This change was when I stopped downloading from the Play store. Prior to that you could easily see that the compass or flashlight app you were going to install needed network access, something that set off alarm bells given the state of malware back then.
It was a bit of a pointless permission because literally every app requested it. The android permissions system very quickly fatigued users in to accepting everything. The new model is much better. Allow the user to actually deny the important permissions but just accept that network access is what apps do now.
No, not every application requested network access. And surely not a small number of users checked if a calculator or a sound recorder did, and, also checking the developers' justifications for including specific permissions, decided their (dis)trust.
I agree this is a better set of defaults, but there should be a toggle in the settings someplace, even deep in the developer mode settings, that gives users control over more granular permissions and allows them to choose which permissions to auto-grant and/or auto-deny.
Though I agree with you, why is this level of detail demanded of mobile apps but not of desktop apps? I would love to be able to sandbox desktop apps as well.
Since when network access is standard? Access to filesystem is not, use of hardware components but for display and speaker is not, internet access is not... Maybe you are referring to the exploitation of "intents" to exchange with networking enabled applications?
Network access requires no user approval. The only place you could find it before granting it to an app was via the permissions list in the play store.
An Android application requires "permissions" to do "anything past the basics"; permissions have to be declared in the "Manifest" file.
There are (simplifying) two main types of permissions: "normal"¹ and "dangerous, runtime"²; the former only need to be specified by the programmer in the Manifest; the latter also need direct confirmation from the user at a requester prompt.
This implies that "normal" permissions are granted by the user implicitly with the action of installing the application. Which means, that it is _quite important_ that the user sees the permissions list beforehand, before installation.
This is why having a firewall installed is essential in every android phone. Afwall+ does the job. My phones are all rooted but if I'm not mistaken it works on non rooted phones as well.
Nope, it requires root, as it should, really. Anything that can mess with networking at a low level needs root; there's no Android permission that I know of that lets you get down to iptables level.
There do exist "noroot" Android firewalls; I am not sure how they work (I think by somehow becoming interfaces - like "noroot" packet sniffers), but very probably not through `iptables`.
There are products on GitHub; I am looking at NetGuard (from, I think, Marcel Bokhorst aka M66B - the project has many forks). The .md says, «The only way to build a no-root firewall on Android is to use the Android VPN service».
