
Ask HN: If Apple iOS is pro-privacy, how to block Internet access for one app? - walterbell
Is there a way to block iOS outbound traffic on a per-application basis, without jailbreaking the device? This would be useful for preventing data leakage and for limiting spending on mobile data. On Android, apps need permission for network access.
======
rnovak
For mobile-data (LTE/etc) yes, you can go into the "Cellular" section in the
settings and disable/enable using cellular data for any app.

On wifi, not that I'm aware of.

Out of curiosity, what do you mean they need permissions on Android? Up until
the last Android version (Marshmallow), you either gave an app all permissions
or didn't install it. To deny network traffic outside of that you basically
had to have root access (which is functionally equivalent to jailbreaking).

~~~
walterbell
You're right. I saw a non-root app on Android that provided per-app network
permissions, but on second look it's just using a VPN. Thanks for the
correction.

------
therealmarv
I think you're wrong. You cannot block Internet access on Android apps (not
even on 6.0 Marshmallow) unless you're rooted.

~~~
mcintyre1994
They had to ask permission at install though in the old (pre-Marshmallow)
system. That system had many issues but you could just choose not to install
something that requested internet and didn't need it.

Google have gone the same way as Apple with Marshmallow though and apps can
access internet without permission in the new system - INTERNET is a 'normal'
permission automatically granted. [0]

[0] http://developer.android.com/guide/topics/security/normal-permissions.html

------
pearlsteinj
The short answer is no, not easily. A more elaborate solution would be to
install a global proxy on the device and route the connection through a server
you control, filtering the traffic you don't want to go through. You can use
Apple Configurator to configure the global proxy.

~~~
walterbell
Thanks for the suggestion. That would work for whitelisting, but would block
random web browsing. Or is there a way for the proxy to associate traffic
flows with individual apps, e.g. permit all Safari traffic, block all other
traffic that is not whitelisted?

Could a per-app VPN be used to blackhole app-specific network traffic at the
VPN server? If so, would this need a third-party MDM solution, or could the
native IPSEC client be used?

------
Amir6
On Android, you can install "NoRoot Firewall" to give or deny internet access
to any individual app without rooting your phone.

