Famed VPN company Mullvad has found that Android circumvents VPNs and leaks data, raising privacy implications.
Mullvad is one of the leading VPN providers and consistently wins praise for being one of the most secure and private options on the market. Unlike many companies in the space, Mullvad has traceable ownership, anonymous payments, and has been audited by a third party.
In one of its latest security audits, Mullvad discovered an issue with Android. According to the company’s blog, the mobile operating system bypasses VPNs and leaks data, even when the “Block connections without VPN” option is enabled:
We researched the reported leak, and concluded that Android sends connectivity checks outside the VPN tunnel. It does this every time the device connects to a WiFi network, even when the Block connections without VPN setting is enabled.
We understand why the Android system wants to send this traffic by default. If for instance there is a captive portal on the network, the connection will be unusable until the user has logged in to it. So most users will want the captive portal check to happen and allow them to display and use the portal. However, this can be a privacy concern for some users with certain threat models. As there seems to be no way to stop Android from leaking this traffic, we have reported it on the Android issue tracker.
Mullvad’s report outlines the potential privacy implications:
The connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic. Even if the content of the message does not reveal anything more than “some Android device connected”, the metadata (which includes the source IP) can be used to derive further information, especially if combined with data such as WiFi access point locations. However, as such a de-anonymization attempt would require a quite sophisticated actor, most of our users are probably unlikely to consider it a significant risk.
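As an added illustration of the behaviour Mullvad describes (not code from Mullvad or the article), the check below runs over a constructed flow capture from a device with a VPN up: it flags traffic that left on the WiFi interface rather than the tunnel, and summarizes what the connectivity-check server or an on-path observer would learn from it. The interface names, the destination host and all addresses are assumptions.

```python
"""Flag flows that leave a device on a physical interface while a VPN tunnel is up."""
from dataclasses import dataclass

TUNNEL_IFACE = "tun0"        # assumed name of the VPN tunnel interface
PHYSICAL_IFACES = {"wlan0"}  # assumed name of the WiFi interface

@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since capture start
    iface: str   # interface the packet left on
    src: str     # source address in the capture (an observer sees the WiFi network's NAT address)
    dst: str     # destination host
    dport: int   # destination port

# Constructed sample capture: the device joins WiFi at t=0 and again at t=60; each
# join is followed by an HTTP connectivity probe on wlan0, outside the tunnel,
# while the user's own traffic correctly goes through tun0.
SAMPLE_FLOWS = [
    Flow(0.4, "wlan0", "192.168.1.23", "connectivity-check.example", 80),
    Flow(0.9, "tun0", "10.64.0.2", "example.org", 443),
    Flow(60.3, "wlan0", "192.168.1.23", "connectivity-check.example", 80),
    Flow(61.0, "tun0", "10.64.0.2", "example.org", 443),
]

def find_leaks(flows, vpn_up_intervals):
    """Return flows that left on a physical interface while the VPN was up.
    vpn_up_intervals is a list of (start, end) pairs in capture seconds."""
    def vpn_up(ts):
        return any(start <= ts <= end for start, end in vpn_up_intervals)
    return [f for f in flows if f.iface in PHYSICAL_IFACES and vpn_up(f.ts)]

def observer_view(leaks):
    """What the check server (or anyone on path) learns per destination: the
    source address outside the tunnel and how many times the device connected."""
    view = {}
    for f in leaks:
        entry = view.setdefault(f.dst, {"source_ips": set(), "events": 0})
        entry["source_ips"].add(f.src)
        entry["events"] += 1
    return view

if __name__ == "__main__":
    leaks = find_leaks(SAMPLE_FLOWS, [(0.0, 120.0)])
    for f in leaks:
        print(f"leak at t={f.ts}s: {f.iface} -> {f.dst}:{f.dport} from {f.src}")
    print(observer_view(leaks))
```

Run against a real capture, the same logic needs only the interface names and the VPN up/down times from the device's own logs.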
There are third-party versions of Android designed to be more privacy- and security-oriented. CalyxOS and GrapheneOS are two such examples: both build on the open-source version of Android, before Google loads it up with its own software, and release it.
GrapheneOS is already immune to this particular issue, and the CalyxOS devs are working on the issue.