Android - Any security difference between root based firewall (AFWall+) and non-root based ones (NetGuard)?

As the author of NetGuard I have first hand experience in this field.

A disadvantage of a firewall based on a local VPN is that not all traffic types can be handled, because the (Android) Linux kernel does not allow forwarding all traffic types over a socket-based connection. An example is IPsec, which is used for IP calling by some manufacturers. A partial (not for IPsec) solution to this would be to use a remote VPN server to forward traffic, but this is not acceptable privacy-wise for a lot of people and would come with additional complexity and probably also with extra battery usage. In practice, handling TCP and UDP traffic appears to be sufficient for 99.9% of NetGuard users. Since Android 5 it is possible to exclude applications from being routed into the VPN (the application implementing the VPN decides whether this is mandatory or optional), which can be used to address problems arising from not being able to forward all traffic types. Another option is to exclude addresses (or address ranges), which NetGuard uses to 'fix' IP calling for some manufacturers.

Another disadvantage is that forwarding traffic increases battery usage on mobile devices, because it involves some processing: packets need to be inspected and forwarded. Using iptables, which is integrated in the Linux kernel, is more efficient and thus more battery friendly.

In general it appears that Android routes all traffic into the VPN, even traffic of system applications and components, but a manufacturer could decide to exclude certain traffic types, reducing the security that can be achieved by a VPN-based firewall.

NetGuard does not analyze the data itself, except for DNS requests to provide ad blocking, but if it did, it could raise a privacy concern. Nevertheless, technically speaking this is an advantage of a VPN-based firewall (if you still want to call it that), because it would allow stateful inspection of data streams beyond what is possible with iptables. This would likely be at the cost of battery usage, because of the processing involved. Note that it would require a local MitM attack to inspect SSL streams.

Yet another disadvantage is that Android doesn't allow chaining of VPNs, so using a local VPN to implement a firewall prevents the use of a real VPN service, unless the firewall provides such a service itself or alternatively a forwarding or proxy mechanism to another VPN application.

Lastly, a VPN-based firewall depends on the application providing the firewall VPN service being running. This seems trivial, but it is not, because some manufacturer Android versions/variants kill processes too aggressively in low-memory conditions (IMHO it is a bug if Android kills applications providing a VPN service).

Finally, rooting Android devices is becoming increasingly difficult, leaving a VPN-based firewall as the only choice for many people. I don't expect Google to add a system-based firewall anytime soon, because it could affect their ad revenue significantly. iOS does have a system-based firewall.

Let me know if there are any questions and I will try to answer them.
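To make the answer's decision logic concrete, here is an added example (written for this page, not NetGuard's code) of the packet-decision stage of a VpnService-style firewall. It assumes nothing about Android APIs: the packets are constructed in the script, and the socket-owner lookup (`fake_uid_of`, a hypothetical stand-in for `/proc/net/{tcp,udp}` on older Android or `ConnectivityManager.getConnectionOwnerUid()` on Android 10+) is a table keyed by source port. It shows the four outcomes the answer describes: forwardable TCP/UDP that passes policy, TCP/UDP that is blocked per app, a protocol such as ESP that a user-space relay cannot carry, and a destination in an excluded range that never enters the tun at all.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

# IANA protocol numbers. ESP (50) is what IPsec-based IP calling uses.
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 1, 6, 17, 50
# Only these can be re-originated from user space through an ordinary socket.
SOCKET_FORWARDABLE = {IPPROTO_TCP, IPPROTO_UDP}


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed test packet: minimal IPv4 header, no options, checksum 0."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr + payload


def parse_ipv4(raw: bytes) -> Packet:
    """Extract the fields a firewall needs from a packet read off the tun fd."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    sport = dport = None
    # TCP and UDP headers both begin with 16-bit source and destination ports.
    if proto in SOCKET_FORWARDABLE and len(raw) >= ihl + 4:
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return Packet(proto, src, dst, sport, dport)


class VpnFirewall:
    """Decision stage only: no sockets, no tun device, no Android calls."""

    def __init__(self, blocked_uids: Iterable[int], excluded_ranges: Iterable[str],
                 uid_of: Callable[[Packet], Optional[int]]):
        self.blocked_uids = set(blocked_uids)
        # Ranges left out of the VPN routes (the answer's IP-calling workaround):
        # the kernel never hands these packets to the tun, so they are not filtered.
        self.excluded = [ipaddress.ip_network(r) for r in excluded_ranges]
        self.uid_of = uid_of  # owner lookup supplied by the caller (hypothetical)

    def verdict(self, raw: bytes) -> str:
        pkt = parse_ipv4(raw)
        if any(ipaddress.ip_address(pkt.dst) in net for net in self.excluded):
            return "bypass"          # routed around the VPN entirely
        if pkt.proto not in SOCKET_FORWARDABLE:
            return "unsupported"     # e.g. ESP: cannot be relayed, so it is dropped
        uid = self.uid_of(pkt)
        if uid is None:
            return "unknown-owner"   # fail closed: cannot attribute, do not forward
        if uid in self.blocked_uids:
            return "block"
        return "forward"


# Constructed owner table (not from a real device), keyed by source port.
FAKE_SOCKET_OWNERS: Dict[int, int] = {40000: 10123, 40001: 10456}


def fake_uid_of(pkt: Packet) -> Optional[int]:
    return FAKE_SOCKET_OWNERS.get(pkt.sport) if pkt.sport is not None else None


def demo() -> Dict[str, str]:
    fw = VpnFirewall(blocked_uids={10456}, excluded_ranges=["10.0.0.0/8"],
                     uid_of=fake_uid_of)
    return {
        "tcp_allowed_app": fw.verdict(build_ipv4(
            IPPROTO_TCP, "192.0.2.10", "198.51.100.1", struct.pack("!HH", 40000, 443))),
        "udp_blocked_app": fw.verdict(build_ipv4(
            IPPROTO_UDP, "192.0.2.10", "198.51.100.53", struct.pack("!HH", 40001, 53))),
        "esp_ip_calling": fw.verdict(build_ipv4(IPPROTO_ESP, "192.0.2.10", "198.51.100.9")),
        "excluded_range": fw.verdict(build_ipv4(IPPROTO_ESP, "192.0.2.10", "10.1.2.3")),
        "unattributable": fw.verdict(build_ipv4(
            IPPROTO_TCP, "192.0.2.10", "198.51.100.1", struct.pack("!HH", 1, 80))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
```

The `unknown-owner` branch is the one worth copying: when the owner of a flow cannot be determined, a VPN-based firewall has to choose between leaking and dropping, and dropping is the only safe default for a firewall.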

To my knowledge, it's the approach:

Root based firewalls use IPFilter / iptables to control the flow. This automatically applies to all apps, whether there's a network connection available at all or not, whether the routing is working completely or not at all, or whether you're in a "closed environment" (Intranet) without access to the "outer world" (Internet). Apps you've got blocked are blocked. On a pretty low level.

Non-root firewalls do not have access to that low level, so they must use workarounds. In most cases this is done using Android's VPN facilities. Depending on implementation, this either works completely on-device (i.e. again regardless of what network connection might be available), or via "external services" (connecting you to the app provider's VPN). In the latter case, things break as soon as that service stops being available – a fact you might notice or not. In either case, I'm not sure if really all apps honor the VPN or if there are ways around.[1] Another nasty fact with VPNs I've read about is the annoying permanent notification coming along, saying "Your network might be monitored" – but AFAIK that should only turn up if the app in question needs its own certificate installed.[2]

Verdict: I'd personally trust a root-based solution more. But where rooting is not an option, non-root solutions should be almost as good. In that case, my recommendation would go towards open-source solutions like NetGuard (its developer also made Xprivacy and is well trusted). Speaking of which: For further details, take a look at the XDA introduction of NetGuard, which explains the background with some more details.

[1] I'm not familiar with the technical details behind Android's VPN implementation, but quoting WhiteWinterWolf (see below comment), it's up to the Android base system to enforce this; there is no reason to think this is not done properly.

[2] Again quoting WhiteWinterWolf: the VPN API used by NetGuard allows all data to be intercepted by an unprivileged application; this is what Android effectively considers as "monitoring". It has no relation with any certificate, and this warning is an unavoidable and expected consequence of using this API.

  1. Aside from the general consensus that actual security is out the window for rooted devices and of course depends on the user, AFWall+ offers a kernel-level approach to filtering traffic while NetGuard uses encryption. I think the ability to run as Android administrator without the need to stay in the foreground is important...
  2. AFWall+ optionally uses system level startup script preventing data leakage during boot time (and shutdown too, I believe)
  3. If used, it also has a built-in tasker plug-in that offers the ability to auto-switch profiles when a connectivity change is detected ( I really like this one)
  4. Linux-based iptables as opposed to the VPN method used by NetGuard
  5. I don't see any options to password protect the app's settings in NetGuard, but I've also never used this feature in AFWall+, so...

I do think an important feature to note about NetGuard would be the ability to filter specific addresses on a per-app basis. This is a paid option.

I can't say certificate-based VPN vs iptables. That would likely depend on your kernel and Android version for iptables and, for NetGuard, the algorithms used to encrypt the data, whether it is being logged and where it is stored. My answer may not be as technical as what you were looking for and, as a long-time user of AFWall+ (donate version), I'm definitely biased towards it. However, I do know that the developer of NetGuard also actively maintains XPrivacy, a very well-known/trusted and robust Android privacy manager. AFWall+ hasn't been abandoned at all but definitely hasn't received an update as recently as NetGuard has. They both employ different methods of maintaining control of traffic but ultimately, I think it mostly depends on the user how secure any part of their device is.
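For the root-based side, here is an added example (written for this page, not AFWall+'s own scripts or chain layout) of how a per-app iptables policy is rendered with the `owner` match, and why the answer's point about a boot-time startup script matters. The chain name `fw-out`, the interface patterns (`wlan+`, `rmnet+`, `ccmni+`) and the UIDs are assumptions; real device interface names vary. `build_rules` only renders the commands (applying them needs root and a kernel with `xt_owner`), and `first_match` walks the rendered chain with iptables' first-match semantics so the policy can be checked offline.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Hypothetical chain name and interface classes; not AFWall+'s actual layout.
CHAIN = "fw-out"
IFACE_CLASSES: Dict[str, List[str]] = {
    "wifi": ["wlan+"],            # iptables "+" is a prefix wildcard
    "mobile": ["rmnet+", "ccmni+"],
}


@dataclass
class Policy:
    # uid -> interface classes the app may use; an absent uid is fully blocked.
    allowed: Dict[int, Set[str]] = field(default_factory=dict)


def build_rules(policy: Policy, lock_down: bool = False) -> List[str]:
    """Render the OUTPUT-chain ruleset as shell commands.

    lock_down=True renders the minimal 'nothing but loopback' set that an init
    script would apply early in boot, so no app can leak traffic before the
    firewall app has loaded the real policy."""
    rules = [
        f"iptables -N {CHAIN} 2>/dev/null || iptables -F {CHAIN}",
        f"iptables -C OUTPUT -j {CHAIN} 2>/dev/null || iptables -I OUTPUT 1 -j {CHAIN}",
        f"iptables -A {CHAIN} -o lo -j ACCEPT",  # loopback is always allowed
    ]
    if not lock_down:
        for uid in sorted(policy.allowed):
            for cls in sorted(policy.allowed[uid]):
                for pat in IFACE_CLASSES[cls]:
                    # xt_owner matches locally generated packets by the UID that
                    # owns the sending socket; on Android each app has its own UID.
                    rules.append(
                        f"iptables -A {CHAIN} -o {pat} -m owner --uid-owner {uid} -j ACCEPT")
    # Anything not explicitly accepted above is rejected (order matters).
    rules.append(f"iptables -A {CHAIN} -j REJECT --reject-with icmp-port-unreachable")
    return rules


_RULE = re.compile(
    rf"iptables -A {CHAIN}(?: -o (\S+))?(?: -m owner --uid-owner (\d+))? -j (\w+)")


def _iface_matches(pattern: str, iface: str) -> bool:
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == iface


def first_match(rules: List[str], uid: int, iface: str) -> str:
    """Offline evaluation of the rendered chain: return the target of the first
    rule that matches a packet from `uid` leaving via `iface`."""
    for line in rules:
        m = _RULE.match(line)
        if not m:
            continue  # chain/jump setup lines, not packet rules
        pat, rule_uid, target = m.groups()
        if pat and not _iface_matches(pat, iface):
            continue
        if rule_uid and int(rule_uid) != uid:
            continue
        return target
    return "ACCEPT"  # fell off the chain; assumes the built-in policy is ACCEPT


if __name__ == "__main__":
    policy = Policy(allowed={10123: {"wifi", "mobile"}, 10456: {"wifi"}})
    for cmd in build_rules(policy):
        print(cmd)
    print(first_match(build_rules(policy), 10456, "rmnet_data0"))
```

Two caveats a practitioner should keep in mind: the `owner` match only exists for locally generated packets (OUTPUT and POSTROUTING), so tethered or forwarded traffic has no UID to match and needs separate rules, and a REJECT at the end of the chain is what turns the allow-list into a firewall; without it, every UID not listed falls through to the default policy.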