Android’s design leaks some VPN traffic data, Google calls it ‘designed behavior’

Android devices with a VPN purposefully leak traffic, including IP addresses and DNS/HTTP(S) requests, when connecting to a wireless network. According to a security audit by Mullvad VPN, a small amount of data leakage is inherent to the mobile operating system, something that third-party VPNs cannot prevent or control.

The Europe-based VPN service provider said enabling always-on VPN and blocking connections without a VPN doesn’t help either. Mullvad VPN found that the bug (Google argues it’s a feature) is built into Android.

“We’ve reviewed the feature request you reported and would like to let you know that this is working as intended,” a Google engineer told Mullvad VPN on the search giant’s issue tracker page. “We don’t think such an option would be understandable to most users, so we don’t think there’s a strong reason for offering this option.”

Let’s see how VPNs work on Android.

When an Android device connects to a public network, it performs certain checks before the connection is considered usable. Mullvad VPN discovered that, to conduct these checks, Android sends data outside the encrypted tunnel that is meant to shield users’ traffic from the network.

“Block connections without VPN” is an Android setting designed to prevent exactly this, yet the leak can still happen during connectivity checks. Google also pointed out that split tunneling can leak some traffic through the underlying network.

“We understand why the Android system wants to send this traffic by default. For example, if there is a captive portal [a webpage that normally appears after a device connects to a new public network] on the network, the connection is useless until the user logs in there,” Mullvad VPN wrote.


“So most users want the captive portal audit to take place and allow them to view and use the portal. However, this may pose a privacy issue for some users with certain threat models,” the company added.

The small amount of data that the OS exposes includes DNS lookups, HTTP(S) and possibly NTP traffic, and the user’s IP address (as metadata), which is exactly what users want to shield by using a VPN.
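To make the leak classes above concrete, here is an added example (not code from the article or from Mullvad) that audits constructed flow records from a device with an active tunnel and reports any flow leaving a physical interface that is not the VPN transport itself; interface names, the VPN gateway address and the sample flows are all assumptions.

```python
# Added example (not from the article or Mullvad): a small audit over constructed
# flow records that flags traffic egressing the physical interface while the
# VPN tunnel is up, and buckets it into the classes the article lists.
from dataclasses import dataclass
from collections import Counter

VPN_TUN_IF = "tun0"             # assumption: the VPN's tunnel interface name
PHYS_IFS = {"wlan0", "rmnet0"}  # assumption: Wi-Fi and mobile-data interfaces
VPN_SERVER = "203.0.113.10"     # constructed: the VPN gateway's public address

@dataclass(frozen=True)
class Flow:
    iface: str
    proto: str   # "udp" or "tcp"
    dst: str
    dport: int

def classify(flow: Flow) -> str:
    """Map a flow to one of the traffic classes the article says can leak."""
    if flow.proto == "udp" and flow.dport == 53:
        return "dns"
    if flow.proto == "udp" and flow.dport == 123:
        return "ntp"
    if flow.proto == "tcp" and flow.dport in (80, 443):
        return "http(s)"
    return "other"

def find_leaks(flows):
    """Flows that bypass the tunnel: they leave on a physical interface and are
    not the encrypted transport to the VPN server itself."""
    return [f for f in flows if f.iface in PHYS_IFS and f.dst != VPN_SERVER]

def leak_summary(flows):
    """Count leaked flows per traffic class, e.g. {'dns': 1, 'http(s)': 1}."""
    return dict(Counter(classify(f) for f in find_leaks(flows)))

# Constructed sample: roughly what an on-device capture might show during a
# Wi-Fi join with always-on VPN enabled (documentation addresses, not real hosts).
SAMPLE_FLOWS = [
    Flow("wlan0", "udp", VPN_SERVER, 51820),    # tunnel transport: not a leak
    Flow("tun0",  "tcp", "198.51.100.7", 443),  # inside the tunnel: not a leak
    Flow("wlan0", "udp", "192.0.2.53", 53),     # DNS lookup outside the tunnel
    Flow("wlan0", "tcp", "192.0.2.80", 80),     # HTTP connectivity check
    Flow("wlan0", "udp", "192.0.2.123", 123),   # NTP sync outside the tunnel
]

if __name__ == "__main__":
    for f in find_leaks(SAMPLE_FLOWS):
        print(f"LEAK {classify(f):8} {f.iface} -> {f.dst}:{f.dport}/{f.proto}")
    print(leak_summary(SAMPLE_FLOWS))
```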

The problem goes deeper. VPNs on Android leak traffic even on known networks where there is no captive portal and connectivity testing is not required. For this reason, Mullvad VPN has suggested to Google that it disable connectivity checks by default and give users the option to enable them if they deem it necessary, which is similar to the behavior of GrapheneOS, the privacy- and security-focused variant of Android.

In addition, Mullvad VPN pointed out that split tunneling is an opt-in feature that shouldn’t require any traffic leaks, no matter how small.

“Link check traffic can be observed and analyzed by the party controlling the link check server and any entity observing network traffic. Even if the message content reveals nothing more than ‘a connected Android device,’ the metadata (including the source IP) can be used to derive more information, particularly when combined with data such as WiFi access point locations,” Mullvad VPN added.

The company also noted that the leaked metadata would still need to be de-anonymized, which requires a certain level of sophistication on the part of the attacker.

Google has clarified that the data in question is available over the L2 connection anyway. “While you’re ok with some traffic flowing outside the VPN tunnel, we think the setting’s name (‘Block connections without VPN’) and related Android documentation are misleading,” Mullvad VPN said. “The impression a user gets is that no traffic leaves the phone except through the VPN.”
