CleanBrowsing Android App

What the App Does

The CleanBrowsing Android App automatically configures DNS filtering on your Android device. Instead of navigating through system settings manually, the app handles everything through a guided setup flow.

When you enable a filter, the app:

• Configures Android's Private DNS (DNS-over-TLS) to route DNS queries through CleanBrowsing's filtered resolvers
• Falls back to a local VPN tunnel with DNS-over-HTTPS (DoH) if Private DNS is blocked or unavailable on your network
• Locks down Accessibility and Device Admin settings to prevent users from bypassing the filter
• Blocks attempts to change Private DNS settings, disable the accessibility service, or remove device admin privileges

The app requires Android 9 (Pie) or later. It works on all major Android manufacturers including Samsung, Google Pixel, Xiaomi, OnePlus, Oppo, and Motorola.

Free and Paid Filters

The app supports both free and paid filtering options:

Free Filters

• Family Filter — Blocks adult content, pornography, mixed content sites, malware, and phishing. Forces Safe Search on Google, Bing, and YouTube. Best for families with children.
• Adult Filter — Blocks adult content and malware. Allows mixed-content sites like Reddit and social media.

Paid / Custom Filter

• Enter your activation code from the CleanBrowsing Dashboard to use your custom filter configuration
• Custom block/allow lists, category-based filtering, and per-device policies
• The activation code is securely stored using Android's encrypted storage (AES-256)

Automated Private DNS Configuration

The app uses Android's Accessibility Service to automatically configure the Private DNS setting. This is the same DNS-over-TLS (DoT) feature available in Settings > Network > Private DNS, but the app automates the entire process:

• Opens the system settings to the correct page
• Selects "Private DNS provider hostname"
• Enters the correct CleanBrowsing DNS hostname for your selected filter
• Saves the setting and returns to the app

This automation is why the app requires Accessibility Service permission. Without it, users would need to configure Private DNS manually through system settings.

The app also monitors the Private DNS setting and blocks unauthorized changes when the device is locked. If someone tries to change the Private DNS hostname or disable it, the app automatically cancels the change and shows a notification.

VPN Fallback (When Private DNS is Blocked)

Some networks block DNS-over-TLS (port 853), which prevents Private DNS from working. This is common on:

• Hotel and airport Wi-Fi networks
• Corporate networks with strict firewall rules
• School networks
• Some mobile carrier networks

When the app detects that Private DNS is unavailable, it automatically activates a local VPN tunnel that routes DNS queries through encrypted DNS-over-HTTPS (DoH). This uses Android's VPN API — the VPN runs locally on the device and only intercepts DNS traffic, not your browsing data.

The VPN fallback supports multiple DNS providers and transport protocols:

• DNS-over-HTTPS (DoH) — Sends DNS queries over standard HTTPS (port 443), which is almost never blocked
• DNS-over-TLS (DoT) — TLS-encrypted DNS with auto-negotiation to TLS 1.3 when available
• UDP and TCP — Standard DNS protocols as a last resort

The fallback is seamless — users see a VPN icon in the status bar but otherwise experience no difference in browsing. Filtering remains active regardless of the transport method.

Tamper-Proof Settings

The app provides several layers of protection to prevent users from bypassing DNS filtering:

• Password Protection — Set a PIN code (minimum 4 characters) to lock the app. The PIN is required to change filters, disable the service, or reset the app. PINs are stored using SHA-256 hashing with a random salt — they cannot be recovered from the device.
• Device Admin Protection — When enabled, the app cannot be uninstalled through normal means (Settings > Apps > Uninstall). The user must first disable Device Admin, which the app blocks when locked.
• Accessibility Monitoring — The app monitors for attempts to disable the accessibility service, change Private DNS settings, or reset network settings. All of these actions are blocked when the device is locked.

These protections work together to make it very difficult for children or unauthorized users to disable DNS filtering without the PIN.

Security Features

The app implements several security measures to protect user data and prevent tampering:

• Encrypted Storage — Activation codes and premium DNS values are stored using Android's EncryptedSharedPreferences (AES-256-GCM encryption). Other apps and backup tools cannot read these values.
• Certificate Pinning — API calls to cleanbrowsing.org are pinned to specific Let's Encrypt certificate hashes, preventing man-in-the-middle attacks even on compromised networks.
• No Cleartext Traffic — All network communication is forced over HTTPS. Cleartext HTTP is blocked at the system level via Android's network security configuration.
• Hashed PINs — User PINs are hashed with SHA-256 and a per-device random salt before storage. The PIN is never stored in plaintext.
• Secure API Communication — API keys are transmitted via HTTP headers (not URL parameters) to prevent exposure in server logs and proxy caches.
• TLS 1.3 Support — DNS-over-TLS connections auto-negotiate to the highest available TLS version, including TLS 1.3 on supported devices.

Built-in Update Checker

The app includes an update checker that compares the installed version against the latest available version on CleanBrowsing's servers. The update check runs at most once per hour to avoid unnecessary network traffic.

When a new version is available, the app displays the version number and provides a link to download the update. The app also includes a log viewer in Settings that lets you view, copy, and share diagnostic logs for troubleshooting.

Download and Install

The app is available as a direct APK download:

1. Download CleanBrowsing Android v8.0
2. Open the downloaded file and tap Install
3. If prompted, allow installation from your browser or file manager
4. On Android 13+, you will need to allow restricted settings before the app can configure accessibility and device admin permissions
5. Follow the in-app setup wizard to select your filter and configure permissions

For detailed step-by-step instructions, see our Android App Setup Guide.

For manual DNS configuration without the app, see Android Private DNS Setup or our Setup page.

System Requirements

• Android 9 (Pie) or later
• Approximately 7 MB installed size
• Works on all major Android manufacturers (Samsung, Google Pixel, Xiaomi, OnePlus, Oppo, Motorola, and others)