CleanBrowsing Android App

What the App Does

The CleanBrowsing Android App automatically configures DNS filtering on your Android device. Instead of navigating through system settings manually, the app handles everything through a guided setup flow.

When you enable a filter, the app:

• Configures Android's Private DNS (DNS-over-TLS) to route DNS queries through CleanBrowsing's filtered resolvers
• Supports a manual VPN Mode that routes DNS through an encrypted DoH tunnel if Private DNS is unavailable or blocked on your network — and auto-detects network blocks in Private DNS mode to activate VPN automatically
• Locks down Accessibility and Device Admin settings to prevent users from bypassing the filter
• Blocks attempts to change Private DNS settings, disable the accessibility service, or remove device admin privileges

The app requires Android 9 (Pie) or later. It works on all major Android manufacturers including Samsung, Google Pixel, Xiaomi, OnePlus, Oppo, and Motorola.

Free and Paid Plans

The app has two tiers. Free accounts can configure and use DNS filtering. Paid accounts unlock device hardening, tamper protection, and advanced transport options.

Free Filters

• Family Filter — Blocks adult content, pornography, mixed content sites, malware, and phishing. Forces Safe Search on Google, Bing, and YouTube. Best for families with children.
• Adult Filter — Blocks adult content and malware. Allows mixed-content sites like Reddit and social media.

Paid / Custom Filter

• Enter your activation code from the CleanBrowsing Dashboard to use your custom filter configuration
• Custom block/allow lists, category-based filtering, and per-device policies
• Activating your code also unlocks all paid features: VPN mode, device hardening, PIN protection, and tamper-proof settings
• The activation code is securely stored using Android's encrypted storage (AES-256)

Automated Private DNS Configuration

The app uses Android's Accessibility Service to automatically configure the Private DNS setting. This is the same DNS-over-TLS (DoT) feature available in Settings > Network > Private DNS, but the app automates the entire process:

• Opens the system settings to the correct page
• Selects "Private DNS provider hostname"
• Enters the correct CleanBrowsing DNS hostname for your selected filter
• Saves the setting and returns to the app

This automation is why the app requires Accessibility Service permission. Without it, users would need to configure Private DNS manually through system settings.

The app also monitors the Private DNS setting and blocks unauthorized changes when the device is locked. If someone tries to change the Private DNS hostname or disable it, the app automatically cancels the change and shows a notification.

Auto VPN Fallback Paid

Some networks block DNS-over-TLS (port 853), which prevents Private DNS from working. This is common on:

• Hotel and airport Wi-Fi networks
• Corporate networks with strict firewall rules
• School networks
• Some mobile carrier networks

Paid accounts can activate a local VPN tunnel that routes DNS queries through encrypted DNS-over-HTTPS (DoH) when port 853 is blocked. This uses Android's VPN API — the VPN runs locally on the device and only intercepts DNS traffic, not your browsing data.

The VPN fallback supports multiple DNS providers and transport protocols:

• DNS-over-HTTPS (DoH) — Sends DNS queries over standard HTTPS (port 443), which is almost never blocked
• DNS-over-TLS (DoT) — TLS-encrypted DNS with auto-negotiation to TLS 1.3 when available

If your network consistently blocks port 853, you can switch to VPN Mode permanently from the app's Settings screen. In VPN Mode, the app always routes DNS through the DoH tunnel without waiting for a failure. See Filtering Mode Guide for how to switch.

Requires a paid plan. Free accounts use DNS-over-TLS via Private DNS only.

Captive Portal Handling Paid

A captive portal is the login page shown on hotel, airport, coffee shop, and campus Wi-Fi networks before you're granted internet access. These portals typically block all DNS traffic until you complete the sign-in.

Paid accounts get automatic captive portal handling with two behaviors depending on whether DNS-over-HTTPS (DoH) can reach CleanBrowsing's servers:

• DoH reachable (most portals) — The app continues filtering normally via the VPN DoH fallback on port 443, which most captive portals don't block. The status screen turns orange and shows an Open Wi-Fi Login button so you can complete the portal login without losing DNS protection.
• DoH blocked (strict portals) — If the captive portal also blocks port 443, both DoT and DoH are unavailable. The app shows Filtering Paused on the status screen along with the login button. Filtering resumes automatically once you complete the login and the network is validated.

Because DoH uses port 443 (the same port as HTTPS), it typically passes through captive portals unblocked — meaning most hotel and airport networks don't interrupt filtering at all. Requires a paid plan.

Filtering Mode

Free accounts use Private DNS (DoT) only. Paid accounts can switch to VPN Mode from the Mode button in Settings.

Your filter profile carries over automatically when switching modes — you will not need to re-enter your activation code after a mode switch.

Filtering Mode Guide →

Tamper-Proof Settings Paid

Paid accounts can fully lock down a device to prevent users from bypassing DNS filtering. All four steps below require an active paid account. Complete them in order from the app's Settings page:

1. Set a Password — Create a PIN (minimum 4 characters). Required to change filters, disable the service, or reset the app. PINs are stored using PBKDF2-SHA256 with 100,000 iterations and a unique random salt — they are never stored in plaintext and cannot be recovered.
2. Enable Accessibility — Grant the Accessibility Service permission. This allows the app to monitor and automatically block any attempt to change the Private DNS hostname or reset network settings.
3. Enable Device Admin — Grant Device Administrator permission. This prevents the app from being uninstalled through Android Settings > Apps > Uninstall.
4. Lock the Device — Activates full uninstall protection. Without this final step, the other permissions can still be disabled individually.

When fully locked, the app blocks attempts to:

• Uninstall the app (Device Admin blocks removal; if attempted, the screen locks)
• Disable the Accessibility Service
• Change the Private DNS hostname
• Disable Device Admin privileges
• Reset network settings

Security Features

The app implements several security measures to protect user data and prevent tampering:

• Encrypted Storage — Activation codes and premium DNS values are stored using Android's EncryptedSharedPreferences (AES-256-GCM encryption). Other apps and backup tools cannot read these values.
• TLS Certificate Validation — All connections to CleanBrowsing servers are verified against the Android system certificate store. Cleartext HTTP is blocked at the network security configuration level.
• No Cleartext Traffic — All network communication is forced over HTTPS. Cleartext HTTP is blocked at the system level via Android's network security configuration.
• Hashed PINs — User PINs are hashed using PBKDF2-SHA256 with 100,000 iterations and a per-device random salt. The PIN is never stored in plaintext. After 5 consecutive incorrect attempts, entry is locked out for 30 seconds.
• Secure API Communication — API keys are transmitted via HTTP headers (not URL parameters) to prevent exposure in server logs and proxy caches.
• TLS 1.3 Support — DNS-over-TLS connections auto-negotiate to the highest available TLS version, including TLS 1.3 on supported devices.

Built-in Network Diagnostics

The app includes a full network diagnostics tool that tests every layer of your DNS filtering setup and reports the results in a structured report. You can access it from the Settings screen or via the Diagnostics button on the status screen.

The diagnostic tool runs the following tests automatically:

• Filtering mode — Shows whether the app is in Private DNS or VPN mode, and whether the VPN tunnel is currently active
• Account lookup — Verifies your activation code resolves to a valid DoT hostname
• HTTP connectivity — Tests reachability of CleanBrowsing servers over HTTPS
• DoT connectivity — Tests TCP connection, TLS handshake, and a live DNS query against each CleanBrowsing resolver IP on port 853
• DNS blocking over DoT — Confirms your filter is actively blocking domains via DNS-over-TLS
• Edge location — Identifies which CleanBrowsing datacenter is serving your DNS requests via both DoT and DoH
• DoH tests — Tests DNS-over-HTTPS on both the family filter and your custom account filter, including block detection
• Plain DNS UDP — Tests port 53 UDP resolution and blocking as a baseline comparison
• Network path — Ping tests to resolver IPs to measure latency

When the test completes, tap the Copy button to copy the full report to your clipboard and paste it into a support ticket. The report includes your app version, device model, Android version, network type, and all test results — giving our support team everything needed to diagnose connectivity or filtering issues without back-and-forth. The report also shows the current filtering mode (Private DNS or VPN) so our support team can immediately see which transport is in use.

Read the full diagnostics guide for a breakdown of every section in the report and what each result means.

Built-in Update Checker

The app includes an update checker that compares the installed version against the latest available version on CleanBrowsing's servers. The update check runs at most once per hour to avoid unnecessary network traffic.

When a new version is available, the app displays the version number and provides a link to download the update. The app also includes a log viewer in Settings that lets you view, copy, and share diagnostic logs for troubleshooting.

Block Page Certificate

When CleanBrowsing blocks a domain, it returns a block page. For that page to display correctly in a browser — rather than showing a connection error or certificate warning — the CleanBrowsing Block Page CA certificate must be trusted on the device.

Tap Certificate in the Settings screen to install it:

1. Tap Certificate — the app downloads CleanBrowsing-BlockPage-CA.crt and saves it to your Downloads folder
2. A dialog appears with step-by-step instructions
3. Tap Open Security Settings to go directly to the certificate installer, or Try Direct Install to launch the installer immediately
4. Select CA certificate, confirm with your device PIN or password, and tap Install anyway on the privacy notice

Manual path if needed: Settings → Security and Privacy → Other Security Settings → Install from device storage → CA certificate.

Download and Install

The app is available as a direct APK download:

1. Download CleanBrowsing Android v9.19
2. Open the downloaded file and tap Install
3. If prompted, allow installation from your browser or file manager
4. On Android 13+, you will need to allow restricted settings before the app can configure accessibility and device admin permissions
5. Follow the in-app setup wizard to select your filter and configure permissions

For detailed step-by-step instructions, see our Android App Setup Guide.

For manual DNS configuration without the app, see Android Private DNS Setup or our Setup page.

System Requirements

• Android 9 (Pie) or later
• Approximately 7 MB installed size
• Works on all major Android manufacturers (Samsung, Google Pixel, Xiaomi, OnePlus, Oppo, Motorola, and others)