People regularly rely on Virtual Private Networks (VPN) to hide their activities from nosy governments, circumvent geographically restricted and region-locked services, and increase security on untrusted Wi-Fi networks. But the big problem with piping your communications through a secure digital tunnel is that it's an all-or-nothing deal – web browsing, IM chats, and email are all going over the wire to the same place. That can become a really serious issue for people that use an employer's VPN for work. With Android 5.0 Lollipop, VPN clients can finally offer granular control over which apps communicate over a secured network, and which apps connect to the Internet directly.
The functionality is pretty straight-forward. By default, an established VPN connection sends all app communication over the private line. If even one app is specifically whitelisted for access, all other apps will automatically return to connecting to the Internet as though there were no VPN connection. Any number of apps can be added to the list. The API also supports the opposite approach, which is to blacklist apps from the VPN, leaving all remaining apps to communicate securely.
Selecting which apps communicate over a secured tunnel is done by the 3rd-party VPN client, rather than the Settings app. Unfortunately, this means that we'll have to wait for our favorite client apps to integrate support, but it also incentivizes developers to offer creative and intelligent interfaces. While most clients will probably stick to a straight-forward list of apps that can be toggled by the user, some may also offer interchangeable profiles or take advantage of things like traffic levels and app categories to offer better default recommendations. After all, most of us probably don't care about streaming Play Music and YouTube over a VPN.
Even though most VPN clients probably won't have support for restricted lists right away, there is already one available. A beta release of OpenVPN for Android just added per-app customization in the last week. Thanks go to Arne Schwabe, both for writing the app and tipping us about this new feature in Lollipop. If anybody wants to give it a try, be sure to join the community and sign up for the beta test. The beta is also sporting a freshly updated Material-inspired look.
For developers looking to implement the new functionality, it is accessed through the VpnService.Builder API. There are two methods which are used to either create a whitelist or a blacklist of apps: addAllowedApplication and addDisallowedApplication. Hit the documentation for further details.
Thanks, Arne Schwabe