Guide
Block Apps From Using Mobile Data or Wi-Fi on Android (No Root)
Step-by-step: use an app internet blocker Android users trust to block apps from using mobile data or Wi-Fi, without rooting your phone.
Written by the Fulldive product engineering team, based on direct inspection of the repositories listed below.
If you want to block apps from using mobile data or block apps from using Wi-Fi on Android without rooting your phone, you need an app internet blocker Android supports. DataGuard No Root Firewall is Fulldive’s long-running tool for this. This guide walks through how to use a no-root firewall to stop specific apps from reaching the internet, why you might want to, and what the controls honestly do.
The steps are general to any VpnService-based no-root firewall, with DataGuard-specific notes where they matter.
Why block an app’s internet at all
Android’s system Settings give you some data controls — background data restrictions, “unrestricted data” exceptions, per-app Wi-Fi toggles on some OEM skins — but they are inconsistent across devices and Android versions. A firewall like DataGuard gives you one predictable place to set per-app rules that work the same way regardless of the manufacturer.
Common reasons users reach for this:
- A game or app keeps showing ads or pulling updates on mobile data you are paying per MB for.
- A utility app chats with analytics servers more than you want.
- A child’s tablet should only let a specific list of apps reach the internet.
- You want an app to work offline-only, because you do not trust its background traffic.
- You are on a metered hotspot.
The firewall does not remove the app or break its data features. It just refuses to forward its packets to the network when the rule says no.
How the no-root part works
Behind the scenes, DataGuard opens a local virtual network interface using Android’s VpnService class, and routes traffic through itself so it can filter by app. Nothing leaves your phone; the “VPN” is a local filter. The long explanation is in How no-root Android firewalls work. The short version: no root needed, one VPN slot used.
Step-by-step: block an app from using the internet
- Install DataGuard. Find DataGuard No Root Firewall from the Fulldive apps page and install it from the store listed there.
- Open the app. On first launch it will request notification permission (required on Android 13 and newer — see Android Developers — notification permission). Grant it so DataGuard can show the “firewall running” ongoing notification.
- Start the firewall. Tap the main toggle. Android shows a system dialog: “
is requesting permission to set up a VPN connection.” This is the VpnServiceprompt — it does not mean DataGuard is tunneling your traffic to a remote server. Tap OK. - Find the app you want to restrict. Scroll the installed-apps list. Each app row has two toggles: Wi-Fi and mobile data.
- Set the rule. Turn off Wi-Fi to block on Wi-Fi. Turn off mobile data to block on cell. Turn off both to block the app entirely. Leave system apps alone unless you know what they do.
- Test it. Open the blocked app. Any network action (loading a feed, sending a message, fetching an update) should fail or show an offline state. That is the firewall dropping the request.
That is the whole workflow. The rules persist across reboots as long as DataGuard stays enabled.
Common gotchas
- The VPN stops when another VPN starts. Android allows exactly one
VpnService-owning app at a time. If you start a tunneling VPN client or another VPN-style tool like Wize AdBlock VPN, DataGuard will be interrupted. See No-root firewall vs VPN on Android for the trade-off. - Some OEMs kill background apps aggressively. On phones with aggressive battery optimization (certain Chinese OEM skins especially), DataGuard may be stopped by the OS. Whitelist it from battery optimization so the firewall stays running.
- Cloud push notifications. Many apps get push via Google Play Services’ shared channel, which is a separate UID. Blocking an app’s internet does not always stop its push notifications, because the notification arrived through a channel that is still allowed.
- Tethering and metered networks. Blocking on Wi-Fi covers tethered Wi-Fi too. Some hotspots report as Wi-Fi, others as mobile depending on phone configuration.
- Network changes may cause a brief gap. DataGuard has specific code to rebuild the filter when the active network changes (commit
c5e9414b) and to handle the edge case where Android reports the active network as a VPN (commitba0e8c22). In practice transitions are fast, but on some devices there is a half-second window while the filter rebuilds.
Tips for picking which apps to block
A few patterns work well:
- Lock down “chatty” apps. Utilities that do not need the network for their main job (flashlight, calculator, simple note app) are safe to block entirely.
- Wi-Fi only for anything heavy. Video and game apps get Wi-Fi only. They can still update, just on a network you are not paying per MB for.
- Kill data on apps you do not trust but still use. Some apps need to be installed for work or account access but do not need ongoing network calls. Block both.
- Leave security and system apps alone. Play Services, the default messaging app, carrier apps for VoLTE — restricting these can break the phone’s basic functions.
What’s behind the “no-root firewall” lineage
DataGuard’s repository runs from October 2015 through 2026-01-23, with 3,936 commits. Fulldive-era commits visible in the history include 70133b44 (moved modules and added the donation popup) and 3f814a42 (bumped target SDK, version 1.0.6). The 2025 modernization touched SDK 35 prep (2821d5e0) and 16 KB library alignment (b2af3518, a platform requirement detailed at Android Developers — 16 KB page size). Commit cdc04c9f shipped the 2.334 release. The long maintenance story is in A decade of DataGuard Android firewall maintenance. The open-source NetGuard project pioneered the same VpnService-based no-root firewall approach that DataGuard and similar apps use.
Limits: what an Android firewall cannot do
This is important to state clearly, because overclaiming is common in this category:
- It does not scan for malware. If you installed a bad app, blocking its network access limits damage but does not remove the app.
- It does not give you a privacy VPN. No traffic leaves your phone to a remote server. Your IP address, DNS requests, and encrypted payloads continue to go to whichever server the allowed app contacts.
- It does not replace Android permissions. Camera, contacts, location, and storage permissions are controlled in system Settings.
- It does not guarantee zero ads. Ads that are already cached, or that the app serves from the same domain as its legitimate content, may still appear — this is the DNS ad blocking vs firewall distinction covered in DNS ad blocking vs VPN ad blocking on Android and What Wize AdBlock VPN can and cannot block.
A fuller honest list is in What Android firewalls can and cannot protect against.
Where to go next
- The model itself: How no-root Android firewalls work.
- Firewall vs VPN decisions: No-root firewall vs VPN on Android.
- The full Fulldive catalog: Fulldive apps.
- About Fulldive: About us and the Fulldive company story.
- Questions: FAQ or
support@fulldive.com.
Last updated: 2026-04-16. Commit hashes and version numbers are drawn from Fulldive repositories inspected on 2026-04-13.