When connecting to a new Wi-Fi network, Android devices are designed to leak user information, but even the most powerful VPN services cannot stop it.
During a recent security review, Mullvad VPN identified the flaw, stating that the data leakage occurs even when the "Block connections without VPN" (VPN lockdown) and/or "Always-on VPN" options are enabled.
People's real IP address, DNS lookups, HTTPS, and NTP traffic are some of the data exposed during the connectivity check.
The leak does not appear to be a malfunction. Google has explained that both of the features function as intended.
Tweet (October 10, 2022): "When doing its connectivity check, Android leaks traffic, and neither VPN services nor you can prevent it." https://t.co/FPhqyYXii
Android features deceiving VPN users
A VPN is a way for people, among other things, to encrypt their internet traffic while hiding their real IP address and location. This allows access to censored sites, avoids bandwidth throttling, and supports online anonymity, the latter being especially important on public Wi-Fi connections.
However, certain wireless networks (hotel or public transportation Wi-Fi, for example) require a connectivity check before a connection is established. It is exactly on these occasions that Android discloses some traffic outside the VPN, whether or not the option to block unprotected connections has been activated.
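One way to spot this on a captured trace, as an added example that is not part of the article or of Mullvad's work: any flow that leaves on the Wi-Fi interface and is not the tunnel's own encrypted transport has bypassed the VPN. The interface names, the VPN endpoint and the flow records below are constructed assumptions.

```python
"""Flag traffic that left an Android device outside the VPN tunnel.

Added example, not from the article or Mullvad. The flow records are a
constructed sample in the shape a capture summary might produce.
"""
from collections import defaultdict
from dataclasses import dataclass

VPN_IFACE = "tun0"                              # assumed tunnel interface name
VPN_ENDPOINT = ("203.0.113.10", "udp", 51820)   # assumed VPN server (documentation range)
# Traffic kinds the article says the connectivity check sends outside the tunnel
CHECK_KINDS = {("udp", 53): "DNS", ("tcp", 443): "HTTPS", ("udp", 123): "NTP"}


@dataclass(frozen=True)
class Flow:
    iface: str   # interface the packets left on
    src: str     # source address as seen on that interface
    dst: str
    proto: str
    dport: int


def is_vpn_transport(f):
    """The encrypted tunnel itself must leave on the physical interface; that is not a leak."""
    return (f.dst, f.proto, f.dport) == VPN_ENDPOINT


def find_leaks(flows):
    """Return flows that bypassed the tunnel, grouped by kind (DNS/HTTPS/NTP/other)."""
    leaks = defaultdict(list)
    for f in flows:
        if f.iface == VPN_IFACE or is_vpn_transport(f):
            continue
        leaks[CHECK_KINDS.get((f.proto, f.dport), "other")].append(f)
    return dict(leaks)


def exposed_source_ips(leaks):
    """The real addresses the network operator saw on the leaked flows."""
    return sorted({f.src for fs in leaks.values() for f in fs})


SAMPLE_FLOWS = [  # constructed: a phone joining Wi-Fi with lockdown on
    Flow("wlan0", "192.0.2.23", "203.0.113.10", "udp", 51820),  # tunnel transport, expected
    Flow("tun0", "10.64.0.2", "198.51.100.5", "tcp", 443),      # inside the tunnel, fine
    Flow("wlan0", "192.0.2.23", "192.0.2.1", "udp", 53),        # DNS for the check, leaked
    Flow("wlan0", "192.0.2.23", "198.51.100.9", "tcp", 443),    # HTTPS connectivity check, leaked
    Flow("wlan0", "192.0.2.23", "198.51.100.7", "udp", 123),    # NTP sync, leaked
]

if __name__ == "__main__":
    leaks = find_leaks(SAMPLE_FLOWS)
    for kind, fs in leaks.items():
        print(f"{kind}: {len(fs)} flow(s) left via {fs[0].iface}")
    print("real IP exposed to the network:", exposed_source_ips(leaks))
```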
In a blog post, Mullvad VPN said: "We understand why the Android system intends to send this traffic by default. This can, however, be a privacy concern for some users with certain threat models."
Following Mullvad's request for an additional feature to disable these connectivity checks when VPN lockdown is on, Google developers explained that the leak is actually a design choice.
The company claims that certain VPN apps depend on these checks to function effectively. The developers said that there are also exemptions that might be riskier, such as those applied to certain privileged applications, and they believe the privacy impact is minimal.
Mullvad, however, believes that the requested feature would be beneficial for users. Most importantly, the provider is calling on the tech giant to at least be more transparent about its features.
"We believe the description of the setting ('Block connections without VPN') and Android's documentation are misleading. The user's perception is that no traffic will leave the phone except through the VPN."
What's at stake for Android users?
According to Google, the privacy concern is negligible for most people. However, Mullvad believes that the exposed metadata might be enough for experienced attackers to de-anonymize and track down users.
"The connection check traffic can be observed and examined by the party controlling the connectivity check server and any entity observing the network traffic," said the secure VPN provider.
"Even if the content of the message does not reveal anything more than 'some Android device connected,' the metadata (which includes the source IP) may be used to collect further information, particularly if combined with data such as Wi-Fi access point locations."
This may not matter to everyday users, but it could negatively affect those for whom privacy is paramount. Those users have probably switched on the VPN lockdown feature for exactly this reason.