Is Android quietly undermining your VPN service?
It has been discovered that Android devices are designed to leak certain user data when they connect to a new Wi-Fi network, and even the best VPN services can’t stop it.
Mullvad VPN identified the quirk during a recent security audit and reported that data leaks also occur when the “Block connections without VPN (or VPN lockdown)” and/or “Always-on VPN” options are enabled.
The data exposed during the connection check includes people’s real IP address, DNS lookups, HTTPS and NTP traffic.
However, the leak does not appear to be a malfunction. In response to questions from the provider, Google explained that both features work as intended.
Android leaks traffic when running connection check and neither VPN services nor can you prevent it, https://t.co/FPhhqyYXiiOctober 10, 2022
Android Features That Mislead VPN Users
A VPN is a tool that people use, among other things, to encrypt internet traffic while hiding their real IP location. This allows access to censored sites, avoids bandwidth throttling and ensures online anonymity – the last point is especially important on public Wi-Fi connections.
Some wireless networks (such as Wi-Fi in the hotel or public transportation, for example) may require a connection check before establishing the connection. And it is precisely on these occasions that Android VPN services leak some traffic data whether or not the option to block unprotected connections is activated.
“We understand why the Android system wants to send this traffic by default,” Mullvad VPN wrote in a blog post (opens in new tab). “However, this could be a privacy issue for some users with certain threat models.”
Next Mullvad’s request (opens in new tab) for an additional option to disable these connectivity checks when the “VPN lock” is enabled, Google developers explained that the leak is actually a design choice.
In particular, the company claims that some VPN apps rely on these controls to function properly. The developers also said that there are other exceptions that could be more risky, such as those applied to some privileged applications. They also believe that the impact on user privacy is minimal.
After taking into account the points raised by Google, Mullvad still thinks that the proposed additional feature could be useful to users. Most importantly, the provider calls the big tech giant to… at least be more transparent about its characteristics.
“Even if you don’t mind some traffic going outside the VPN tunnel, we think the setting name (“Block connections without VPN”) and Android documentation (opens in new tab) around it is misleading. The impression a user gets is that no traffic leaves the phone except through the VPN.”
What’s at stake for Android users?
According to Google, the privacy risks for most people are basically non-existent. However, Mullvad argues that the exposed metadata may be enough for experienced hackers to de-anonymize this information and track down users.
“The connection control traffic can be observed and analyzed by the party that manages the connection control server and any entity that observes the network traffic,” explains the secure VPN provider.
Even if the content of the message reveals nothing more than ‘a connected Android device’, the metadata (including the source IP) can be used to infer more information, especially when combined with data such as Wi-Fi access point locations .”
This may not be relevant to everyday users, but it could have a negative effect on those for whom privacy is paramount. After all, it’s likely they’ve enabled the VPN lock feature precisely for this reason.
TechRadar Pro contacted Google for more information, but did not receive an immediate response.