I'm trying to stop Microsoft SwiftKey keyboard from connecting to the internet. Phone is Android 7, rooted. I have it blocked on AFWall+.

But despite that, I can see through PCAPdroid (thanks to @Izzy for recommending this great app here) that it's still connecting to the internet and sending and receiving data.

Here are details of one of those connections.

I'm not sure how it's able to do so since it's - supposedly - blocked on AFWall.

I was thinking maybe there are other components of the keyboard that are not part of the bundle of what's checked in AFWall? Maybe those other components are not showing up on AFWall (or are under different names), and it's those components that are connecting to the internet? How can I stop this?

Thanks in advance!

JJrussel
  • Additional context for other readers: continuation of How can I find out if my keyboard is connecting to the internet? – Andrew T. Mar 19 '22 at 17:08
  • And maybe you could add a screenshot with one of those entries in PCAPDroid opened to show the details? The logs might also be interesting. Background: the app will still try to open those connections, but AFWall+ should block them. But in such a case, there should be no data transferred – so it's those "5.4 KB" which irritate me. Of course you could in addition use e.g. AdAway and put snippetdata.api.swiftkey.com on its filter list – so the IP address could no longer be resolved (unless the app uses its own name server). – Izzy Mar 19 '22 at 18:44
  • Btw, this seems to be an old issue, having been voiced more than once. And putting the host name to your block list is a recommendation I saw quite a few times. Seems like several filter lists even include it already, going by the search results. – Izzy Mar 19 '22 at 18:52
  • @Izzy "And maybe you could add a screenshot with one of those entries in PCAPDroid opened to show the details?" Just did! Check out the OP. – JJrussel Mar 19 '22 at 19:47
  • The reason I suspected SwiftKey to begin with is because on several occasions I got very specific ads recommended to me when I know 100% that I have never searched them anywhere and the only place I've typed them is offline or on my notepad (which is also blocked on AFWall). Another thing is also the next predicted word would be of something that couldn't be in the pre-saved dictionary because it would be about something that is currently trending. – JJrussel Mar 19 '22 at 19:51
  • That's the expected behavior. VPN (PCAPdroid) is not the right tool to test the working of iptables (AFWall) because both operate at OSI layer 3. AFWall might not be blocking the traffic going to TUN (VPN) interface. And the traffic leaving the VPN is owned by PCAPdroid, not by Swift KB, so won't be blocked by AFWall. Possible solutions: 1) Enable "VPN control" in AFWall. 2) Do not use PCAPdroid but insert an iptables -j LOG ... rule at the end of OUTPUT chain in filter table (or POSTROUTING chain in nat table). 3) Intercept the traffic outside the device e.g. at your router. – Irfan Latif Mar 19 '22 at 23:11
  • @IrfanLatif Thanks Irfan. I'm afraid I'm going to need you to dumb this down a bit. I'm assuming this is what you're talking about on AFWall --> https://i.imgur.com/W6jUOU4.jpg https://i.imgur.com/hOJLlur.jpg. Correct? As for #2, where do I add that rule? And for #3, what if I'm using mobile data? – JJrussel Mar 19 '22 at 23:31
  • Yes. 2) Read iptables. 3) Make testing with WiFi. Or go for option 1 or 2. – Irfan Latif Mar 20 '22 at 15:13
  • @IrfanLatif in root mode, PCAPDroid doesn't use a VPN (I'm using the app myself). As OP is using AFWall+ the device must be rooted, hence PCAPDroid will have offered to run in root mode. My bad, I should have mentioned that. Next, AFWall+ operates via iptables as far as I know – so there's no VPN involved at all – unless the keyboard is using one. – Izzy Mar 20 '22 at 20:09
  • @Izzy great. To be honest I've never used PCAPDroid because I'd developed my own minimal solution when I wrote this answer. I wrongly assumed that OP used the app in VPN mode. And I think I made the assumption because I've seen similar questions earlier like this one. Whatever the case is, bypassing Linux kernel's UID based IP filtering is out of the question. There must be some issue in OP's test setup. Since AFWall is iptables-based, troubleshooting it directly is the simpler approach, IMO. – Irfan Latif Mar 20 '22 at 22:01
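
Option 2 from the comments above (an iptables LOG rule at the end of the OUTPUT chain), sketched as an added example that is not part of the original thread: one function prints the rule for a given app UID, the other summarizes the resulting kernel log lines by interface, destination and port. The UID 10123, the "KBTEST " prefix and the sample log lines are constructed; it assumes the device kernel provides the owner match and the LOG target.

```shell
#!/bin/sh
# Added example. UID values, the "KBTEST " prefix and the log lines are constructed.

# Print (do not run) the rule to append to the filter OUTPUT chain for one app UID.
# Appended last, it only sees packets that no earlier rule dropped or accepted.
# Run the printed command as root; remove the rule later with -D in place of -A.
log_rule_cmd() {
    uid="$1"
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j LOG --log-prefix "KBTEST " --log-uid\n' "$uid"
}

# Read kernel log lines (dmesg output) on stdin and count logged packets for one
# UID, grouped by outgoing interface, destination address and destination port.
summarize_uid_log() {
    uid="$1"
    awk -v uid="$uid" '
        /KBTEST / {
            out = dst = dpt = luid = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^OUT=/) out = substr($i, 5)
                else if ($i ~ /^DST=/) dst = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
                else if ($i ~ /^UID=/) luid = substr($i, 5)   # present because of --log-uid
            }
            if (luid == uid) count[out " " dst " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort
}

# Constructed dmesg sample; addresses are from documentation ranges.
# The third line stands for a second rule (another UID) sharing the same prefix.
sample_log() {
    cat <<'EOF'
[  101.100000] KBTEST IN= OUT=wlan0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=44321 DPT=443 SYN URGP=0 UID=10123 GID=10123
[  101.900000] KBTEST IN= OUT=wlan0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=44321 DPT=443 SYN URGP=0 UID=10123 GID=10123
[  102.400000] KBTEST IN= OUT=tun0 SRC=10.215.173.1 DST=198.51.100.7 LEN=60 TTL=64 ID=3 DF PROTO=TCP SPT=50212 DPT=443 SYN URGP=0 UID=10087 GID=10087
[  103.000000] audit: unrelated kernel message
EOF
}

log_rule_cmd 10123
sample_log | summarize_uid_log 10123
```

An empty summary for the keyboard's UID while it is in use means none of its packets reached the end of the chain; lines leaving on a tun interface point to traffic being routed through a VPN-mode capture app.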