[APP][4.0.3+ & GB][XPOSED] LightningWall

[defim]

Xposed app firewall.

This app is an firewall for the installed apps. Only apps with permission "android.permission.INTERNET" are
shown. IPv4 and IPv6 are supported together with TCP and UDP. You could configure outgoing and incomming
connections independent from each other.
The rules could be applied for each network: W-Lan, local network, mobile, roaming, unknown.
Logging is configurable for incomming/outgoing and allowed/denied connections.

Colors:

• Blue: Template is used.
• Yellow: Custom settings.
• Green: The app is trusted.
• Red: The app is blocked.

Features:

• No iptables required, the kernel doesn't need to support it.
• The firewall is active when Android starts, no startup data leak.
• The rules are always active, no re-apply on connection change is needed.

Limitiation:

• Host names in the log file are PTR entries.
• Works only for Android (Java), not the native (Linux) part

Donation:

• No self-promotion in the app.
• You could trust or block an app (Menu/ActionBar)
• You could use a template for not configured apps
• Additional (experimental) networks: Bluetooth, WiMAX, Ethernet
• Tasker support, per App
• You support this app and further development!

Permissions:

• ACCESS_SUPERUSER: apply iptables rules

This app does not connect itself to any websites or hosts!

Important:
This app needs the Xposed Framework. The framework requires root access for installation. Don't forget to enable the module in Xposed. You can grab it here: Xposed Installer

Website: http://tinyurl.com/l5bpv23
Play Store: http://tinyurl.com/ome2pvc
Xposed Repository: http://tinyurl.com/ksc6plz
Changelog: http://tinyurl.com/n8gsqja

Why this app? No firewall for Xposed exists yet

Translation:
You could find here a interface to translate the english strings: http://tinyurl.com/okycacj
A free account of www.oneskyapp.com is required to edit. Additional, please attach your email address or send it via PM

 

[shivadow]

Insane.. I was looking for something like this about 12 hours ago.. its almost like you read my mind and made it just for me!.

I like your style. Nice and simple and keeping it in line with your others.

Sent from my GT-I9300 using Tapatalk

 

[greatdaneduke]

Downloading now.

Sent from my SCH-I535 using XDA Premium 4 mobile app

 

[defim]

Insane.. I was looking for something like this about 12 hours ago.. its almost like you read my mind and made it just for me!.

I like your style. Nice and simple and keeping it in line with your others.

Sent from my GT-I9300 using Tapatalk

Maybe you head me thinking loud 6 weeks after starting this app: "i will release today, if there are still error, i'll fix them later"

 

[an0n981]

Am I correct in assuming this is not open source?

 

[defim]

I got a question about incoming/outgoing connections, maybe somone else want to know:
Incoming connections are used by less than 1% of all apps. This is used if the app is a "server", like BubbleUPnP. So most time incoming conections could be blocked, i think for mobile network 100%.
An outgoing connection is like a phone call: You call someone (outgoing connection), and can talk (send "data") and hear (receive "data")

Wifi Internet and Network:
If you want to control eg your local tv-receiver, xbmc device or avm router (with FreetzMobil), only connections to the local network are required. This prevents app to send data to the internet.
The "local network" are all "private" IPv4 and IPv6, they will not be forwarded by internet routers. Additionally, if you use "public" IPs they are local if it is in the same subnet as a ip of your device. Uncommon for IPv4 usage, but public IPv6 are the common usage (public IPv6 for every device)

Am I correct in assuming this is not open source?

As usual i send source only to people i know

 

[an0n981]

I took this mod for a quick test drive, a little feedback:
-Is it not possible to restrict kernel?
-Could it be that apps that use native libraries to connect to the internet cannot be restricted? Firefox and Mega (both use native libraries) were able to connect even when completely restricted.
Also a little cosmetic issue com.android.process.gapps showed completely green at all times. However restrictions were applied properly

 

[defim]

I took this mod for a quick test drive, a little feedback:
-Is it not possible to restrict kernel?
-Could it be that apps that use native libraries to connect to the internet cannot be restricted? Firefox and Mega (both use native libraries) were able to connect even when completely restricted.
Also a little cosmetic issue com.android.process.gapps showed completely green at all times. However restrictions were applied properly

Yes, see OP: "Limitiation: ... no native binaries." This is because the design of Xposed
Isn't it "com.google.process.gapps"? Onyl this one app has the wrong colors? Has it a green dot for "trusted app"? What did you configured for it?

 

[an0n981]

Yes I meant com.google....
I set it from template to custom, blocked everything, however in the app overview it still showed as all green. When it was restricted GCM was blocked and the log showed blocked connections to mtalk.google.com:5228. Then I unrestricted outgoing mobile and wifi and GCM was available and the log correctly showed allowed connections but the colors in the app overview didn't change

 

[defim]

Version 1.0.1 uploaded
- fix "incoming" thx @w0rinal
- also an error related to coloring, @an0n981 can you check if it fixes your problem? Toggling options could be required

 

[an0n981]

- also an error related to coloring, @an0n981 can you check if it fixes your problem? Toggling options could be required

Sorry the bug is still present
Also 1 more questions. Do you see any problem running this along side AFWall?

 

[an0n981]

The bug affects any app that starts end ends with <>. <android.media> and <org.mozilla.firefox.sharedid> also always revert back to displaying completely green once the app is reloaded

 

[defim]

Also 1 more questions. Do you see any problem running this along side AFWall?

No, should work without problems. The one created iptables rules other hooks the connection methods - if one fails, the other does it

The bug affects any app that starts end ends with <>. <android.media> and <org.mozilla.firefox.sharedid> also always revert back to displaying completely green once the app is reloaded

The "<>" entries are not real apps (.apks) with a package name, they are uids. At app start i load all installed apps with internet-permission and hide apps which are no more installed / have not any longer the permissions -> the uid items are not in the list of installed apps (obviously)
Will be fixed in next release
EDIT: Uploaded

 

[jaibar]

This is awesome ?



A few questions:

- is there a way to edit template? I couldn't find it anywhere in settings- am I missing something?

- Can you add multiple selection? For example, someone has lots of apps and wants to block roaming to them etc. etc. without having to change it manually for each app.

- filtering or sorting apps? perhaps something simple like the way afwall , or a more thorough filter like XPrivacy has?

Sent from my Nexus 5 using Tapatalk

 

[an0n981]

The "<>" entries are not real apps (.apks) with a package name, they are uids. At app start i load all installed apps with internet-permission and hide apps which are no more installed / have not any longer the permissions -> the uid items are not in the list of installed apps (obviously)
Will be fixed in next release
EDIT: Uploaded

Confirmed fixed

 

[defim]

This is awesome ?



A few questions:

- is there a way to edit template? I couldn't find it anywhere in settings- am I missing something?

- Can you add multiple selection? For example, someone has lots of apps and wants to block roaming to them etc. etc. without having to change it manually for each app.

- filtering or sorting apps? perhaps something simple like the way afwall , or a more thorough filter like XPrivacy has?

Sent from my Nexus 5 using Tapatalk

The template is used for all "blue" apps, which where are not configured by user. Modifying template is part of the donator options (see OP).

Btw, next planned feature: detection of VPN connections

 

[mermaidkiller]

The template is used for all "blue" apps, which where are not configured by user. Modifying template is part of the donator options (see OP).

Btw, next planned feature: detection of VPN connections

Nice feature !
I dry tested this app (i.e. not checked in the Xposed module on my device) and already saw that the VPN was missing. Now I use AFWall+ which is good and has more profiles. I block all Google apps with it with a 'limited internet' profile and every time I download something from Play, I load another profile which allows 'Google Play services' and 'Google Play store' internet connection and after download/update I revert to 'Limited internet'.

On my Mac I have 'Little Snitch' firewall which has the ability to let it prompt for certain apps which I don't want to be connected permanently (such as the Mac App Store), but only when I do e.g. an OSX update. In that case I let it prompt and say 'only this time'.

A similar approach on LightingWall should be very welcome. E.g. a notification that the Play store wants to connect with internet and when one wants to download / update an app, say 'only this time' and not permanently.

 

[banderos101]

Nice feature !
I dry tested this app (i.e. not checked in the Xposed module on my device) and already saw that the VPN was missing. Now I use AFWall+ which is good and has more profiles. I block all Google apps with it with a 'limited internet' profile and every time I download something from Play, I load another profile which allows 'Google Play services' and 'Google Play store' internet connection and after download/update I revert to 'Limited internet'.

On my Mac I have 'Little Snitch' firewall which has the ability to let it prompt for certain apps which I don't want to be connected permanently (such as the Mac App Store), but only when I do e.g. an OSX update. In that case I let it prompt and say 'only this time'.

A similar approach on LightingWall should be very welcome. E.g. a notification that the Play store wants to connect with internet and when one wants to download / update an app, say 'only this time' and not permanently.

Xprivacy implements a similar thing, allowing the user to be informed when one of the restrictions are asking for access of that permission, including internet permissions(no distiction between lan or vpn), i would also welcome an on demand prompt feature for this app, its one faeture i wished afwall had, but believe it cant because of the nature of iptables i believe,
Saying that im also kinda worried that this might conflict, two apps essentially fighting for control to "pause" the system, hope im wrong, maybe if the two devs of the two respective apps co-orporated in implementation,it might be resolved, if there is an issue, i dont know........... but im getting ahead of myself here, defim has not even stated that he'll implement this, still, no harm in discussing possibilities, slim or not

 

[defim]

@banderos101 @mermaidkillerIf you want to be informed if an app is allowed or denied to access some hosts, you could get it with Tasker. Just with a simple message box or more enhanced things Tasker can do. It should not be a problem using this app wiht Xprivacy, AFwal etc. If you block a connection with one app, it could be that the others can't see/log it. This depends on the order of the apps, An iptables firewall should be the last the connection is passing.
A per host filter is not planned, if you want to stop connection to some (tracking, malwar, adware) hosts a hosts file filter could be used, like my UnbelovedHosts

 

[hackel]

As usual i send source only to people i know

Too big a risk to take for security software like this. Post your work up on Github under a reasonable license.

I'm not seeing a big advantage over the GPL AFWall+ anyway.