Android devices leak a small amount of traffic by design, including the device's IP address and DNS and HTTP(S) requests, when they connect to a wireless network, even while a VPN is active. According to a security audit by Mullvad VPN, this leakage is inherent to the mobile operating system and is something that third-party VPN apps can neither prevent nor control.
The Europe-based VPN provider said that enabling Android's Always-on VPN and Block connections without VPN settings doesn't help either. Mullvad VPN found that the bug (Google argues it's a feature) is built into Android itself.
“We’ve looked at the feature request you reported and would like to let you know that this is working as intended,” a Google engineer told Mullvad VPN on the search giant's Issue Tracker page. “We don’t think such an option would be understandable to most users, so we don’t think there’s a strong reason for offering this option.”
Let’s see how VPNs work on Android.
When an Android device connects to a public network, it performs connectivity checks before it treats the connection as usable. Mullvad VPN discovered that, to conduct these checks, Android sends data outside the VPN tunnel that is supposed to shield the user's traffic from the network.
Block connections without VPN is an Android setting intended to prevent exactly this kind of leak, yet the leak still happens during the connectivity check. Google also pointed out that split tunneling can leak some traffic through the underlying network.
“We understand why the Android system wants to send this traffic by default. For example, if there is a captive portal [a webpage usually displayed after a device connects to a new public network] on the network, the connection is unusable until the user logs in,” Mullvad VPN wrote.
“So most users want the captive portal audit to take place and allow them to view and use the portal. However, this may pose a privacy issue for some users with certain threat models,” the company added.
The small amount of data that the OS exposes includes DNS lookups, HTTP(S) and possibly NTP traffic, and the user's IP address (as metadata), which is exactly what users want to shield by using a VPN.
The problem goes deeper. VPNs on Android leak this traffic even on known networks where there is no captive portal and no connectivity check is required. That's why Mullvad VPN suggested that Google disable connectivity checking by default and give users the option to enable it if they deem it necessary, similar to the behaviour of GrapheneOS, the privacy- and security-focused variant of Android.
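The practical question for a defender is how to verify on a real device whether anything is leaving over the physical interface instead of the tunnel. The following is an added example, not code from Mullvad VPN or Google: it classifies captured flows into tunneled traffic, the VPN's own encrypted transport, and leaks that bypass the tunnel, and labels each leak by the protocol the page names (DNS, HTTP, HTTPS, NTP). The interface names `tun0` and `wlan0`, the VPN endpoint `198.51.100.7:51820` and the sample capture lines are all constructed assumptions for the example.

```python
"""Flag Android traffic that bypasses the VPN tunnel.

Added example (not Mullvad's or Google's code). Assumptions, all constructed:
the tunnel interface is 'tun0', the Wi-Fi interface is 'wlan0', and the VPN
server endpoint is 198.51.100.7:51820.
"""
from dataclasses import dataclass

# Constructed sample capture in a tcpdump-like one-line format:
#   <iface> <proto> <src_ip>.<src_port> > <dst_ip>.<dst_port>
# Line 1 is the VPN's own transport, lines 2 and 6 ride inside the tunnel,
# lines 3 to 5 model the connectivity-check style leaks the article describes.
SAMPLE_FLOWS = """\
wlan0 UDP 192.0.2.10.41000 > 198.51.100.7.51820
tun0 TCP 10.64.0.2.44321 > 203.0.113.5.443
wlan0 UDP 192.0.2.10.53812 > 192.0.2.1.53
wlan0 TCP 192.0.2.10.50244 > 203.0.113.9.80
wlan0 UDP 192.0.2.10.60123 > 203.0.113.20.123
tun0 UDP 10.64.0.2.53000 > 10.64.0.1.53
"""

VPN_IFACE = "tun0"                    # assumed tunnel interface name
PHYSICAL_IFACE = "wlan0"              # assumed Wi-Fi interface name
VPN_ENDPOINT = ("198.51.100.7", 51820)  # constructed VPN server address/port

# Destination ports for the traffic types the article says can leak.
PORT_LABELS = {53: "dns", 80: "http", 443: "https", 123: "ntp"}


@dataclass(frozen=True)
class Flow:
    iface: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_flow(line: str) -> Flow:
    """Parse one capture line; ports are the last dot-separated field."""
    iface, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(".", 1)
    dst_ip, dst_port = dst.rsplit(".", 1)
    return Flow(iface, proto, src_ip, int(src_port), dst_ip, int(dst_port))


def classify(flow: Flow) -> str:
    """'tunneled' inside tun0, 'vpn-transport' to the VPN server, else 'leak'."""
    if flow.iface == VPN_IFACE:
        return "tunneled"
    if flow.iface == PHYSICAL_IFACE and (flow.dst_ip, flow.dst_port) == VPN_ENDPOINT:
        return "vpn-transport"
    return "leak"


def find_leaks(capture: str) -> list:
    """Return (protocol label, destination IP) for every flow that bypasses the tunnel."""
    leaks = []
    for line in capture.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if classify(flow) == "leak":
            leaks.append((PORT_LABELS.get(flow.dst_port, "other"), flow.dst_ip))
    return leaks


if __name__ == "__main__":
    for label, dst in find_leaks(SAMPLE_FLOWS):
        print(f"LEAK outside VPN tunnel: {label} to {dst}")
```

Any flow that is neither inside the tunnel nor the VPN's own encrypted transport to its server is reported; with the Block connections without VPN setting working as its name suggests, the report would be empty. On a rooted test device the same logic can be fed from a real `tcpdump` capture, since the classification only needs the interface, destination address and port of each packet.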
In addition, Mullvad VPN pointed out that split tunneling is an opt-in feature that shouldn’t require any traffic leaks, no matter how small.
“Link check traffic can be observed and analyzed by the party controlling the link check server and any entity observing network traffic. Even if the message content reveals nothing more than ‘any connected Android device’, the metadata (including the source IP) can be used to derive more information, especially when combined with data such as WiFi access point locations,” Mullvad VPN added.
The company also noted that making use of the leaked metadata would require de-anonymizing it, which demands a certain level of sophistication on the part of the attacker.
Google has clarified that the data in question is available over the L2 connection anyway. “While you’re ok with some traffic flowing outside the VPN tunnel, we think the setting name (‘Block connections without VPN’) and related Android documentation are misleading,” Mullvad VPN said. “The impression a user gets is that no traffic leaves the phone except through the VPN.”