the VPN connection on their own, which we call per-app VPN. Either way it has to go towards that approach. Otherwise we may have to look for firewall type operations in the Android SDK.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Dilshan
>>>>>>>
>>>>>>> On Tue, Mar 22, 2016 at 8:46 PM, Kasun Dananjaya Delgolla <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Milan,
>>>>>>>>
>>>>>>>> The scenario you described is anyway covered via blacklisting + whitelisting. So as I said before, we should carefully decide on the approach to provide the best solution to this.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> On Tue, Mar 22, 2016 at 8:05 PM, Milan Perera <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Kasun,
>>>>>>>>>
>>>>>>>>>> In that case most organizations need to give access only to a certain app which they would allow the end user to use. We can achieve that in Kiosk mode cleanly. Kiosk mode will enable us to enable a *certain app* in a certain time interval disabling all other apps from usage.
>>>>>>>>>
>>>>>>>>> We cannot assume that an organization will only use "*a certain app*". Because most of the time, they use more than one. For example, let's say they have in-house built enterprise apps which all should be allowed to access the network. But enabling only one app as in Kiosk mode will not address the issue.
>>>>>>>>> However if we are to use Kiosk mode in that way, then we should have to use some other method like creating a new Launcher App for Android and enable only white-listed apps in the launcher. In that way we can restrict the use of other apps.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> --
>>>>>>>>> *Milan Perera* | Software Engineer
>>>>>>>>> WSO2, Inc | lean. enterprise. middleware.
>>>>>>>>> #20, Palm Grove, Colombo 03, Sri Lanka
>>>>>>>>> Mobile: +94 77 309 7088 | Work: +94 11 214 5345
>>>>>>>>> Email: [email protected] | Web: www.wso2.com
>>>>>>>>> <http://lk.linkedin.com/in/milanharinduperera>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Kasun Dananjaya Delgolla
>>>>>>>>
>>>>>>>> Software Engineer
>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>> lean.enterprise.middleware
>>>>>>>> Tel: +94 11 214 5345
>>>>>>>> Fax: +94 11 2145300
>>>>>>>> Mob: + 94 771 771 015
>>>>>>>> Blog: http://kddcodingparadise.blogspot.com
>>>>>>>> LinkedIn: http://lk.linkedin.com/in/kasundananjaya
>>>>>>>
>>>>>>> --
>>>>>>> Dilshan Edirisuriya
>>>>>>> Senior Software Engineer - WSO2
>>>>>>> Mob: + 94 777878905
>>>>>>> http://wso2.com/
>>>>>>> https://www.linkedin.com/profile/view?id=50486426
>>>>>
>>>>> --
>>>>> Inosh Perera
>>>>> Software Engineer, WSO2 Inc.
>>>>> Tel: 077813 7285, 0785293686

--
Kasun Dananjaya Delgolla

Software Engineer
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
Tel: +94 11 214 5345
Fax: +94 11 2145300
Mob: + 94 771 771 015
Blog: http://kddcodingparadise.blogspot.com
LinkedIn: http://lk.linkedin.com/in/kasundananjaya
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
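The local-VPN blocking approach discussed in this thread, sketched as an added example that is not code from the thread or from the WSO2 agent: it uses `VpnService.Builder.addAllowedApplication` (API 21+) to route only the blocked packages into a tunnel whose packets are never forwarded, which is one variation on the mechanism described above. The class name, tunnel addresses and package list are assumptions, as is the surrounding setup (the service is declared in the manifest with `BIND_VPN_SERVICE` and the user has already consented through `VpnService.prepare()`).

```java
import android.content.pm.PackageManager;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.List;

// Added example (hypothetical class name): a local "sinkhole" VPN. Only the
// listed packages are routed into the tunnel, and nothing read from it is forwarded.
public class SinkholeVpnService extends VpnService {
    private ParcelFileDescriptor tun;

    // blockedPackages comes from the management policy (assumed input).
    public void startSinkhole(List<String> blockedPackages) throws IOException {
        Builder builder = new Builder()
                .setSession("sinkhole")
                .setBlocking(true)               // read() waits for packets
                .addAddress("10.111.0.1", 32)    // constructed tunnel addresses
                .addAddress("fd00:111::1", 128)
                .addRoute("0.0.0.0", 0)          // capture all IPv4 ...
                .addRoute("::", 0);              // ... and all IPv6
        int captured = 0;
        for (String pkg : blockedPackages) {
            try {
                builder.addAllowedApplication(pkg);  // API 21+
                captured++;
            } catch (PackageManager.NameNotFoundException e) { /* not installed */ }
        }
        // With no allowed application set, the VPN would capture every app.
        if (captured == 0) return;
        tun = builder.establish();  // null when the user has not consented
        if (tun == null) throw new IOException("VPN not prepared");
        new Thread(this::drain, "sinkhole-drain").start();
    }

    // Read and discard every packet the blocked apps send.
    private void drain() {
        byte[] packet = new byte[32767];
        FileInputStream in = new FileInputStream(tun.getFileDescriptor());
        try {
            while (in.read(packet) >= 0) { /* dropped, never forwarded */ }
        } catch (IOException e) { /* tunnel closed: stop draining */ }
    }

    @Override
    public void onDestroy() {
        try { if (tun != null) tun.close(); } catch (IOException ignored) { }
        super.onDestroy();
    }
}
```

Per-host rules, as asked for earlier in the thread, would go inside `drain()`: parse the destination address from each packet's IP header and forward or drop accordingly, which also requires the service to relay the permitted traffic itself.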
