In my company's MDM product we have a functionality to restrict URLs that Google Chrome can access. We use the Firewall class from the KNOX SDK to implement this functionality. Our implementation is similar to the example shown in the following documentation:

https://seap.samsung.com/api-references/android-standard/reference/com/s...(java.util.List%3Ccom.sec.enterprise.firewall.DomainFilterRule%3E)

Our deny rule is declared as follows:

       // Deny list, domains to block
       List<String> denyList = new ArrayList<String>();
       denyList.add("*");

The allow rule enables only the company's domain, such as:

       // Allow list, domains to allow
       List<String> allowList = new ArrayList<String>();
       allowList.add("*customerdomain.com");

I'm currently testing with a Galaxy Tab A (SM-P355M) with Android 7.1.1 and Knox 2.8, but the following misbehavior occurs on all Samsung devices with Android 7 and higher that we have in our lab.

When I'm using the stock version of Google Chrome that comes with the device (60.0.3112.116), the functionality works like a charm. I receive a DNS_PROBE_FINISHED_NXDOMAIN error for blocked URLs.

But when I use the most recent version of Google Chrome from the Play Store (at this date 71.0.3578.99), all the configuration is simply ignored, and Google Chrome has unrestricted access to any URL.

Somewhere between version 60 and 71 this functionality stopped working. But how can the Google Chrome app bypass a firewall rule?

Is this a bug in the SDK? Is there a workaround to avoid this problem? Any contributions on that?

Thanks

Jay Himanshu Jha
Jan 11, 2019
12:14 am

Hi Eduardo,

From version 66.0.3359.158 onwards, Chrome is using a Chromium DNS resolution that bypasses the domain filter rules. Chrome can be forced to use the system's DNS resolution by blocking port 53 via the Firewall rule API. See the NOTE section on this API: https://seap.samsung.com/api-references/android/reference/com/samsung/an...(com.samsung.android.knox.net.firewall.FirewallRule[])

Regards,
Jay
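
The port 53 rule described in the answer above, as an added example that is not part of the thread or Samsung's sample code. It is written against the com.samsung.android.knox.net.firewall package the answer links to and is meant to sit alongside the domain filter rules from the question; the class name `ChromeDnsBlock`, the scoping to the `com.android.chrome` package, and the choice to cover both IPv4 and IPv6 are assumptions.

```java
import android.content.Context;
import com.samsung.android.knox.AppIdentity;
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;
import com.samsung.android.knox.net.firewall.FirewallRule;

/** Hypothetical helper (name and structure are assumptions, not SDK code). */
public final class ChromeDnsBlock {
    // Package name of Google Chrome on Android.
    private static final String CHROME = "com.android.chrome";

    /** Builds one DENY rule for Chrome's traffic to remote port 53. */
    private static FirewallRule denyDns(Firewall.AddressType family) {
        FirewallRule rule = new FirewallRule(FirewallRule.RuleType.DENY, family);
        rule.setIpAddress("*");                          // any resolver address
        rule.setPortNumber("53");                        // DNS
        rule.setPortLocation(Firewall.PortLocation.REMOTE);
        rule.setProtocol(Firewall.Protocol.ALL);         // DNS over UDP and TCP
        rule.setApplication(new AppIdentity(CHROME, null));
        // Direction and network interface are left at their defaults.
        return rule;
    }

    /** Returns true only if every rule was accepted and the firewall is enabled. */
    public static boolean apply(Context context) {
        Firewall firewall = EnterpriseDeviceManager.getInstance(context).getFirewall();
        FirewallRule[] rules = {
            denyDns(Firewall.AddressType.IPV4),
            denyDns(Firewall.AddressType.IPV6),          // assumption: cover IPv6 resolvers too
        };
        FirewallResponse[] responses = firewall.addRules(rules);
        if (responses == null) {
            return false;
        }
        for (FirewallResponse response : responses) {
            if (response.getResult() != FirewallResponse.Result.SUCCESS) {
                return false;                            // rule rejected; do not assume Chrome is filtered
            }
        }
        // Rules have no effect until the firewall itself is enabled.
        FirewallResponse enabled = firewall.enableFirewall(true);
        return enabled != null && enabled.getResult() == FirewallResponse.Result.SUCCESS;
    }
}
```

After applying it, loading a blocked URL in the Play Store version of Chrome should again end in DNS_PROBE_FINISHED_NXDOMAIN, as it did with the stock version in the question.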