It has been discovered that Android devices are designed to leak some user data when connecting to a new Wi-Fi network, and even the best VPN services cannot stop it.
Mullvad VPN identified the quirk during a recent security audit, reporting that data leakage also occurs when the "Block connections without VPN (or VPN lockdown)" and/or "Always-on VPN" options are enabled.
The data exposed during the connectivity check includes people's real IP address, DNS lookups, HTTPS and NTP traffic.
However, the leak does not appear to be a malfunction. In response to questions from the provider, Google explained that both of the features work as intended.
Android leaks traffic when performing its connectivity check and neither VPN services nor you can prevent it, https://t.co/FPhhqyYXiiOctober 10, 2022
Android features deceiving VPN users
A VPN is a tool that people use, among other things, to encrypt internet traffic while hiding their real IP location. This allows access to censored sites, avoids bandwidth throttling and secures online anonymity - the latter point being especially important on public Wi-Fi connections.
However, certain wireless networks (like hotel or public transport Wi-Fi, for example) might require a connectivity check before establishing the connection. And it's exactly on these occasions that Android VPN services leak some traffic details, whether or not the option to block unprotected connections has been activated.
"We understand why the Android system wants to send this traffic by default," wrote Mullvad VPN in a blog post. "However, this can be a privacy concern for some users with certain threat models."
Following Mullvad's request for an additional option to disable these connectivity checks when the "VPN lockdown" is on, Google developers explained that the leak is actually a design choice.
Specifically, the company claims that some VPN apps rely on these checks to properly function. The developers also said there are other exemptions that might be more risky, like those applied to some privileged applications. They also believe that the impact on users' privacy is minimal.
After taking into consideration the points raised by Google, Mullvad still thinks that its suggested additional feature could be beneficial for users. Most importantly, the provider is calling the big tech giant to at least be more transparent about its features.
"Even if you are fine with some traffic going outside the VPN tunnel, we think the name of the setting ('Block connections without VPN') and Android’s documentation around it is misleading. The impression a user gets is that no traffic will leave the phone except through the VPN."
What's at stake for Android users?
According to Google, the privacy risks are basically non-existent for most people. However, Mullvad argues that the metadata exposed could be enough for experienced hackers to de-anonymize this information and track down users.
"The connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic," explained the secure VPN provider.
"Even if the content of the message does not reveal anything more than 'some Android device connected,' the metadata (which includes the source IP) can be used to derive further information, especially if combined with data such as Wi-Fi access point locations."
This might not be relevant for everyday users, but it could negatively affect those for whom privacy is paramount. After all, it's likely they have turned on the VPN lockdown feature exactly for this reason.
TechRadar Pro has contacted Google for further information, but did not receive an immediate response.