Most people nowadays have their whole lives on their phones. They will look at their e-mails, watch videos, do all their shopping, write all their personal thoughts all on the one device. With all the processes running on the device, there are, naturally, many outgoing connections that are potentially hostile towards the user. These additional connections will also drain the device battery without benefiting the user.

While the easiest way to deal with unwanted outgoing connections is to simply not use apps that behave in this way or find alternatives, the average person simply doesn’t care or have the understanding of why it’s important to have these connections under control which means the apps must be “sanitised” as best as possible.

This post focuses on Android as I’m not too famliar with iOS equivalents. Many of the configurations can probably be replicated but it is up to the reader to adapt them for iOS devices.

Considerations

Threat models

This is a given when talking about anything privacy or security related. Since this is about both you and some one else, the threat models of both parties need to be considered. Some people reading this might care about data aggregators and will take lengths to minimise all the trackers built in the apps their loved ones use. Others might only care about family photos being uploaded wiithout consent to cloud services or social media platforms like Instagram.

The girlfriend test

When you mess with other people’s device, you will be blamed when things break. (Sometimes, you will be blamed when it isn’t even your fault.) Unless they’ve made it clear that they’re willing to take responsibility for the changes, anything you do on someone else’s device should pass the girlfriend/grandma/grandpa test which is that they can get on with their cat browsing with their device breaking on them. The rest of this post will assume that the other person will not tolerate breakages.

Transparency

Any changes made to a device that you do not own should be done with absolute transparency. How much you disclose will depend on a variety of factors. For example, you probably do not disclose to your grandparents the kind of data that you’re potentially managing on their devices. Their priorities will lie closer towards security rather than privacy. Your partner, children or parents will almost certainly care that the websites they access will be viewable through tools like NextDNS (talked about later) despite them not caring when the ISP can do the same.

Configuration

Basic

Blocking individual apps from having internet access

Many apps on Google Play will make internet connections despite the core functionality having no real need to do so. For example, a sudoku app your partner downloaded arbitrarily from the wide selection available will connect to ad servers to find determine the ad that should be displayed in the moment. While this may not sound nefarious, these connections are an additional attack surface that can be exploited.

NetGuard is an app that takes over the single VPN slot to block internet access from apps that really shouldn’t have any reason to be connecting to the internet. It isn’t the only option that can achieve this but I like it because it has a simple user interface that can be understood non-techies.

Controlling trackers

The simplest change that can be done to control trackers is to change the DNS provider that is being used to something that blocks hosts that are known to be invasive. AdGuard DNS’ public DNS servers are probably the best for this. This change is somewhat risky and doesn’t quite pass the girlfriend test as the blocked hosts cannot be updated. In the (hopefully rare) occasion that a breakage occurs, you really don’t have much resolution aside from changing the DNS provider to something else.

NextDNS

An option that allows some level of control is NextDNS. NextDNS requires account registration which means someone will need to take responsibility. I personally prefer to have the other person own the account as the owner has access to DNS logs which can be a trustbreaker if not communicated properly. I will create the account with them and secure it in their password manager so that only they have access.

Once the registration process is complete, I like to configure the NextDNS profile according to the recommendations provided by yokoffing on GitHub along with the “HaGeZi - Multi LIGHT” blocklist which is considered to be a safe blocklist that causes very rare breakages. Depending on how willing or unwilling the other person is in trying to deal with any issues that arise, you might like to try the lighter or more aggressive HaGeZi blocklists. In the unlikely event that breakage does occur, the problematic host can be added to the profile’s Allowlist.

Note: NextDNS has both free and paid tiers. The free tier only allows for 300,000 DNS resolutions but that should be sufficient for most people.

Configuration

Under Setting ➔ Network and internet ➔ Private DNS, set the DNS-over-TLS value provided by AdGuard DNS or NextDNS.

Advanced

If your goal is to control both apps that have internet access and trackers built into them, we have to use a more advanced tool as none of the tools in the previous sections are sufficient on their own. To achieve both, we should look at the RethinkDNS app. The main reason why I consider this more advanced is that the app is more complex to a user that has little interest in the matter. Controlling app internet access is done in a slightly similar way to NetGuard which apps can be configured individually to have have internet access when on Wi-Fi or mobile data.

Tracker blocking is done through DNS. NextDNS can be used as a DNS provider which is how I prefer to configure the app. This can be done by opening the app then going to Configure ➔ DNS ➔ Other DNS ➔ + button then entering the DNS-over-HTTPS value provided by NextDNS. Alternatively, the Hagezi blocklists can be set through RethinkDNS-provided endpoints by configuring “RDNS Plus” but I personally prefer the level of control that NextDNS provides.

Alternatives

I have tried TrackerControl which is a fork of NetGuard with local ad and tracker blocking features. This has broken apps frequently to the frustration of the other person so I no longer use it.