Why global Android proxy is the wrong default for many users
On a desktop, you can spend hours tuning YAML and still recover quickly because the machine is yours and the network stack is relatively transparent. On a phone, the stakes feel different: payment apps, government-adjacent services, carrier portals, and domestic super-apps often assume you are physically in-region. When Clash (through the mihomo core inside Clash Meta for Android) pushes everything out through a remote node, those assumptions break. You see CAPTCHAs, OTP delays, map drift, or outright blocks that have nothing to do with “bad nodes” and everything to do with exit geography.
Per-app proxy is the practical compromise. Instead of asking the OS to treat Clash like a full-tunnel consumer VPN for every socket, you declare which applications are allowed to enter the tunnel—or, equivalently, which must be forced out of it. That mental model matches how people actually use proxies abroad: a handful of browsers and chat clients need the tunnel; the rest of the phone should behave like a normal local device. The feature is sometimes labeled access control, app filter, or split tunneling depending on the client skin, but the underlying idea is the same: attach policy at the application boundary before you even argue about domain rules.
This article is Android-specific. If you are comparing stacks, our desktop install guide for Clash Verge Rev covers a different UI surface; the YAML concepts still rhyme with what you will run on mobile, and the YAML routing walkthrough remains useful background for DNS and rule order once the tunnel is up.
Bypass list versus allowlist: pick one coherent mode
Most maintained Clash Android builds expose two opposing modes. Learning the vocabulary up front prevents the classic failure mode where you toggle buttons for twenty minutes while nothing matches your intent.
- Bypass list (blacklist / exclude): the tunnel is broadly on, but selected apps are carved out to go direct. This is the usual choice when you want “everything proxied except my bank, my carrier app, and the local wallet.”
- Allowlist (whitelist / include-only): only the apps you explicitly select use the tunnel; everything else is direct by default. This is the right default when you want “only these two browsers and this messenger use the proxy; nothing else should ever touch it.”
Neither mode replaces your subscription quality or your rule sets. They simply decide which Android UIDs are even eligible to be handled by the VPN service backing Clash. If you misunderstand the mode, you will misread symptoms: an allowlist that includes only one browser makes every other app look “broken” when what you actually configured was isolation on purpose.
Prerequisites you should not skip
Before touching per-app settings, line up the boring prerequisites. They are boring because skipping them produces the same support tickets over and over.
- Install a maintained client. We focus on Clash Meta for Android (CMFA) because it tracks the current mihomo feature set and exposes the controls this guide references. FlClash on Android is a reasonable alternative for readers who prefer its UI; the labels move slightly, but the split-tunnel idea is parallel. Grab builds from a source you trust—our download page lists common options and avoids the SEO trap of random repacked APK mirrors.
- Import a working profile. Confirm a node actually connects using the client’s built-in status indicators before you layer access control on top. If the base profile cannot establish a tunnel, per-app rules only rearrange a broken foundation.
- Accept VPN permissions. Android routes per-app decisions through the platform VPN service. You will see the standard key icon and permission prompts. Without that approval, Clash cannot attach UID-level routing in a way userspace proxies could on desktop.
- Know whether you are in TUN mode. Many Android Clash forks expect TUN (full-device capture) for reliable behavior, especially when apps ignore HTTP proxies. Per-app filtering still applies on top of that service, but the exact toggle names vary by release. If something feels inconsistent, verify you are not half-running an HTTP-only mode while expecting OS-wide capture.
For ecosystem questions—ARM64 versus universal APKs, unknown-sources install flow, subscription import quirks—start with the Android section of our Clash FAQ so this page can stay focused on routing semantics rather than OEM-specific settings screens.
Step-by-step: per-app proxy on Clash Meta for Android
The following sequence matches current CMFA layouts closely enough to survive minor UI reshuffles. If your build moved a panel, search settings for Access Control, App, or Per-App; vendors rarely rename the underlying concept.
- Open CMFA and start the service once. Bring up the main switch so the client establishes its VPN session. You want a green or connected state before editing exclusions, because some builds grey out app pickers until the service is live.
- Enter Access Control (or App filter). From the hamburger or gear menu, locate the section that lists installed packages. In many builds it sits under network-related settings rather than appearance.
- Choose your mode deliberately. If you need only a handful of apps on the proxy, pick allowlist and select those apps explicitly. If you need most traffic on the proxy but must carve out domestic banking and maps, pick bypass and tick the exclusions.
- Use search inside the app list. Android installs dozens of helper packages. Long-press or multi-select flows differ by version; searching by pinyin or English package label saves time on Chinese ROMs where display names sort unexpectedly.
- Include system components only when you understand the trade-off. Some builds expose toggles for system networking stacks or download managers. Enabling them can widen the blast radius; leaving them off can make certain browsers feel “split.” When in doubt, start minimal, test, then widen.
- Apply and restart the VPN session if prompted. Some releases hot-apply changes; others require toggling the main switch so the new UID map attaches cleanly.
- Re-verify after reboot. OEM power savers aggressively kill background VPN services. If access control “forgets” behavior, check battery optimization exclusions for CMFA before you assume the list corrupted.
Readers using FlClash should mirror the same decision tree: locate the per-application section, choose include-only versus exclude, then re-test. The Flutter UI may label groups differently, but you are still editing the same Android VPN builder underneath.
TUN, DNS, and why YAML still matters
Per-app routing answers “which apps enter the tunnel.” It does not magically fix DNS leakage or messy GEOIP ordering inside config.yaml. If domestic domains resolve through an overseas resolver because of how Fake-IP and fallback DNS interact, you can still observe strange behavior even when the app list looks perfect. That is not a reason to abandon access control; it is a reminder that mobile Clash is a stack, not a single toggle.
When you have time to tune seriously, revisit the DNS and rule sections in your profile so that domestic CDNs and captive portals resolve the way your geography expects. The YAML routing article walks through Fake-IP filters and rule precedence—knowledge that pays off on Android the same way it does on desktop, especially for mixed Chinese and international traffic.
How to verify behavior without guessing
Humans are bad at “feeling” whether an app is direct. Use lightweight checks that map to routing reality.
- IP check inside the browser you care about. Open a what-is-my-ip page in each browser profile. If one browser is allowlisted and another is direct, the addresses should differ accordingly.
- Use the client log panes. CMFA exposes connection logs for debugging. A domestic app that should bypass the tunnel should not generate endless overseas destinations when you scroll through recent flows during a short test window.
- Test a domestic-only service deliberately. Pick an app that hard-fails on foreign exits. If it suddenly works after you add it to the bypass list, you have confirmation independent of IP websites.
- Watch captive portals and Wi-Fi login pages. Full-tunnel habits break hotel and airport Wi-Fi sign-in flows. Temporarily widening bypass for the system browser—or pausing the service—is still a legitimate operational move, and per-app modes make that less painful than uninstalling profiles.
Remember that some applications use multiple processes or helper services. If one piece of a super-app is excluded but another is not, you can see half-working states. When that happens, widen the bypass entry to the parent package group or consult release notes for split APK quirks on your OEM.
Troubleshooting quick reference
| Symptom | Common cause | What to try |
|---|---|---|
| Everything is direct even though Clash shows connected | Allowlist mode with almost no apps selected; service not restarted after changes | Re-read the mode; add at least one test browser; toggle VPN off and on |
| Domestic banking still sees a foreign exit | Wrong package excluded; dual-app clone uses a different UID | Exclude the clone or workspace instance; verify with logs |
| Browser proxied but WebView apps are not | System WebView package not included in allowlist mode | Include WebView or switch strategy to bypass-first for that workflow |
| Spikes in battery use after enabling TUN | Aggressive reconnect loops; power saver killing VPN | Exclude CMFA from battery optimization; inspect node health |
| DNS oddities despite correct app list | Fake-IP or fallback DNS mismatch inside YAML | Align DNS stanza with destinations; revisit YAML guide linked above |
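The clone-UID and WebView rows above can be checked mechanically instead of by feel. This added example (not code from CMFA or mihomo) models the two modes over Android UIDs, using a constructed package list in the `package:<name> uid:<n>` shape that `pm list packages -U` prints; the package names, UIDs and helper functions are assumptions for illustration.

```python
import re

PER_USER_RANGE = 100000  # Android: uid = user_id * 100000 + app_id

# Constructed sample; package names and UIDs are made up.
# The second com.example.bank line is a dual-app clone living in user 999.
SAMPLE = """\
package:com.example.browser uid:10150
package:com.example.bank uid:10201
package:com.example.bank uid:99910201
package:com.google.android.webview uid:10098
package:com.example.news uid:10230
"""

LINE = re.compile(r"^package:(\S+)\s+uid:(\d+)$")

def parse_instances(text):
    """Return [(package, uid, user_id)] for every well-formed line."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            uid = int(m.group(2))
            out.append((m.group(1), uid, uid // PER_USER_RANGE))
    return out

def tunneled_uids(instances, mode, selected_uids):
    """Simplified model: allowlist tunnels only selected UIDs, bypass the rest."""
    if mode not in ("allowlist", "bypass"):
        raise ValueError("mode must be 'allowlist' or 'bypass'")
    all_uids = {uid for _, uid, _ in instances}
    chosen = all_uids & set(selected_uids)
    return chosen if mode == "allowlist" else all_uids - chosen

def audit(instances, mode, selected_uids):
    """Flag a package whose clone UID is not in the list, and WebView left out."""
    selected, by_pkg, findings = set(selected_uids), {}, []
    for pkg, uid, _ in instances:
        by_pkg.setdefault(pkg, []).append(uid)
    for pkg, uids in sorted(by_pkg.items()):
        missed = sorted(set(uids) - selected)
        if missed and len(missed) < len(uids):
            findings.append(f"{pkg}: clone uid(s) {missed} not in list")
    if mode == "allowlist":
        for pkg, uid, _ in instances:
            if pkg.endswith(".webview") and uid not in selected:
                findings.append(f"{pkg}: WebView not allowlisted")
    return findings
```

With the bank's primary UID in a bypass list, `tunneled_uids` still contains the clone's UID, which is the "domestic banking still sees a foreign exit" symptom.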
Operational habits that keep the setup stable
Treat your access-control list like infrastructure code. When you install a new banking app, decide up front whether it belongs in the bypass set. When you travel, reconsider allowlists: roaming carriers sometimes ship companion apps that expect local network access patterns. Snapshot your profile in version control if you maintain YAML by hand, and note which CMFA build you shipped to your device so upgrades do not surprise you with renamed toggles.
Finally, keep expectations aligned with platform reality. Android per-app routing is powerful, but it is not a substitute for careful rule writing, healthy nodes, and DNS design. The combination is what makes Clash Android feel boring in a good way: predictable splits, fewer mystery failures, and domestic services that stay domestic unless you explicitly ask otherwise.
Closing
Compared with turning on a single global switch and hoping your YAML forgives every app, per-app proxy on Clash Meta for Android returns control to where users actually make decisions: specific applications, tested deliberately, with bypass lists that respect local services. Pair that discipline with a maintained client build and a sane DNS story, and the phone stops feeling like it is always “on VPN” when you only needed a narrow slice of traffic to leave the country.
When you are ready to pick an up-to-date APK without hunting random mirrors, use our download page to choose a trusted Android build and start from a known baseline.