Is Android quietly undermining your VPN service?


It has been discovered that Android devices are designed to leak some user data when connecting to a new Wi-Fi network, and even the best VPN services cannot stop it. 

Mullvad VPN identified the quirk during a recent security audit, reporting that data leakage also occurs when the "Block connections without VPN" (or VPN lockdown) and/or "Always-on VPN" options are enabled.

The data exposed during the connectivity check includes people's real IP address, DNS lookups, HTTPS and NTP traffic.

However, the leak does not appear to be a malfunction. In response to questions from the provider, Google explained that both of the features work as intended. 

Android features deceiving VPN users 

A VPN is a tool that people use, among other things, to encrypt internet traffic while hiding their real IP location. This allows access to censored sites, avoids bandwidth throttling and secures online anonymity - the latter point being especially important on public Wi-Fi connections. 

However, certain wireless networks (like hotel or public transport Wi-Fi, for example) might require a connectivity check before establishing the connection. And it's exactly on these occasions that Android VPN services leak some traffic details, whether or not the option to block unprotected connections has been activated. 

"We understand why the Android system wants to send this traffic by default," wrote Mullvad VPN in a blog post. "However, this can be a privacy concern for some users with certain threat models."

Following Mullvad's request for an additional option to disable these connectivity checks when the "VPN lockdown" is on, Google developers explained that the leak is actually a design choice.

Specifically, the company claims that some VPN apps rely on these checks to properly function. The developers also said there are other exemptions that might be more risky, like those applied to some privileged applications. They also believe that the impact on users' privacy is minimal.

After taking into consideration the points raised by Google, Mullvad still thinks that its suggested additional feature could be beneficial for users. Most importantly, the provider is calling on the tech giant to at least be more transparent about its features.

"Even if you are fine with some traffic going outside the VPN tunnel, we think the name of the setting ('Block connections without VPN') and Android’s documentation around it is misleading. The impression a user gets is that no traffic will leave the phone except through the VPN."  

What's at stake for Android users?

According to Google, the privacy risks are basically non-existent for most people. However, Mullvad argues that the metadata exposed could be enough for experienced hackers to de-anonymize this information and track down users. 

"The connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic," explained the secure VPN provider. 

"Even if the content of the message does not reveal anything more than 'some Android device connected,' the metadata (which includes the source IP) can be used to derive further information, especially if combined with data such as Wi-Fi access point locations."

This might not be relevant for everyday users, but it could negatively affect those for whom privacy is paramount. After all, it's likely they have turned on the VPN lockdown feature exactly for this reason. 

TechRadar Pro has contacted Google for further information, but did not receive an immediate response.

Chiara Castro
News Editor (Tech Software)
