Tweet
It has been discovered that Android devices are designed to leak some user data when connecting to a new Wi-Fi network, and even the best VPN services cannot stop it.
Mullvad VPN identified the quirk during a recent security audit, reporting that data leakage also occurs when the âBlock connections without VPN (or VPN lockdown)â and/or âAlways-on VPNâ options are enabled.
The data exposed during the connectivity check includes peopleâs real IP address, DNS lookups, HTTPS and NTP traffic.
However, the leak does not appear to be a malfunction. In response to questions from the provider, Google explained that both of the features work as intended.
Android leaks traffic when performing its connectivity check and neither VPN services nor you can prevent it, https://mullvad.net/blog/2022/10/10/android-leaks-connectivity-check-traffic/ October 10, 2022
See more
[HEADING=1]Android features deceiving VPN users [/HEADING]
A VPN is a tool that people use, among other things, to encrypt internet traffic while hiding their real IP location. This allows access to censored sites, avoids bandwidth throttling and secures online anonymity - the latter point being especially important on public Wi-Fi connections.
However, certain wireless networks (like hotel or public transport Wi-Fi, for example) might require a connectivity check before establishing the connection. And itâs exactly on these occasions that Android VPN services leak some traffic details, whether or not the option to block unprotected connections has been activated.
âWe understand why the Android system wants to send this traffic by default,â wrote Mullvad VPN in a blog post. âHowever, this can be a privacy concern for some users with certain threat models.â
Read more
> VPNs on iOS are âbrokenâ and Apple doesnât seem to be doing anything to fix it
Following Mullvadâs request for an additional option to disable these connectivity checks when the âVPN lockdownâ is on, Google developers explained that the leak is actually a design choice.
Specifically, the company claims that some VPN apps rely on these checks to properly function. The developers also said there are other exemptions that might be more risky, like those applied to some privileged applications. They also believe that the impact on usersâ privacy is minimal.
After taking into consideration the points raised by Google, Mullvad still thinks that its suggested additional feature could be beneficial for users. Most importantly, the provider is calling the big tech giant to at least be more transparent about its features.
âEven if you are fine with some traffic going outside the VPN tunnel, we think the name of the setting (âBlock connections without VPNâ) and Androidâs documentation around it is misleading. The impression a user gets is that no traffic will leave the phone except through the VPN.â
[HEADING=1]Whatâs at stake for Android users?[/HEADING]
According to Google, the privacy risks are basically non-existent for most people. However, Mullvad argues that the metadata exposed could be enough for experienced hackers to de-anonymize this information and track down users.
âThe connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic,â explained the secure VPN provider.
âEven if the content of the message does not reveal anything more than âsome Android device connected,â the metadata (which includes the source IP) can be used to derive further information, especially if combined with data such as Wi-Fi access point locations.â
This might not be relevant for everyday users, but it could negatively affect those for whom privacy is paramount. After all, itâs likely they have turned on the VPN lockdown feature exactly for this reason.
TechRadar Pro has contacted Google for further information, but did not receive an immediate response.
Continue readingâŚ
Mullvad VPN identified the quirk during a recent security audit, reporting that data leakage also occurs when the âBlock connections without VPN (or VPN lockdown)â and/or âAlways-on VPNâ options are enabled.
The data exposed during the connectivity check includes peopleâs real IP address, DNS lookups, HTTPS and NTP traffic.
However, the leak does not appear to be a malfunction. In response to questions from the provider, Google explained that both of the features work as intended.
Android leaks traffic when performing its connectivity check and neither VPN services nor you can prevent it, https://mullvad.net/blog/2022/10/10/android-leaks-connectivity-check-traffic/ October 10, 2022
See more
[HEADING=1]Android features deceiving VPN users [/HEADING]
A VPN is a tool that people use, among other things, to encrypt internet traffic while hiding their real IP location. This allows access to censored sites, avoids bandwidth throttling and secures online anonymity - the latter point being especially important on public Wi-Fi connections.
However, certain wireless networks (like hotel or public transport Wi-Fi, for example) might require a connectivity check before establishing the connection. And itâs exactly on these occasions that Android VPN services leak some traffic details, whether or not the option to block unprotected connections has been activated.
âWe understand why the Android system wants to send this traffic by default,â wrote Mullvad VPN in a blog post. âHowever, this can be a privacy concern for some users with certain threat models.â
Read more
> VPNs on iOS are âbrokenâ and Apple doesnât seem to be doing anything to fix it
How to protect your privacy on your Android phone
Our pick of the best Android VPN apps around right now
Specifically, the company claims that some VPN apps rely on these checks to properly function. The developers also said there are other exemptions that might be more risky, like those applied to some privileged applications. They also believe that the impact on usersâ privacy is minimal.
After taking into consideration the points raised by Google, Mullvad still thinks that its suggested additional feature could be beneficial for users. Most importantly, the provider is calling the big tech giant to at least be more transparent about its features.
âEven if you are fine with some traffic going outside the VPN tunnel, we think the name of the setting (âBlock connections without VPNâ) and Androidâs documentation around it is misleading. The impression a user gets is that no traffic will leave the phone except through the VPN.â
[HEADING=1]Whatâs at stake for Android users?[/HEADING]
According to Google, the privacy risks are basically non-existent for most people. However, Mullvad argues that the metadata exposed could be enough for experienced hackers to de-anonymize this information and track down users.
âThe connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic,â explained the secure VPN provider.
âEven if the content of the message does not reveal anything more than âsome Android device connected,â the metadata (which includes the source IP) can be used to derive further information, especially if combined with data such as Wi-Fi access point locations.â
This might not be relevant for everyday users, but it could negatively affect those for whom privacy is paramount. After all, itâs likely they have turned on the VPN lockdown feature exactly for this reason.
TechRadar Pro has contacted Google for further information, but did not receive an immediate response.
Continue readingâŚ