What the App Does
The CleanBrowsing Android App automatically configures DNS filtering on your Android device. Instead of navigating through system settings manually, the app handles everything through a guided setup flow.
When you enable a filter, the app:
- Configures Android's Private DNS (DNS-over-TLS) to route DNS queries through CleanBrowsing's filtered resolvers
- Falls back to a local VPN tunnel with DNS-over-HTTPS (DoH) if Private DNS is blocked or unavailable on your network
- Locks down Accessibility and Device Admin settings to prevent users from bypassing the filter
- Blocks attempts to change Private DNS settings, disable the accessibility service, or remove device admin privileges
The app requires Android 9 (Pie) or later. It works on all major Android manufacturers including Samsung, Google Pixel, Xiaomi, OnePlus, Oppo, and Motorola.
Free and Paid Filters
The app supports both free and paid filtering options:
Free Filters
- Family Filter — Blocks adult content, pornography, mixed content sites, malware, and phishing. Forces Safe Search on Google, Bing, and YouTube. Best for families with children.
- Adult Filter — Blocks adult content and malware. Allows mixed-content sites like Reddit and social media.
Paid / Custom Filter
- Enter your activation code from the CleanBrowsing Dashboard to use your custom filter configuration
- Custom block/allow lists, category-based filtering, and per-device policies
- The activation code is securely stored using Android's encrypted storage (AES-256)
Automated Private DNS Configuration
The app uses Android's Accessibility Service to automatically configure the Private DNS setting. This is the same DNS-over-TLS (DoT) feature available in Settings > Network > Private DNS, but the app automates the entire process:
- Opens the system settings to the correct page
- Selects "Private DNS provider hostname"
- Enters the correct CleanBrowsing DNS hostname for your selected filter
- Saves the setting and returns to the app
This automation is why the app requires Accessibility Service permission. Without it, users would need to configure Private DNS manually through system settings.
The app also monitors the Private DNS setting and blocks unauthorized changes when the device is locked. If someone tries to change the Private DNS hostname or disable it, the app automatically cancels the change and shows a notification.
VPN Fallback (When Private DNS is Blocked)
Some networks block DNS-over-TLS (port 853), which prevents Private DNS from working. This is common on:
- Hotel and airport Wi-Fi networks
- Corporate networks with strict firewall rules
- School networks
- Some mobile carrier networks
When the app detects that Private DNS is unavailable, it automatically activates a local VPN tunnel that routes DNS queries through encrypted DNS-over-HTTPS (DoH). This uses Android's VPN API — the VPN runs locally on the device and only intercepts DNS traffic, not your browsing data.
The VPN fallback supports multiple DNS providers and transport protocols:
- DNS-over-HTTPS (DoH) — Sends DNS queries over standard HTTPS (port 443), which is almost never blocked
- DNS-over-TLS (DoT) — TLS-encrypted DNS with auto-negotiation to TLS 1.3 when available
- UDP and TCP — Standard DNS protocols as a last resort
The fallback is seamless — users see a VPN icon in the status bar but otherwise experience no difference in browsing. Filtering remains active regardless of the transport method.
Captive Portal Handling
A captive portal is the login page shown on hotel, airport, coffee shop, and campus Wi-Fi networks before you're granted internet access. These portals typically block all DNS traffic until you complete the sign-in.
The CleanBrowsing app handles captive portals automatically with two behaviors depending on whether DNS-over-HTTPS (DoH) can reach CleanBrowsing's servers:
- DoH reachable (most portals) — The app continues filtering normally via the VPN DoH fallback on port 443, which most captive portals don't block. The status screen turns orange and shows an Open Wi-Fi Login button so you can complete the portal login without losing DNS protection.
- DoH blocked (strict portals) — If the captive portal also blocks port 443, both DoT and DoH are unavailable. The app shows Filtering Paused on the status screen along with the login button. Filtering resumes automatically once you complete the login and the network is validated.
This behavior is smarter than simply pausing filtering as soon as a portal is detected. Because DoH uses port 443 (the same port as HTTPS), it typically passes through captive portals unblocked, meaning most hotel and airport networks don't interrupt filtering at all.
Filtering Mode
The app's Settings screen includes a Filtering Mode option that lets you choose how DNS filtering is enforced:
- Private DNS (default) — Uses Android's Private DNS (DoT) as the primary method, with automatic VPN fallback if the network blocks port 853. Lower battery use. Best for most users.
- VPN — Always routes DNS through the local VPN tunnel, regardless of whether Private DNS is available. Use this if Private DNS consistently fails on your network (for example, some mobile carrier networks that silently drop port 853 traffic). Slightly higher battery use.
In VPN mode, the DoT health check is disabled — the app stays on VPN without periodically re-testing Private DNS. Switching back to Private DNS mode re-enables the health check and evaluates whether VPN is still needed.
Tamper-Proof Settings
The app provides several layers of protection to prevent users from bypassing DNS filtering. To fully lock down a device, complete all four steps in the app's Settings page:
- Set a Password — Tap "Set Password" and create a PIN (minimum 4 characters). This PIN is required to change filters, disable the service, or reset the app. PINs are stored using SHA-256 hashing with a random salt — they cannot be recovered from the device.
- Enable Accessibility — Tap "Enable Accessibility" and grant the Accessibility Service permission. This allows the app to monitor and block attempts to change Private DNS settings or reset network settings.
- Enable Device Admin — Tap "Enable Admin" and grant Device Administrator permission. This prevents the app from being uninstalled through Android Settings > Apps > Uninstall.
- Lock the Device — Tap "Lock Device" to activate uninstall protection. This is the final step — without it, the other permissions can still be individually disabled by the user.
Important: Setting a password alone does not prevent uninstallation. You must complete all four steps above. The password protects in-app settings, but uninstall protection requires Accessibility + Device Admin + Lock Device to all be enabled. We also recommend pairing the app with Google Family Link for an additional layer of protection, as Family Link independently prevents app removal.
When fully locked, the app blocks attempts to:
- Uninstall the app (Device Admin blocks removal, and if attempted the screen locks)
- Disable the Accessibility Service
- Change the Private DNS hostname
- Disable Device Admin privileges
- Reset network settings
Security Features
The app implements several security measures to protect user data and prevent tampering:
- Encrypted Storage — Activation codes and premium DNS values are stored using Android's EncryptedSharedPreferences (AES-256-GCM encryption). Other apps and backup tools cannot read these values.
- Certificate Pinning — API calls to cleanbrowsing.org are pinned to specific Let's Encrypt certificate hashes, preventing man-in-the-middle attacks even on compromised networks.
- No Cleartext Traffic — All network communication is forced over HTTPS. Cleartext HTTP is blocked at the system level via Android's network security configuration.
- Hashed PINs — User PINs are hashed with SHA-256 and a per-device random salt before storage. The PIN is never stored in plaintext.
- Secure API Communication — API keys are transmitted via HTTP headers (not URL parameters) to prevent exposure in server logs and proxy caches.
- TLS 1.3 Support — DNS-over-TLS connections auto-negotiate to the highest available TLS version, including TLS 1.3 on supported devices.
Built-in Update Checker
The app includes an update checker that compares the installed version against the latest available version on CleanBrowsing's servers. The update check runs at most once per hour to avoid unnecessary network traffic.
When a new version is available, the app displays the version number and provides a link to download the update. The app also includes a log viewer in Settings that lets you view, copy, and share diagnostic logs for troubleshooting.
Download and Install
The app is available as a direct APK download:
- Download CleanBrowsing Android v9.1
- Open the downloaded file and tap Install
- If prompted, allow installation from your browser or file manager
- On Android 13+, you will need to allow restricted settings before the app can configure accessibility and device admin permissions
- Follow the in-app setup wizard to select your filter and configure permissions
For detailed step-by-step instructions, see our Android App Setup Guide.
For manual DNS configuration without the app, see Android Private DNS Setup or our Setup page.
System Requirements
- Android 9 (Pie) or later
- Approximately 7 MB installed size
- Works on all major Android manufacturers (Samsung, Google Pixel, Xiaomi, OnePlus, Oppo, Motorola, and others)
Download v9.1
