Android devices with a VPN enabled intentionally leak some traffic, including IP addresses and DNS/HTTP(S) requests, when connecting to a wireless network. According to a security audit by Mullvad VPN, the leakage of small amounts of data is inherent to the mobile operating system, and third-party VPNs cannot prevent or control it.
The Europe-based VPN service provider says that enabling the Always-on VPN and Block connections without VPN settings didn’t help either. Mullvad VPN notes that the bug (Google thinks it’s a feature) is built into Android.
“We have reviewed the feature request you reported and would like to inform you that the feature is working as intended,” a Google engineer told Mullvad VPN on the search giant’s issue tracker page. “We don’t think such an option would be understandable to most users, so we don’t think there’s a strong case for providing this.”
Let us see how VPN on Android works.
When an Android device connects to a public network, it performs certain checks before a successful connection is established. Mullvad VPN found that, to perform these checks, Android sends data outside of the secure tunnel that is meant to shield the user's traffic.
Block connections without VPN is an Android setting designed to prevent exactly this kind of leak, which can happen during connection checks. Google points out that tunneling can also leak some of the traffic through the underlying network.
“We understand why the Android system wants to send this traffic by default. For example, if there is a captive portal [a webpage usually displayed after a device connects to a new public network] on the network, the connection becomes unusable until the user logs into it,” Mullvad VPN wrote.
“So most users will want the captive portal check to happen and allow them to display and use the portal. However, this may be a privacy concern for some users with certain threat models,” the company added.
Indeed, the small amount of data the operating system leaks, including DNS lookups, HTTP(S) and possibly NTP traffic, and the user’s IP address (as metadata), is exactly what the user intends to shield by using the VPN.
The problem goes deeper. VPN on Android leaks traffic data even on known networks that don’t have captive portals and don’t need to test the connection. This is why Mullvad VPN recommends that Google disable connection checking by default and give users the option to do so when they feel the need, similar to the privacy- and security-focused Android iteration GrapheneOS.
Additionally, Mullvad VPN points out that split tunneling is an opt-in feature that doesn’t necessarily leak traffic data, no matter how small.
“Connection test traffic can be observed and analyzed by the controller of the connection test server and any entity that observes the network traffic. Even if the content of the message doesn’t reveal anything other than ‘some Android devices connected’, the metadata (including the source IP) can be used to get more information, especially if associated with data such as WiFi hotspot location,” added Mullvad VPN.
The company also notes that the leaked metadata will need to be de-anonymized, which requires a certain level of sophistication on the part of the threat actor.
Google has clarified that the data in question is still available through the L2 connection. “Even if you are fine with some traffic outside of the VPN tunnel, we consider the name of the setting (‘Block connections without VPN’) and Android’s documentation on it to be misleading,” Mullvad said. “The impression users get is that no traffic will ever leave the phone except through the VPN.”