Android leaks some traffic even when 'Always-on VPN' is enabled

Gandalf_The_Grey

Mullvad VPN has discovered that Android leaks traffic every time the device connects to a WiFi network, even if the "Block connections without VPN" or "Always-on VPN" feature is enabled.

The data being leaked outside VPN tunnels includes source IP addresses, DNS lookups, HTTPS traffic, and likely also NTP traffic.

This behavior is built into the Android operating system and is a design choice. However, Android users likely didn't know this until now due to the inaccurate description of the "VPN Lockdown" feature in Android's documentation.

Mullvad discovered the issue during a security audit that hasn't been published yet, issuing a warning yesterday to raise awareness on the matter and apply additional pressure on Google.

VPNs on Android


VPNs (virtual private networks) are protected network connections that encrypt internet traffic over public networks. When connected to a VPN, all your Internet connections will use the IP address of your VPN service rather than your public IP address.

This allows users to bypass censorship and throttling, and maintain privacy and anonymity while browsing the web, as the remote hosts will never see your actual IP address.

Android offers a setting under "Network & Internet" to block network connections unless you're using a VPN. This feature is designed to prevent accidental leaks of the user's actual IP address if the VPN connection is interrupted or drops suddenly.

Unfortunately, this feature is undercut by the need to accommodate special cases like identifying captive portals (like hotel WiFi) that must be checked before the user can log in or when using split-tunnel features.

This is why Android is configured to leak some data upon connecting to a new WiFi network, regardless of whether you enabled the "Block connections without VPN" setting.

Mullvad reported the issue to Google, requesting the addition of an option to disable connectivity checks.

"This is a feature request for adding the option to disable connectivity checks while "Block connections without VPN" (from now on lockdown) is enabled for a VPN app," explains Mullvad in a feature request on Google's Issue Tracker.

"This option should be added as the current VPN lockdown behavior is to leak connectivity check traffic (see this issue for incorrect documentation) which is not expected and might impact user privacy."

Unfortunately, a Google engineer responded that this is intended functionality for Android and that it would not be fixed for the following reasons:
  • Many VPNs actually rely on the results of these connectivity checks to function,
  • The checks are neither the only nor the riskiest exemptions from VPN connections,
  • The privacy impact is minimal, if not insignificant, because the leaked information is already available from the L2 connection.
Mullvad countered these points and highlighted the significant benefits of adding the option, even if not all issues will be addressed, and the case remains open.
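The practical question behind the thread is how to tell, on your own device, which packets are leaving the WiFi interface outside the tunnel while lockdown is on. The script below is an added example, not code from the thread, Mullvad or Google: it parses `tcpdump -n` style text captured on the handset's WiFi interface, treats everything addressed to the VPN endpoint as tunnel traffic, and classifies the rest into the leak types the article names (DNS, HTTPS, NTP), correlating DNS answers with later TCP flows so a connectivity check can be named. The capture lines, the handset address, the VPN endpoint `198.51.100.10:51820` and the default connectivity-check hostnames are all constructed or assumed for the example.

```python
"""Audit packets seen on an Android handset's WiFi interface while a VPN is
active, separating tunnel traffic from anything that bypasses the tunnel."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in `tcpdump -n` text format (not a real capture).
# Assumed roles: 192.168.1.23 is the handset, 192.168.1.1 the WiFi router's
# resolver, 198.51.100.10:51820 the VPN endpoint. Documentation/private ranges only.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 192.168.1.23.41000 > 198.51.100.10.51820: UDP, length 148
12:00:01.100000 IP 192.168.1.23.53124 > 192.168.1.1.53: 1234+ A? connectivitycheck.gstatic.com. (47)
12:00:01.120000 IP 192.168.1.1.53 > 192.168.1.23.53124: 1234 1/0/0 A 203.0.113.7 (63)
12:00:01.150000 IP 192.168.1.23.44210 > 203.0.113.7.443: Flags [S], seq 1, win 65535, length 0
12:00:01.200000 IP 192.168.1.23.123 > 203.0.113.50.123: NTPv4, Client, length 48
12:00:02.000000 IP 192.168.1.23.41000 > 198.51.100.10.51820: UDP, length 1280
12:00:02.500000 IP 198.51.100.10.51820 > 192.168.1.23.41000: UDP, length 92
"""

# Hostnames Android uses for its connectivity checks (assumption: not from the thread).
CONNECTIVITY_CHECK_HOSTS = {"connectivitycheck.gstatic.com", "www.google.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
QUERY_RE = re.compile(r"\bA\? (?P<name>\S+)")            # "1234+ A? host.example."
ANSWER_RE = re.compile(r"\bA (?P<addr>\d+\.\d+\.\d+\.\d+)")  # "1234 1/0/0 A 203.0.113.7"


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    rest: str


def parse_capture(text):
    """Turn tcpdump -n lines into Packet records; lines that don't match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            packets.append(Packet(d["ts"], d["src"], int(d["sport"]),
                                  d["dst"], int(d["dport"]), d["rest"]))
    return packets


def audit(text, handset, vpn_endpoint):
    """Return [(category, detail)] for each packet the handset sent outside the tunnel."""
    vpn_ip, vpn_port = vpn_endpoint
    pending = {}   # (client port, DNS txid) -> queried name
    resolved = {}  # answered IP -> name, so later TCP flows can be labelled
    leaks = []
    for p in parse_capture(text):
        if p.src != handset:
            # Inbound: only harvest DNS answers that match a query we saw leave.
            if p.sport == 53:
                name = pending.get((p.dport, p.rest.split()[0]))
                am = ANSWER_RE.search(p.rest)
                if name and am:
                    resolved[am.group("addr")] = name
            continue
        if (p.dst, p.dport) == (vpn_ip, vpn_port):
            continue  # encapsulated tunnel traffic: expected under lockdown
        if p.dport == 53:
            qm = QUERY_RE.search(p.rest)
            name = qm.group("name").rstrip(".") if qm else "?"
            pending[(p.sport, p.rest.split()[0].rstrip("+%"))] = name
            leaks.append(("dns", name))
        elif p.dport in (80, 443):
            name = resolved.get(p.dst, p.dst)
            kind = "connectivity-check" if name in CONNECTIVITY_CHECK_HOSTS else "http(s)"
            leaks.append((kind, name))
        elif p.dport == 123:
            leaks.append(("ntp", p.dst))
        else:
            leaks.append(("other", f"{p.dst}:{p.dport}"))
    return leaks


def summarize(leaks):
    """Count leaked packets per category."""
    return Counter(kind for kind, _ in leaks)


if __name__ == "__main__":
    found = audit(SAMPLE_CAPTURE, "192.168.1.23", ("198.51.100.10", 51820))
    for kind, detail in found:
        print(f"{kind:20} {detail}")
    print(dict(summarize(found)))
```

On a real handset the input would come from a packet capture taken on the WiFi interface (root or a capture-capable device is needed for that); the point of the classification is that on a lockdown-enabled device you expect the list to be empty apart from the connectivity checks this thread is about, so anything else in the "other" or "http(s)" buckets is worth explaining.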
 

Gandalf_The_Grey

And it is (sort of) the same on iOS:
 

TedCruz

And it is (sort of) the same on iOS:
Let the conspiracy theories commence! :)

The VPN hole is there just in case you want to use Google Maps or any mapping software when running a VPN. The mapping software must fool your OS into thinking that the world is round as per the GUI layout of the map, but in reality the world is flat! This hole allows the mapping software to communicate with the central server in order to account for the supposed curvature of the world in real time. That's my story, and I am sticking to it.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
From what I have read, the ways to avoid a data leak and be sure of privacy are not to bypass the VPN:

1) Do NOT use split-tunnelling
2) Do NOT make exemptions to VPN

and to be 100% sure, use a portable VPN device like the InvizBox Go, if you can accept a slower speed.

And if the VPN cannot totally cut off all connections before diverting the traffic through it, then there'll be a data leak. Using an external portable VPN, as mentioned, will help avoid the data leak.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
No, it's a bug. Wait, it's a feature! Google and Apple march to the same tune when it comes to privacy. Why bother defeating and breaking encryption when Android and iOS leak so much information through the OS, even when using so-called secure VPNs that are meant to secure your connection? And why bother defeating and breaking encryption when Android and iOS have so many security holes that you can just hack the handset?
 

Vasudev

Level 33
Verified
Nov 8, 2014
2,224
I'm using a split VPN tunnel for carrier services, adaptive connectivity services, Disney+, Prime, Netflix etc., since Disney, Prime and Netflix were not working with the VPN; they were asking me to pay again.
 