Android's built-in Firewall

    Android comes with basic firewall support, exposed through the Data Usage screen in Settings. The screen is meant for fine-tuning network access: enabling or disabling background data on mobile networks, and enabling or disabling data roaming. Network access by background processes (background data) can be controlled either for the entire device or per application. So how is this achieved, and how can it be used for other purposes?

     Android's NetworkPolicyManager is the entry point for the Settings app. Being a system application, Settings has the permissions needed to request changes; NetworkPolicyManager is also hidden from the SDK. Settings uses APIs such as setRestrictBackground and setUidPolicy. On Android every application has its own uid, which Settings picks up and passes to the framework via setUidPolicy. From there, NetworkPolicyManager routes the request to the framework's network policy manager service, which routes it to a management service. This management service uses Android's Native Daemon Connector to communicate with a native service, netd (/system/bin/netd). The network daemon then forks another process (/system/bin/iptables) to update the iptables entries. iptables is the standard Linux program, with options to append, insert or delete entries. Each entry has its own set of matching conditions and an appropriate action.




    In the above case, where background data is disabled for YouTube, this basically translates into the following command:

  /system/bin/iptables -I bw_penalty_box -m owner --uid-owner uid --jump REJECT

   A rule is inserted by the bandwidth controller to REJECT all traffic originating from the process with the specified uid. Note that the traffic isn't just DROPped but REJECTed, which gives the source some feedback as to why network access is not being serviced. Android supports both IPv4 and IPv6 and uses a different binary version of iptables for IPv6.
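
   To audit which applications a device blocks this way, the rules in bw_penalty_box can be listed and each owner-match uid mapped back to an app label. The following is an added example, not code from this post or from Android: it parses constructed sample text in `iptables -S` format, the function names and sample rules are assumptions, and the uid constants are Android's AID_APP_START, AID_APP_END and AID_USER_OFFSET values.

```python
import shlex

# Constructed sample in `iptables -S bw_penalty_box` format (not from a real device).
SAMPLE_RULES = """\
-N bw_penalty_box
-A bw_penalty_box -m owner --uid-owner 10087 -j REJECT --reject-with icmp-port-unreachable
-A bw_penalty_box -m owner --uid-owner 1010123 --jump REJECT
-A bw_penalty_box -m owner --uid-owner 10140 -j DROP
-A bw_penalty_box -m owner ! --uid-owner 1000 -j REJECT
-A bw_penalty_box -j RETURN
"""

AID_APP_START, AID_APP_END = 10000, 19999  # UID range Android gives installed apps
AID_USER_OFFSET = 100000                   # UID block reserved per Android user


def uid_label(uid):
    """Render an app UID the way Android tools do, e.g. 10087 -> u0_a87."""
    user, app_id = divmod(uid, AID_USER_OFFSET)
    if AID_APP_START <= app_id <= AID_APP_END:
        return f"u{user}_a{app_id - AID_APP_START}"
    return f"uid {uid} (not an app UID)"


def penalized_uids(rules_text, chain="bw_penalty_box"):
    """Return (uid, label, target, negated) for each owner-match rule in `chain`."""
    found = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] not in (["-A", chain], ["-I", chain]) or "--uid-owner" not in tok:
            continue  # chain declaration, other chain, or rule without an owner match
        i = tok.index("--uid-owner")
        value = tok[i + 1]
        label = uid_label(int(value)) if value.isdigit() else "uid range"
        negated = i > 0 and tok[i - 1] == "!"  # "! --uid-owner N" = everyone except N
        target = next((tok[k + 1] for k, t in enumerate(tok[:-1])
                       if t in ("-j", "--jump")), None)
        found.append((value, label, target, negated))
    return found


if __name__ == "__main__":
    for uid, label, target, negated in penalized_uids(SAMPLE_RULES):
        scope = "all except " if negated else ""
        # DROP gives the app no feedback; REJECT (as in the post) fails fast.
        print(f"{scope}{label:28} {target}")
```

   A negated match or a DROP target in this chain is worth a closer look, since the rule described in the post is a plain per-uid REJECT.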

   Now, what other potential use could this privilege have? A network service provider could work with OEMs and simply update the default logic in the platform to REJECT traffic for all third-party applications and grant access only to core processes such as the framework, and other applications. The motivation is purely financial: say access is granted only to a music application like Beats Music; Beats Music in turn could pay for the data cost, so users pay for their music subscription and not for a network data plan. The network could be accessed only as long as the music subscription is active, and there is hardly any use for the application without a subscription (even though Android would still allow data to pass through).
