Mullvad, a VPN provider, has identified a privacy concern for Android users: devices may inadvertently leak information when connected to VPNs. This issue arises because Android performs connectivity checks outside the VPN tunnel, even with the “Block connections without VPN” security feature enabled. These checks, designed for functions like authenticating on captive portals, occur independently of the VPN connection.
The concern centers on the potential exposure of user data, including source IP addresses, to those controlling connectivity check servers or monitoring network traffic. Such data could be exploited by sophisticated entities for further analysis. Mullvad stresses that while most Android users might not object to these checks, the privacy implications are significant for those relying on VPNs for complete security.
Android lacks user-facing options to disable this external traffic, prompting Mullvad to publish a technical guide on how to manually disable these connectivity checks. However, Google has responded to this issue by classifying it as intended behavior, arguing that the data revealed is minimal and the option to disable such traffic might confuse most users. They also point out that some VPNs may utilize this connectivity information.
Mullvad counters by emphasizing the importance of offering users the choice to prevent any potential data leaks. For Android users seeking absolute leak protection, the only current solution is to follow Mullvad’s guide to modify device settings and block these external connections.