NetGuard – rootless Android outbound per-app OSS firewall, like Little Snitch

Overview of NetGuard Use and Value

  • Many users report long-term use and consider NetGuard worth paying for, especially on de-Googled or repurposed devices.
  • It’s appreciated for per-app outbound control, notifications on new connections, and the visibility it provides into app behavior.
  • Some use it even on OSes that already have network toggles, for its better UX and host-based blocking.

How NetGuard Works and Its Limitations

  • Implements a firewall via Android’s VPN API, so:
    • No protection during early boot.
    • Only one “VPN” at a time, so it conflicts with regular VPNs (WireGuard, Tailscale, commercial VPNs) unless complex workarounds are used.
  • Some functionality (detailed stats, PCAP export, some UI extras) requires a paid license; price visibility is criticized.
  • F-Droid build can see all apps; Play Store build is restricted.
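
The VPN-API mechanism above, as an added sketch (not NetGuard's own code): a service that scopes a local tunnel to selected apps and never forwards what arrives on it. The class name, package names and tunnel addresses are constructed for illustration; only standard Android VpnService calls are used.

```java
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import android.util.Log;
import java.io.IOException;

// Hypothetical service; its manifest entry needs android.permission.BIND_VPN_SERVICE
// and an intent filter for android.net.VpnService.
public class SinkholeVpnService extends VpnService {
    // Constructed package names standing in for the user's block list.
    private static final String[] BLOCKED = {"com.example.tracker", "com.example.game"};
    private ParcelFileDescriptor tun;

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        // Nothing is filtered until this runs, hence no protection during early boot.
        if (tun != null) return START_STICKY;
        Builder b = new Builder().setSession("sinkhole")
                .addAddress("10.1.10.1", 32).addRoute("0.0.0.0", 0) // constructed addresses
                .addAddress("fd00:1:fd00:1:fd00:1:fd00:1", 128).addRoute("::", 0);
        int scoped = 0;
        for (String pkg : BLOCKED) {
            try {
                b.addAllowedApplication(pkg); // route only this app into the tunnel
                scoped++;
            } catch (PackageManager.NameNotFoundException e) {
                Log.w("Sinkhole", "not installed: " + pkg);
            }
        }
        // With no allowed apps the tunnel would capture every app; refuse to start.
        if (scoped == 0) { stopSelf(); return START_NOT_STICKY; }
        // Packets from scoped apps land on this descriptor and are never forwarded.
        tun = b.establish(); // null if consent via VpnService.prepare() is missing
        if (tun == null) { stopSelf(); return START_NOT_STICKY; }
        return START_STICKY;
    }

    @Override
    public void onRevoke() { // another VPN app took the single slot, or the user revoked
        closeTunnel();
        super.onRevoke();
    }

    @Override
    public void onDestroy() { closeTunnel(); super.onDestroy(); }

    private void closeTunnel() {
        try { if (tun != null) tun.close(); } catch (IOException ignored) { }
        tun = null;
    }
}
```

Once onRevoke() fires, blocked apps regain network access, so a defender relying on this design should treat activation of any other VPN app as the firewall being off.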

Alternatives and Comparisons

  • Non-root Android firewalls / blockers mentioned: RethinkDNS, Blokada, GlassWire, Karma Firewall, PCAPdroid, TrackerControl, AdGuard.
  • Rooted alternatives: AFWall+, AdAway, disabling ad/tracking components with tools like AppManager.
  • RethinkDNS is highlighted as combining DNS/app firewall with per-app WireGuard and multi-VPN routing, but some see its frequent promotion as spammy.
  • AdGuard can do HTTPS inspection with a system cert (root required) for more granular filtering.

OS-Level Firewalls and Custom ROMs

  • GrapheneOS has a first-class “Network” permission per app and is seen as more robust than LineageOS’s implementation.
  • LineageOS and IodéOS offer per-app network controls; IodéOS also bundles ad blocking.
  • Some argue that with strong OS-level controls, NetGuard is less essential, though still useful for host-level blocking and monitoring.

Privacy Revelations from Firewalls

  • Users are often shocked by how many apps phone home in the background, including at night and when unused, often to multiple analytics/ads endpoints.
  • NetGuard and PCAPdroid logs have led people to uninstall apps (including health/pill reminders) or block them via a firewall.

Battery, Performance, and Usability

  • Experiences differ: some see 5–10% extra drain; others argue VPN-based apps are misreported and real overhead is small.
  • RethinkDNS in full logging mode was reported at 15–20% battery on one device; its developer claims newer versions and DNS-only mode are much lighter.

iOS Situation

  • Thread consensus: iOS lacks general per-app firewall APIs; only VPN-style or MDM-based per-app VPN is possible.
  • Tools like Lockdown, AdGuard, Shadowrocket, Proxyman, and Apple’s App Privacy Report help somewhat but don’t match Android firewall flexibility.

Critiques of Android’s Design

  • Multiple comments lament that stock Android has no user-facing per-app network permission or official firewall API, interpreting this as favoring data collection.
  • Others note Linux has strong kernel-level firewalling, but no similarly clean, app-centric interface is exposed on Android.