Android’s Design Leaks Some VPN Traffic Data, Google Calls It “Intended Behavior”

According to a security audit by Mullvad VPN, leaking a small amount of traffic data is inherent to Android’s design, something that third-party VPNs cannot prevent.

October 14, 2022

Android devices with a VPN purposefully leak some traffic, including IP addresses and DNS/HTTP(S) requests, when connecting to a wireless network. According to a security audit by Mullvad VPN, leaking a small amount of data is inherent to the mobile operating system, something that third-party VPNs cannot prevent or control.

The Europe-based VPN service provider said that enabling Always-on VPN and Block connections without VPN doesn’t help either. Mullvad VPN noted that the bug (Google argues it is a feature) is built into Android.

“We have looked into the feature request you have reported and would like to inform you that this is working as intended,” a Google engineer told Mullvad VPN on the search giant’s issue tracker page. “We do not think such an option would be understandable by most users, so we don’t think there is a strong case for offering this.”

Let us see how VPNs on Android function.

When an Android device connects to a public network, it performs certain checks before successfully establishing a connection. To perform these checks, Mullvad VPN discovered that Android sends data outside the secure tunnel that shields users from the internet.

Block connections without VPN is the Android setting designed to prevent such leaks, yet they may still happen during connectivity checks. Split tunneling can also leak part of the traffic over the underlying network, Google pointed out.

“We understand why the Android system wants to send this traffic by default. If for instance there is a captive portal [a webpage usually displayed after a device connects to a new public network] on the network, the connection will be unusable until the user has logged in to it,” Mullvad VPN wrote.


“So most users will want the captive portal check to happen and allow them to display and use the portal. However, this can be a privacy concern for some users with certain threat models,” the company added.

Indeed, the small amount of data that the OS leaks includes DNS lookups, HTTP(S) and possibly NTP traffic, and the user’s IP address (as metadata), which is precisely what users intend to shield by using a VPN.
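One way to check a capture for this behavior, as an added example that is not from Mullvad VPN’s audit or the original article: the Python code below reads lines modelled on `tcpdump -n -q` output taken at the Wi-Fi gateway and lists every packet the phone sent that was not addressed to the VPN server. The line format, the addresses, the WireGuard-style port 51820 and the names `find_leaks` and `summarize` are assumptions made for illustration.

```python
import re
from collections import Counter

# Address and protocol part of a line in the style of `tcpdump -n -q` (assumed format).
LINE_RE = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (tcp|udp)", re.I)

# Traffic classes the article names as leaving outside the tunnel.
CLASSES = {("udp", 53): "DNS", ("tcp", 53): "DNS", ("tcp", 80): "HTTP",
           ("tcp", 443): "HTTPS", ("udp", 123): "NTP"}

def find_leaks(capture, phone_ip, vpn_endpoint):
    """List (class, dst_ip, dst_port) for packets the phone sent outside the tunnel.

    vpn_endpoint is the (ip, port) of the VPN server; only packets sent to
    exactly that pair count as tunnel traffic.
    """
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ARP, IPv6 and anything else this parser does not cover
        src, _sport, dst, dport, proto = m.groups()
        dport, proto = int(dport), proto.lower()
        if src != phone_ip or (dst, dport) == vpn_endpoint:
            continue  # another host, or the encrypted tunnel itself
        leaks.append((CLASSES.get((proto, dport), "OTHER"), dst, dport))
    return leaks

def summarize(leaks):
    """Count leaked packets per traffic class."""
    return dict(Counter(label for label, _dst, _port in leaks))

# Constructed capture (private and documentation address ranges, not real traffic).
SAMPLE = """\
12:00:01.10 IP 192.168.1.50.40001 > 198.51.100.7.51820: UDP, length 148
12:00:01.20 IP 192.168.1.50.40002 > 192.168.1.1.53: UDP, length 45
12:00:01.30 IP 192.168.1.50.40003 > 203.0.113.20.80: tcp 0
12:00:01.40 IP 192.168.1.50.40004 > 203.0.113.20.443: tcp 0
12:00:01.50 IP 192.168.1.50.40005 > 203.0.113.30.123: UDP, length 48
12:00:01.60 IP 192.168.1.77.40006 > 203.0.113.20.443: tcp 0
12:00:01.70 IP 198.51.100.7.51820 > 192.168.1.50.40001: UDP, length 92
"""

if __name__ == "__main__":
    found = find_leaks(SAMPLE, "192.168.1.50", ("198.51.100.7", 51820))
    for label, dst, port in found:
        print(f"outside tunnel: {label:5} -> {dst}:{port}")
    print(summarize(found))
```

Packets to the VPN server’s address on any port other than the tunnel port are reported as well, so a check sent to the same host outside the tunnel is not hidden by the allowlist.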

The problem goes deeper. VPNs on Android leak traffic data even on known networks where a captive portal is absent and a connectivity check is not required. This is why Mullvad VPN suggested that Google disable connectivity checks by default and give users the option to perform them when they feel they should, similar to the functionality in GrapheneOS, the privacy- and security-focused iteration of Android.

Additionally, Mullvad VPN pointed out that split tunneling is an opt-in feature that shouldn’t necessitate traffic data leaks, however small.

“The connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic. Even if the content of the message does not reveal anything more than ‘some Android device connected,’ the metadata (which includes the source IP) can be used to derive further information, especially if combined with data such as WiFi access point locations,” Mullvad VPN added.

The company also noted that the metadata being leaked would need to be de-anonymized, which requires a certain degree of sophistication on the part of the threat actor.

Google clarified that the data in question is available through the L2 connection anyway. “Even if you are fine with some traffic going outside the VPN tunnel, we think the name of the setting (‘Block connections without VPN’) and Android’s documentation around it is misleading,” Mullvad VPN said. “The impression a user gets is that no traffic will leave the phone except through the VPN.”


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
