Mullvad: Android can leak information when connected to a VPN


Secure and private VPN provider Mullvad discovered that Android devices can leak information when connected to VPN services, a leak that cannot be prevented.

According to Mullvad, Android performs connectivity checks outside the VPN tunnel when devices connect to wireless networks. What makes this worse is that this happens even if the security feature “Block connections without VPN” is enabled on the device.

The data connections that take place outside the VPN tunnel are intentional. Mullvad gives the example of captive portals on networks, which require users to authenticate before connectivity becomes available. Most Android users may want these checks, Mullvad notes.

Information leakage raises privacy concerns for some. Users may think that their connection is protected from leaks when using VPNs on Android. The entity that controls the connectivity check server and any entity that monitors the network traffic can obtain the data. The metadata includes the source IP address and can be used to “get more information,” Mullvad said; that would require an “advanced actor”, according to the company.

Android does not include user-facing options to disable traffic outside the VPN tunnel. Mullvad has published a guide on how to disable connectivity checks on Android. It requires development tools and is technical in nature.

The company reported the issue to Google, which responded with a “not resolved” status for the issue, stating that it was intended behavior.

“We’ve investigated the feature request you reported and would like to let you know that it works as intended. We don’t think such an option will be understandable to most users, so we don’t think there’s a strong case for this offering.”

Google’s main arguments are that other traffic is also exempt from this, that some VPNs can use the connectivity information, and that little data is revealed during these checks. Mullvad argues that data leakage is of concern to some users and that these users should be given an option to block any leaked traffic.

Android users who need full protection against leaks have only one option: modify the device using Mullvad’s guide to prevent these connections from happening.

Now you: Do you use VPN connections on your mobile devices?

Author: Martin Brinkmann

Publisher: News about Ghacks Technology