Is Android quietly undermining your VPN service?

Mullvad VPN sounds alarm over data leak discovered during security audit

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

It has been discovered thatAndroid devicesare designed to leak some user data when connecting to a new Wi-Fi network, and even thebest VPNservices cannot stop it.

Mullvad VPNidentified the quirk during a recent security audit, reporting that data leakage also occurs when the “Block connections without VPN (or VPN lockdown)” and/or “Always-on VPN” options are enabled.

The data exposed during the connectivity check includes people’s realIP address, DNS lookups, HTTPS and NTP traffic.

However, the leak does not appear to be a malfunction. In response to questions from the provider,Googleexplained that both of the features work as intended.

Android leaks traffic when performing its connectivity check and neither VPN services nor you can prevent it, https://t.co/FPhhqyYXiiOctober 10, 2022

Android features deceiving VPN users

AVPNis a tool that people use, among other things, to encrypt internet traffic while hiding their real IP location. This allows access to censored sites, avoids bandwidth throttling and secures online anonymity - the latter point being especially important on public Wi-Fi connections.

However, certain wireless networks (like hotel or public transport Wi-Fi, for example) might require a connectivity check before establishing the connection. And it’s exactly on these occasions thatAndroid VPN servicesleak some traffic details, whether or not the option to block unprotected connections has been activated.

“We understand why the Android system wants to send this traffic by default,” wrote  Mullvad VPN in ablog post. “However, this can be a privacy concern for some users with certain threat models.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

VPNs on iOS are “broken” and Apple doesn’t seem to be doing anything to fix it>How to protect your privacy on your Android phone>Our pick of the best Android VPN apps around right now

FollowingMullvad’s requestfor an additional option to disable these connectivity checks when the “VPN lockdown” is on, Google developers explained that the leak is actually a design choice.

Specifically, the company claims that some VPN apps rely on these checks to properly function. The developers also said there are other exemptions that might be more risky, like those applied to some privileged applications. They also believe that the impact on users' privacy is minimal.

After taking into consideration the points raised by Google, Mullvad still thinks that its suggested additional feature could be beneficial for users. Most importantly, the provider is calling the big tech giant toat leastbe more transparent about its features.

“Even if you are fine with some traffic going outside the VPN tunnel, we think the name of the setting (‘Block connections without VPN’) andAndroid’s documentationaround it is misleading. The impression a user gets is that no traffic will leave the phone except through the VPN.”

What’s at stake for Android users?

According to Google, the privacy risks are basically non-existent for most people. However, Mullvad argues that the metadata exposed could be enough for experienced hackers to de-anonymize this information and track down users.

“The connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic,” explained thesecure VPNprovider.

“Even if the content of the message does not reveal anything more than ‘some Android device connected,’ the metadata (which includes the source IP) can be used to derive further information, especially if combined with data such as Wi-Fi access point locations.”

This might not be relevant for everyday users, but it could negatively affect those for whom privacy is paramount. After all, it’s likely they have turned on the VPN lockdown featureexactlyfor this reason.

TechRadar Prohas contacted Google for further information, but did not receive an immediate response.

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up.She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com

Is it still worth using Proton VPN Free?

Mozambique VPN usage soars as internet restrictions continue

I’ve used Genmoji and now I’m convinced Apple Intelligence will be a huge success