

Android Leaks Wi-Fi Traffic Even When VPN Protection Features Are On




Android devices leak some traffic when connected to a Wi-Fi network, even when features to protect data sent over the public internet using virtual private networks (VPNs) are enabled.

The issue could punch a hole in a user’s ability to remain anonymous when using a VPN to encrypt data sent from an Android device over public Wi-Fi, allowing a potential attacker to monitor a user’s traffic and even locate someone, the researchers noted.

A security audit conducted by Mullvad VPN identified the issue, which it reported to Google’s Android team. It found that the Android mobile operating system, which has nearly 3 billion users worldwide, sends connectivity checks outside the VPN tunnel.

“It does this every time the device connects to a Wi-Fi network, even when the Block connections without VPN is enabled,” they wrote in the post. “Connection verification traffic may be observed and analyzed by the party controlling the connectivity verification server and any entity observing network traffic.”

This could allow a threat actor to derive information beyond just the fact that the Android device is connected, such as a user’s location if “combined with data such as Wi-Fi hotspot locations,” noted the Mullvad researchers.
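One way to audit for this behavior from the network side, given as an added example that is not taken from Mullvad's post or from Android: scan a capture taken at the Wi-Fi gateway and list every packet the phone sent to anything other than the VPN server. The capture lines, the addresses (documentation ranges) and the `find_leaks` name are constructed for illustration.

```python
import re

# Constructed tcpdump-style lines as a Wi-Fi gateway might record them.
# Addresses are documentation ranges, not values from the article.
CAPTURE = """\
12:00:01.100 IP 192.0.2.10.51820 > 203.0.113.5.51820: UDP, length 148
12:00:01.350 IP 192.0.2.10.40112 > 192.0.2.1.53: UDP, length 45
12:00:01.420 IP 192.0.2.10.38544 > 198.51.100.7.80: Flags [S], length 0
12:00:01.600 IP 203.0.113.5.51820 > 192.0.2.10.51820: UDP, length 92
12:00:01.900 IP 192.0.2.77.50022 > 198.51.100.9.443: Flags [S], length 0
12:00:02.000 IP 192.0.2.10.51820 > 203.0.113.5.51820: UDP, length 96
"""

# timestamp, "IP", src.port > dst.port:
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
)


def find_leaks(capture, device_ip, vpn_ip, vpn_port):
    """Return (time, dst_ip, dst_port) for each packet the device sent
    on Wi-Fi to anything other than the VPN server endpoint."""
    leaks = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or m["src"] != device_ip:
            continue  # unparsable line, inbound packet, or another host
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) != (vpn_ip, vpn_port):
            leaks.append((m["ts"], dst, dport))
    return leaks


if __name__ == "__main__":
    # Assumed setup: phone at 192.0.2.10, VPN server at 203.0.113.5:51820.
    for ts, dst, dport in find_leaks(CAPTURE, "192.0.2.10", "203.0.113.5", 51820):
        print(f"{ts} outside tunnel -> {dst}:{dport}")
```

With “Block connections without VPN” enabled, an empty result is what the setting's documentation implies; any entry is traffic that left the phone outside the tunnel.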

Android, for its part, says the feature works as expected and no patch is needed.

Default behavior defense

It makes sense for Android to send connectivity check traffic by default, such as when there is a captive portal on the network, the Mullvad researchers acknowledged.

In this case, the connection will be unusable until the user logs into it, “so most users will want the captive portal check to occur and allow them to view and use the portal,” the researchers wrote.

Still, since there appears to be no way to prevent Android from leaking this traffic, the issue remains unresolved and potentially a risk for some users, the researchers said. Additionally, Android’s current documentation of how the OS blocks non-VPN connections is misleading, they wrote, even if a user is “ok with some traffic leaving the VPN tunnel.”

Since it would take a “sophisticated actor” to use connectivity checks against someone using an Android phone, “most of our users probably don’t see it as a significant risk,” the researchers acknowledged.

But the feature as it is currently documented by Android gives the user the impression that “no traffic will leave the phone except through the VPN” when the feature is enabled, which is not the case, the Mullvad researchers said.

Earlier, on September 29, Mullvad posted on the Android IssueTracker suggesting a change to the documentation regarding the “Block connections without VPN” feature to alert users to possible data leaks.

To remedy this problem, the researchers suggested adding “except connectivity controls” for clarification to documentation references that claim the feature allows people using a device or an IT administrator to force all traffic to use the VPN, or block all network traffic that does not use the VPN. The question remains unresolved.

Dark Reading has reached out to Android for comment.

Connectivity checks work as expected

Researchers reported the actual leak of mobile system connectivity data to Android on its IssueTracker message board site. Android responded quickly that it was looking into the matter.

A Google engineer then defended the current state of the “Block connections without VPN” feature, responding that the status of the issue is “Won’t be fixed” because “it works as expected” in a comment posted on October 6.

The engineer gave four reasons for refusing to add an option in Android to disable connectivity checks. One is that the VPN may actually rely on the result of these connectivity checks, while another is that the VPN may be a split tunnel, leaving some traffic on the underlying network, or affecting only a given set of applications.

Additionally, connectivity checks are far from the only thing exempt from VPN, as privileged apps can also bypass VPN, which is necessary for them to function in many cases, the engineer said.

Finally, Google’s position is that it is unclear what specific impact the issue has on privacy, as “connectivity checks reveal there is an Android device at this address, which is very clear from the L2 connection and traffic going through the VPN anyway,” according to the engineer.

High risk

Mullvad’s argument that the leak could pose a threat to some users is certainly valid, especially given the heightened interest of state-sponsored threat actors in using spyware and other means to monitor and even persecute high-profile Android users such as journalists, activists, academics, and politicians.

VPNs are intended to ensure that the network connections using them encrypt internet traffic on public networks, which means they use the IP address of a designated VPN service rather than someone’s public IP address. This allows high-risk users who know they need extra security when their devices are connected to public Wi-Fi networks to hide their activity from prying eyes.

Mullvad acknowledged that there’s nothing the company or anyone else can do to fix Android leaks if Google doesn’t take steps to change the operating system.

However, there is an Android-based distro, GrapheneOS, that gives users the ability to disable connectivity checks in the mobile operating system, the researchers said. With this feature enabled in devices using the distro, Mullvad researchers said they could not observe connections.

In light of this, the researchers reiterated their position that Google should consider adopting this same capability to disable connectivity checks in stock Android, they concluded in their post.