Do you know who your Android phone is talking to? It’s not just sending and receiving emails, texts, and WhatsApps.

Research has found even Android devices sitting unused on a table contact Google around 900 times a day, and most apps you install are recording and sending information about you and your habits on a daily basis.

A firewall can help you reign in this snooping, and the best Android firewall app is AFWall+. Here's how to set it up.

What is AFWall+?

AFWall+ is a free and open-source firewall client for rooted Android devices. It gives you control over which apps can connect to the internet and what connections they can use. You can download AFWall+ from the Play Store.

The first time it runs, AFWall+ will ask for root access. Without root, the firewall won't be able to work. See here for our guide to rooting your phone to get set up.

A Guide to AFWall+ Preferences

Apps with internet access are displayed as icons on the left with their names on the right; in between are three columns of empty boxes. By default these columns list LAN, Wi-Fi, and mobile internet connections. The boxes allow you to select if an app can use a certain connection.

First, let's set some preferences to unlock AFWall's+ full potential. To find all these preferences, tap the three-dot icon on the top right to bring up the main menu, select Preferences, then choose your option.

first-screen-afwall-2
Main menu AFWall+
preferences-menu-afwall

UI Preferences

To enable easy differentiation between core, system, and user apps, tap on the Show filters box. Select the Show UID for apps box to see the unique identifier number for your apps. By checking Confirm AFWall+ disable, this sub-menu also allows you to enable a warning if AFWall+ is deactivated as a security measure.

Rules/Connectivity

Here, you can enable extra connection controls for roaming, LAN, VPN, tethering, and Tor by checking their boxes. We do not recommend changing the iptables chains settings unless you are familiar with iptables.

Rules connectivity selected AFWall+
Connection control options AFWall+
IP4 and IP6 chains options AFWall+

Log

Tap Turn on log service. This is useful for checking AFWall+ is working and for troubleshooting. You can also tap Enable show toasts to get a notification every time a connection is blocked, although these can quickly become annoying.

Turn on logs AFWall+
logscreen AFWall+
Blocked conection toast AFWall+

Security

Here you can set a password, pattern, or fingerprint to prevent malicious apps or people interfering with the firewall. Activate stealth mode to hide the pattern as you enter it, and specify the maximum attempts allowed before the app closes itself.

Experimental

While you don't need to go beyond the basics to get AFWall+ working well, the Experimental options give you even more precise control:

  • The Startup delay is useful if AFWall+ fails after a reboot.
  • During boot, some apps may upload data before AFWall+ has a chance to implement its rules. Check Fix startup data leak to allow AFWall+ to attempt to prevent this.
  • If more than one person uses your device, check Enable multi-user support to activate AFWall+ for other accounts.
  • Utilities like Shelter permit you to sandbox apps or run cloned versions. Checking Dual apps support enables AFWall+ to control connections for cloned apps separately from the main versions.
  • You may have apps that require LAN connections such as Samba or AirDroid. Check Enable inbound connections if you find yourself having problems communicating with other devices on your network.

Related: Can I Control My Android Phone From My Computer?

Profiles

AFWall+ lets you set profiles with custom app connections to use in different scenarios. For example, you could set up a profile specifically for use when tethering your device to use as a hotspot. Alternatively, you could set up profiles to allow or block all apps when activated.

Manage profiles menu AFWall+
Name profile tethering AFWall+
AFWall widgets

If you put AFWall+ widgets on your home screen, these profiles will be just one or two taps away.

How to Stop Android Apps Connecting to the Internet

On the main screen of AFWall+, you'll now see some new features thanks to the preference settings you changed.

Above the connection controls, there's a filter that allows you to view all apps, or display only core apps, system apps, or user apps. This is useful for determining the intensity of your blocking policies and for troubleshooting.

Additionally, the connection bar shows controls for roaming, VPN, and Bluetooth/USB tethering.

User apps filter AFWall+

By default, AFWall+ blocks everything and allows only apps you have specifically selected to use a connection. However, you can easily toggle between Allow selected and Block selected by tapping on the three-line icon with the tick beside it, found on the top right of the screen after the magnifying glass.

To allow an app to connect to the internet simply tap on the checkboxes for all the connections you want it to access.

Our first example below shows Firefox Lite with access to Wi-Fi, VPN, and tethering allowed but with LAN, mobile internet, and roaming blocked. This sort of setup is useful if you want to save money on your data connection while abroad.

Selected connections AFWall+

In the next case, there are two versions of WhatsApp. The first entry is the normal installed version and the second, with (M) after its name, is running in a work profile in Shelter. In this case, the sandboxed clone has access to all connections and the original installation is blocked.

Allow selected dual apps AFWall+

In the third scenario, Slack connects only through VPN. This might be useful if you want to make sure your business apps are not using unsecured connections.

Slack vpn enabled AFWall+

How to Enable the Firewall

Now that you've set some rules, you can save and enable your Android firewall.

Tap on the three-dot menu on the top right, then tap on Save, and finally Enable firewall. You'll see a confirmation message, then the firewall should be active. There's no need to reboot. You can alter your settings at any time and tap on Apply to update the firewall rules.

Tools for Dealing With Apps in Bulk

If like us, you have a lot of apps on your device, AFWall+ offers plenty of ways of managing them in addition to the filters and the fast search box.

If you tap on the three-line icon beside the three-dot menu you can choose to sort apps by name, install or update time, or by UID.

If you want to permit all apps to use one of the connection types or block all, tap on the connection icon to bring up the menu in the second image below which enables you to check, uncheck or invert the status of all apps in the column.

Tapping on the three gear wheel icon at the end of the connections bar makes it possible to invert the status of all apps in every connection column.

Order apps by name date uid AFWall+
Check invert uncheck all menu AFWall+
Invert clear clone menu AFWall+

Another feature lets you clone the configuration from one column to another column. For example, you might want to clone the status of all apps from the VPN column to the Tor column. This menu also allows you to clear checkboxes for every app at once.

What Should You Block?

So, what can you safely block and still have a functioning device?

Depending on your needs, it's possible to block everything apart from apps that have a definite reason to connect to the internet such as your browser, email, or instant messaging programs. However, such a setup may be too extreme for everyday use.

Most people should probably allow network access for Google Play-services, Downloads, Media Storage, and Download Manager. For reference, the AFWall+ team has put together a handy guide to the mysterious world of system apps and which ones you can safely block from the internet.

AFWall+ Puts you in Control of Your Phone

With every Android app being able to access the internet without restrictions, a firewall is an essential tool for both security and privacy.

AFWall+ has been around since 2012 and is a mature and powerful security solution. It should be a standard app on every rooted phone or tablet. If you haven't rooted your device, AFWall+ is one very good reason to consider taking the plunge.