Mullvad, a VPN provider focused on security and privacy, has identified a potential data leakage issue on Android devices while they are connected to VPN services. This issue cannot be mitigated.
According to Mullvad’s findings, Android conducts connectivity checks outside the VPN tunnel when devices connect to wireless networks. What exacerbates this situation is that this occurs even when the security feature “Block connections without VPN” is enabled on the device.
The data connections occurring beyond the VPN’s protection are intentionally designed. Mullvad provides the example of captive portals on networks, which necessitate user authentication before granting connectivity. Most Android users may find these checks beneficial, as per Mullvad.
The revelation of this data leakage raises privacy concerns among some users. When employing VPNs on Android, users might assume that their connections are safeguarded against leaks. However, both the entity controlling the connectivity check server and any entity monitoring network traffic could potentially access this data. This metadata includes the source IP address and could be used to extract additional information, albeit this would require a “sophisticated actor,” according to Mullvad.
Unfortunately, Android lacks user-facing options to disable traffic that occurs outside the VPN tunnel. Mullvad has released a technical guide on how to disable connectivity checks on Android, which requires the use of development tools.
Mullvad has reported this issue to Google, but the response from Google is a “won’t fix” status, with Google asserting that this behavior is intentional. Google’s primary arguments are that other traffic is also exempt from this, some VPNs may rely on the connectivity information, and very little data is exposed during these checks. Mullvad, on the other hand, argues that data leakage is a concern for some users and that these users should have the option to block any leaky traffic if they desire.
For Android users seeking comprehensive protection against leaks, their only recourse is to follow Mullvad’s guide to block these external connections.