It's possible, but far from easy to achieve. There are multiple approaches we can use to block (or at least try to block) incoming traffic.
But blocking one way traffic doesn't make sense in most cases. An app sending TCP packets but not receiving back responses will consider itself disconnected from internet. However, you may try for your particular case if it works.
Note: All of below discussed methods need root access.
UID BASED BLOCKING:
Android uses Linux kernel which has a builtin firewall netfilter
that can be used to filter network traffic. There is an iptables
module named owner
that filters traffic based on its UID / GID. Every app on Android is a UNIX user and has a unique UID.
But the problem is that owner
module is only valid for outgoing traffic i.e. the packets generated locally. IP packets coming from some other machine don't carry owner information with them. So the owner module applied to incoming traffic should fail or it should give a warning as explained here. To measure per-app incoming / outgoing network usage, Android patched kernel to include qtaguid
module. But iptables
wasn't patched to use the module from command-line. Also see related details in How to view network traffic requested by app?.
However owner
module works for some of the incoming TCP packets received back with TCP Flags, which may block incoming traffic fully or partially:
# iptables -I INPUT -m owner --uid-owner <APP_UID> -j DROP
* To remove the rule, replace -I
with -D
Probably the reason is that same TCP packets are returned back for Handshake and Bye but I'm not sure about that. However be ensured that it doesn't work for 100% TCP/UDP traffic. See escaped traffic:
# iptables -I INPUT -j LOG --log-uid --log-prefix 'INCOMING '
# dmesg -w | grep INCOMING | grep -vE 'IN=lo|=5353|=1900|ICMP' | grep -v UID=
Some firewall apps block outbound traffic using VPN on Android. VpnService API also makes use of UIDs
and SOcket_MARKs
to control traffic in routing table / RPDB, just before leaving the device.
PORT BASED BLOCKING:
More certain and complex ways of blocking incoming traffic rely on watching all the network sockets being created and deleted. A socket is a combination of IP address and port.
To get some basic idea of this approach, let's take example of Firefox app on my phone, with UID 10081:
# ss -4tuapne | awk '/uid:10081/ {
print $5,$1,$2,$7.$8
}
'
192.168.1.11:39910 tcp ESTAB users:(("mozilla.firefox",pid=22370,fd=163)) uid:10081
...
...
# iptables -I INPUT -p tcp --dport 39910 -j DROP
This will block all incoming traffic to port 39910 being used by Firefox app. But this approach is not practical because creation and deletion of sockets is taking place at such a high pace that even in native code some packets would be missed. And at the next moment the same port will be assigned to some other app's socket. This seems only possible if the local port is fixed, but for normal apps, random system selected available (TCP / UDP) port is being used for socket creation (can be controlled with ip_local_port_range).
You can find some more details View network traffic requested by app.
IP BASED BLOCKING:
This methods works best if you know the source IP address of packets. Find all servers your app is trying to connect on internet (e.g. by blocking app for outgoing traffic) and block them using iptables
source IP filtering, if they are not a hundred in number and they don't keep on changing frequently:
# iptables -I INPUT -p tcp -s <IP_ADDR> -j DROP