
Swedish VPN provider Mullvad VPN has found that Android leaks certain information outside a VPN tunnel, such as IP addresses, DNS lookups, and HTTPS traffic, every time a device connects to a WiFi network. Mullvad said the devices leak traffic even when features like “Always-on VPN” are turned on.

Android devices offer a setting called “Block connections without VPN,” which is described as blocking any network traffic that does not flow through a VPN tunnel. However, Mullvad said this description is untrue and that users are not aware of it. It has written to Google urging it to provide a more accurate description of the feature.

On a similar note, Mullvad VPN has asked Google to make certain changes to prevent devices from leaking data when the “Block connections without VPN” setting is turned on.

Traffic leaking outside a VPN tunnel is not just an Android problem. In August, a researcher found that certain iOS devices leaked traffic outside of the VPN tunnel to communicate with Apple services such as FaceTime and Game Center. In that instance, the researcher ran his experiment using ProtonVPN and OVPN.

Android Urged to Disable Connectivity Checks

The issue stems from a design choice built into the Android operating system. Android devices run connectivity checks when connecting to WiFi networks, which forces some traffic to travel outside a VPN tunnel. Mullvad found that these devices leak connectivity check traffic even if the “Always-on VPN” feature is on.

Mullvad VPN made the discovery while conducting a security audit that has not been published yet. In an attempt to resolve the issue, the provider has raised a feature request with Google’s Issue Tracker. However, a Google engineer said the feature was functioning normally and that Google does not plan on changing it.

“We have looked into the feature request you have reported and would like to inform you that this is working as intended. We do not think such an option would be understandable by most users, so we don’t think there is a strong case for offering this,” the Google engineer said.

Privacy Impact of Android’s Connectivity Check Traffic Leak

The engineer also provided reasons for the feature’s functionality and questioned what the specific privacy impact would be. To this, Mullvad pointed out that the party controlling the connectivity check server will have access to the traffic. The party will also have the ability to deduce metadata and other information from the leaked traffic.

“Even if the content of the message does not reveal anything more than ‘some Android device connected,’ the metadata (which includes the source IP) can be used to derive further information, especially if combined with data such as WiFi access point locations,” Mullvad stated.

“However, as such a de-anonymization attempt would require a quite sophisticated actor, most of our users are probably unlikely to consider it a significant risk,” it added.

Mullvad made another request concerning the description of the “Block connections without VPN” setting. Mullvad found that certain traffic is exempt from this setting. This includes connectivity checks, NTP (Network Time Protocol) traffic, and certain incoming traffic. The provider says updating the documentation is important because it has the potential to impact user privacy.

Mullvad made the request on September 30, before asking Google to disable connectivity checks on Android.
