Mullvad: Android may leak information when connected to a VPN

Martin Brinkmann
Oct 15, 2022

Secure and private VPN provider Mullvad discovered that Android devices may leak information when connected to VPN services, which can't be prevented.

According to Mullvad, Android performs connectivity checks outside of the VPN tunnel whenever a device connects to a wireless network. Worse, this happens even if the security feature "Block connections without VPN" is enabled on the device.

The data connections that take place outside the VPN tunnel are intentional. Mullvad gives the example of captive portals, which require users to authenticate before connectivity becomes available. Most Android users may want these checks, Mullvad notes.


The leaking of information raises privacy concerns for some. Users may believe that their connection is protected against leaks when they use VPNs on Android. The entity that controls the connectivity check server, and any entity monitoring network traffic, may obtain the data. The metadata includes the source IP address and may be used to "derive further information", according to Mullvad, though the company says this would require a "sophisticated actor".

Android does not include user-facing options to disable traffic that travels outside the VPN tunnel. Mullvad published a guide on disabling connectivity checks on Android. It requires development tools and is technical in nature.

The company reported the issue to Google, which responded with a "won't fix" status for the issue, stating that it is intended behavior.

"We have looked into the feature request you have reported and would like to inform you that this is working as intended. We do not think such an option would be understandable by most users, so we don't think there is a strong case for offering this."

Google's main arguments are that other traffic also bypasses the VPN tunnel, that some VPNs might rely on the connectivity information, and that little data is revealed during these checks. Mullvad argues that the leaking of data matters to some users, and that these users should get an option to block any leaky traffic if they want to.

Android users who need full protection against leaks have only one option: to modify the device using Mullvad's guide to block these connections from happening.
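One practical question the article leaves open is how to confirm whether connectivity-check traffic still leaves the device outside the tunnel after following a guide like Mullvad's. The script below is an added example, not code from Mullvad, Google or Ghacks. It audits a simple per-request log (assumed format: "<interface> <host> <path>", as you might export from an on-device packet capture) and flags requests to the connectivity-check endpoints quoted later on this page from the GrapheneOS FAQ when they appear on a non-tunnel interface. The sample log lines are constructed, and the assumption that the VPN interface is named tun0 is just that.

```python
"""Audit a request log for Android connectivity checks sent outside the VPN.

Added example (not Mullvad's, Google's or Ghacks' code). Assumed input format:
one request per line, "<iface> <dst_host> <request_path>". Sample lines are
constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Connectivity-check URLs as quoted on this page (stock Android and GrapheneOS).
CONNECTIVITY_CHECK_URLS = [
    "https://www.google.com/generate_204",
    "http://connectivitycheck.gstatic.com/generate_204",
    "http://www.google.com/gen_204",
    "http://play.googleapis.com/generate_204",
    "https://connectivitycheck.grapheneos.network/generate_204",
    "http://connectivitycheck.grapheneos.network/generate_204",
    "http://grapheneos.online/gen_204",
    "http://grapheneos.online/generate_204",
]

# host -> set of paths the checker requests; we match host AND path so that
# ordinary browsing to www.google.com is not mistaken for a connectivity check.
CHECK_ENDPOINTS: dict[str, set[str]] = {}
for _url in CONNECTIVITY_CHECK_URLS:
    _parts = urlsplit(_url)
    CHECK_ENDPOINTS.setdefault(_parts.hostname, set()).add(_parts.path)

# Assumption: the VPN tunnel interface is named tun0 (common for Android VPN apps).
TUNNEL_IFACE_PREFIX = "tun"


def parse_line(line: str) -> tuple[str, str, str] | None:
    """Split "<iface> <host> <path>"; return None for blank or malformed lines."""
    fields = line.split()
    if len(fields) != 3:
        return None
    iface, host, path = fields
    return iface, host.lower(), path


def is_connectivity_check(host: str, path: str) -> bool:
    """True if host+path is one of the known connectivity-check endpoints."""
    return path in CHECK_ENDPOINTS.get(host, set())


def find_leaks(log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (iface, host, path) for connectivity checks that bypassed the tunnel."""
    leaks = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        iface, host, path = rec
        if iface.startswith(TUNNEL_IFACE_PREFIX):
            continue  # went through the VPN: not a leak
        if is_connectivity_check(host, path):
            leaks.append(rec)
    return leaks


# Constructed sample: a device joins Wi-Fi (wlan0) while the VPN (tun0) is up
# and the stock connectivity checks are still enabled.
SAMPLE_LOG = [
    "tun0 example.org /index.html",
    "wlan0 connectivitycheck.gstatic.com /generate_204",
    "wlan0 www.google.com /gen_204",
    "tun0 www.google.com /generate_204",
    "wlan0 www.google.com /search",
    "not a valid line",
]

if __name__ == "__main__":
    for iface, host, path in find_leaks(SAMPLE_LOG):
        print(f"connectivity check outside tunnel: {iface} {host}{path}")
```

An empty result from find_leaks after applying the guide is the evidence the commenter below who wants "some way to test" is looking for; a non-empty one means the checks (or a VPN app's own probes) are still leaving via the physical interface.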

Now You: do you use VPN connections on your mobile devices?

Publisher: Ghacks Technology News

Comments

  1. Bonzo said on October 15, 2022 at 1:03 pm

    “Won’t fix” =) We are very angry with you for discovering this and disclosing it to the public, we’re gonna sue your ass into oblivion – Google.
    So yeah, there go the last tiny particles of privacy credibility on Android. Or is this only on stock Android, meaning: can/do custom ROM developers remove this “feature”?

    1. Anonymous said on October 15, 2022 at 4:03 pm

      Yes, custom ROMs can disable this. Mullvad notes in their article that GrapheneOS allows users to disable these checks.

    2. technoviking said on October 15, 2022 at 4:38 pm

      I believe GrapheneOS is the only custom ROM that allows you to change or disable connectivity checks.

      From the following website: https://grapheneos.org/faq

      “You can change the connectivity check URLs via the Settings → Network & Internet → Internet connectivity check setting. At the moment, it can be toggled between the GrapheneOS servers (default), the standard Google servers used by billions of other Android devices or disabled.

      By default, the GrapheneOS connectivity check servers are used via the following URLs:

      HTTPS: https://connectivitycheck.grapheneos.network/generate_204
      HTTP: http://connectivitycheck.grapheneos.network/generate_204
      HTTP fallback: http://grapheneos.online/gen_204
      HTTP other fallback: http://grapheneos.online/generate_204

      Changing this to the Standard (Google) mode will use the same URLs used by AOSP and the stock OS along with the vast majority of other devices, blending in with billions of other Android devices both with and without Play services:

      HTTPS: https://www.google.com/generate_204
      HTTP: http://connectivitycheck.gstatic.com/generate_204
      HTTP fallback: http://www.google.com/gen_204
      HTTP other fallback: http://play.googleapis.com/generate_204

      GrapheneOS also adds the ability to fully disable the connectivity checks. This results in the OS no longer handling captive portals itself, not falling back to other networks when some don’t have internet access and not being able to delay scheduled jobs depending on internet access until it becomes available.”

      1. Bonzo said on October 15, 2022 at 5:48 pm

        Shame GrapheneOS is for Pixel phones only, can’t even buy those in Scandinavia. I have never met a person who has owned a Pixel phone at any point in time, come to think of it I have not ever met a person that has even seen a Pixel phone in real life. That’s how great they are.

      2. technoviking said on October 16, 2022 at 4:10 am

        Look on eBay or some sort of similar website if you want to purchase a Pixel. That’s what I had to do.

        There are several reasons why GrapheneOS is only available for Pixel phones, as outlined here, mainly revolving around the inherent security offered by the Tensor chip and verified boot.

      3. Bonzo said on October 16, 2022 at 3:53 pm

        @technoviking
        This looks rather interesting https://simplephone.tech/

        @joe
        Crawl back to wherever you came from.

      4. joe said on October 16, 2022 at 11:59 am

        You can buy them in Scandinavia. Where have you been the last two weeks? Under a rock?

      5. technoviking said on October 16, 2022 at 4:01 pm

        “Where have you been the last two weeks? Under a rock?”

        That’s entirely plausible. There were a lot of large rocks in Scandinavia the last time I visited.

      6. Pixel said on October 20, 2022 at 5:33 am

        After seeing articles about iPhone leaking and Android leaking, I got a Pixel 7. Over 400 in trade-in for an XR, that was a good deal.

  2. Anonymous said on October 15, 2022 at 3:10 pm

    Oh good!

  3. Skyflakes said on October 15, 2022 at 4:01 pm

    Do the guys at Mullvad realize that each Android phone is equipped with a Qualcomm modem that is basically a full computer, with its own CPU, RAM and OS?

    It is a separate entity that connects, diagnoses traffic and does many things that are not controlled by the phone OS or its SoC. When you disable WiFi (or Bluetooth) you are just telling the OS not to connect to the Qualcomm modem, but the modem itself is always alive (same concept with Always-On VPN: traffic of the Qualcomm modem is not part of the phone OS, aka not part of the VPN).

    On the PC side, it’s the equivalent of a modern router that has its own internet traffic (firmware, diagnosis, security checks, etc.).

    Also, your custom Android ROM rules don’t apply to the modem.

  4. Tachy said on October 15, 2022 at 5:51 pm

    Are people really this gullible?

    Cell phones are purposely designed and built to gather and send home as much data as they can about everything within their signal range.

    Calling a function a leak is just irresponsible clickbait.

    1. Joe Hardy said on October 16, 2022 at 1:21 am

      I agree. All the devices we use are designed to be data collectors. It’s impossible to get off the grid. It’s not right but the genie is out of the bottle. You have to manage your spending and not respond to the pressure and manipulation to consume mindlessly. That’s the only weapon left.

  5. Andy Prough said on October 15, 2022 at 6:26 pm

    I don’t think this works against the Netguard app. I’ve noticed that while using Netguard, the captive portals for public WiFi networks were not available.

    Also, I don’t think that entering 3 adb shell commands is actually all that difficult. Most regular users could figure out how to change the config by following steps on a video. I’m sure that some of the privacy-oriented YouTubers like Mental Outlaw and SwitchedToLinux will put up how-to videos soon.

  6. iOs too said on October 15, 2022 at 6:35 pm

    iOS leaks information too. I’m waiting for them to fix that bug or planned feature.

    https://forums.macrumors.com/threads/ios-16-vpn-tunnels-leak-data-even-when-lockdown-mode-is-enabled.2365399/

  7. jan said on October 15, 2022 at 9:00 pm

    > The data connections that happen outside of the boundaries of the VPN connection are done by purpose.

    That is obvious.

    > The company reported the issue to Google, which responded with a “won’t fix” status for the issue, stating that it is intended behavior.
    > “We have looked into the feature request you have reported and would like to inform you that this is working as intended. We do not think such an option would be understandable by most users, so we don’t think there is a strong case for offering this.”

    Google playing god who knows it all.

    Most likely the result of pressure from Nat Security Agency.

  8. Dennis said on October 16, 2022 at 1:24 am

    This is not good news, but I’m not surprised this happens….

    I’ve ExpressVPN on my mobile and I use the Split Tunneling option allowing only a very few selected apps to use the VPN for internet access, then in Android Settings enabling both Always-on VPN and Block connections without VPN in perhaps a futile attempt to stop this sort of behaviour. These are not the recommended settings as it defeats the stated purpose of Split Tunneling, but it seems to work as something of a firewall in this configuration, blocking internet access for all other apps, *as far as I can tell*, but I can’t say this limits background connections from the system or other apps, though…..

    One can’t use NetGuard and a VPN together because there’s only a single network slot in Android for one or the other…..

    1. Andy Prough said on October 16, 2022 at 3:00 am

      >”One can’t use NetGuard and a VPN together because there’s only a single network slot in Android for one or the other”

      Just use Tor Browser if you need to use Netguard and hide your IP address.

  9. Alex said on October 16, 2022 at 5:33 am

    Thanks for the article, Martin. Just in time. I was just about to configure my devices with a VPN.
    Time to brush up on my ADB knowledge.

  10. Janne said on October 16, 2022 at 7:45 am

    “Most users”. Who cares about that, other than normie-friendly Google? Are they serious about this? (Yes.) This “think that they are as stupid as they can be” mentality needs to be stopped at Google. Those who apply this kind of mentality can go work at Apple and leave Android for users who care about features and privacy.

  11. Graham said on October 16, 2022 at 4:46 pm

    What about Tor browser on top of VPN? Does that accomplish anything to eliminate this data “leak”?

  12. plusminus_ said on October 16, 2022 at 7:23 pm

    Ah, checked my settings and found I had already changed my captive portal settings to use Mr. Kuketz’ checker, which I found in this list of alternative checkers: https://gearjail.neocities.org/cp-provider.html

    I was reluctant to disable captive portal mode completely but I almost never use public Wi-Fi anyway!

  13. Anonymous said on October 16, 2022 at 8:43 pm

    People who pretend they are ‘safer’ because they are paying to let all their traffic go through some random server they don’t know anything about deserve any data to leak.
    And you know how you have to create an account, which can already identify you, and provide billing information.
    It’s just like when they scream “password manager”, which requires them to do the same: trust random servers and hand personal information away from their physical device, so they have no control over it.

  14. Chris said on October 17, 2022 at 9:30 am

    If you’re serious about privacy and security, just run GrapheneOS…

  15. Dennis said on October 17, 2022 at 7:50 pm

    Last evening, I sacked up and disabled connectivity checks on my Android mobile following the directions from Mullvad in the link above. It wasn’t difficult at all! (I’m now tempted to try rooting this thing, again, so I can remove even more Google cooties…)

    Now, I need some way to test if I’ve actually accomplished anything…

    I suppose I could venture into town and wander about to find a public wi-fi connection with a captive portal, which I expect to be unable to access now… This is the part that seems to be the most daunting!
