Mullvad: Android may leak information when connected to a VPN
Privacy-focused VPN provider Mullvad has discovered that Android devices may leak information while connected to a VPN, and that the leak cannot be prevented through the operating system's own settings.
According to Mullvad, Android performs connectivity checks outside of the VPN tunnel whenever a device connects to a wireless network. What makes this worse is that it happens even when the security feature "Block connections without VPN" is enabled on the device.
These connections outside the boundaries of the VPN tunnel are made on purpose. Mullvad gives the example of captive portals, which require users to authenticate before the network grants connectivity. Most Android users probably want these checks, Mullvad notes.
The leak nevertheless raises privacy concerns for some. Users may assume that their connection is protected against leaks whenever they use a VPN on Android. The entity that controls the connectivity check server, as well as anyone monitoring the network traffic, can obtain the data. The metadata includes the source IP address and may be used to "derive further information", according to Mullvad, although the company notes that this would require a "sophisticated actor".
Android offers no user-facing option to disable traffic that happens outside the VPN tunnel. Mullvad has published a guide on disabling connectivity checks on Android; it requires development tools and is technical in nature.
The company reported the issue to Google, which responded with a "won't fix" status for the issue, stating that it is intended behavior.
"We have looked into the feature request you have reported and would like to inform you that this is working as intended. We do not think such an option would be understandable by most users, so we don't think there is a strong case for offering this."
Google's main arguments are that other traffic is also exempt from the VPN, that some VPNs may rely on the connectivity information, and that little data is revealed during these checks. Mullvad argues that the leaked data matters to some users, and that those users should get an option to block any leaky traffic if they want to.
Android users who need full protection against leaks have only one option: modifying the device by following Mullvad's guide to block these connections.
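One way to verify whether connectivity checks are still leaving the device outside the tunnel is to capture traffic on a rooted device and look for requests to the stock check URLs on a non-VPN interface. The script below is an added example, not Mullvad's guide or code; it runs over a constructed, simplified capture (one record per line: interface, source IP, URL) and assumes tun0 is the VPN interface and wlan0 the Wi-Fi interface.

```python
"""Flag Android connectivity-check requests that bypass the VPN tunnel."""
from urllib.parse import urlsplit

# Stock AOSP/Google connectivity-check URLs used by the default Android build.
STOCK_CHECK_URLS = [
    "https://www.google.com/generate_204",
    "http://connectivitycheck.gstatic.com/generate_204",
    "http://www.google.com/gen_204",
    "http://play.googleapis.com/generate_204",
]

VPN_IFACES = {"tun0"}  # assumption: name of the VPN tunnel interface


def check_endpoints(urls=STOCK_CHECK_URLS):
    """Return the (host, path) pairs that identify a connectivity check."""
    return {(urlsplit(u).hostname, urlsplit(u).path) for u in urls}


def parse_record(line):
    """Parse 'iface src_ip url'; return None for malformed records."""
    parts = line.split()
    if len(parts) != 3:
        return None
    iface, src_ip, url = parts
    u = urlsplit(url)
    if not u.hostname:
        return None
    return iface, src_ip, u.scheme, u.hostname, u.path


def find_leaks(lines, endpoints=None, vpn_ifaces=VPN_IFACES):
    """Return connectivity checks that left on an interface outside the VPN.

    Each hit records the interface, the exposed source IP (the metadata the
    check server and any on-path observer can see) and whether the request
    was plaintext HTTP.
    """
    endpoints = endpoints or check_endpoints()
    leaks = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # skip malformed capture lines rather than crash
        iface, src_ip, scheme, host, path = rec
        if (host, path) in endpoints and iface not in vpn_ifaces:
            leaks.append({"iface": iface, "src_ip": src_ip, "host": host,
                          "path": path, "plaintext": scheme == "http"})
    return leaks


SAMPLE_CAPTURE = [  # constructed sample, not a real capture
    "wlan0 192.168.1.23 http://connectivitycheck.gstatic.com/generate_204",
    "tun0 10.64.0.2 https://www.google.com/generate_204",
    "wlan0 192.168.1.23 https://example.com/",
    "wlan0 192.168.1.23 http://www.google.com/gen_204",
    "malformed line",
]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_CAPTURE):
        print("connectivity check outside tunnel:", leak)
```

An empty result after applying Mullvad's guide means no stock check requests were seen on the Wi-Fi interface in the captured window; the same request over tun0 is expected and is not reported.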
Now You: do you use VPN connections on your mobile devices?
Root the device with Magisk, add a module called “Magisk Captive Control,” and change your connectivity server from Google to Kuketz IT-Security or disable it altogether.
Last evening, I sacked up and disabled connectivity checks on my Android mobile following the directions from Mullvad in the link above. It wasn’t difficult at all! (I’m now tempted to try rooting this thing, again, so I can remove even more Google cooties…)
Now, I need some way to test if I’ve actually accomplished anything…
I suppose I could venture into town and wander about to find a public wi-fi connection with a captive portal, which I expect to be unable to access now… This is the part that seems the most daunting!
If you’re serious about privacy and security, just run GrapheneOS…
People who pretend they are ‘safer’ because they are paying to let all their traffic go through some random server they don’t know anything about, deserve any data to leak.
And you know, you have to create an account, which already can identify you, and provide billing information.
It’s just like when they scream “password manager”, which requires them to do the same: trust random servers and provide personal information away from their physical device, so they have no control over it.
Mullvad requires no personal information, not even an email address. You create an account, which is a randomly generated number, and you can add time with cryptocurrency. Create a crypto wallet and use the same wallet for adding time to Mullvad and nothing else. When you run out of time, ditch that account and create a new one.
Ah, checked my settings and found I had already changed my captive portal settings to use Mr. Kuketz’ checker, which I found in this list of alternative checkers: https://gearjail.neocities.org/cp-provider.html
I was reluctant to disable captive portal mode completely but I almost never use public Wi-Fi anyway!
What about Tor browser on top of VPN? Does that accomplish anything to eliminate this data “leak”?
“Most users.” Who cares about that, other than normie-friendly Google? Are they serious about this (yes). This “think they are as stupid as they can be” mentality needs to be stopped at Google. Those who applied this kind of mentality can go work for Apple and leave Android to users who care about features and privacy.
Thanks for the article, Martin. Just in time. I was just about to configure my devices with a VPN.
Time to brush up on my ADB knowledge.
This is not good news, but I’m not surprised this happens….
I have ExpressVPN on my mobile and I use the Split Tunneling option, allowing only a very few selected apps to use the VPN for internet access, then in Android Settings I enable both Always-on VPN and Block connections without VPN in a perhaps futile attempt to stop this sort of behaviour. These are not the recommended settings, as it defeats the stated purpose of Split Tunneling, but it seems to work as something of a firewall in this configuration, blocking internet access for all other apps, *as far as I can tell*, but I can’t say this limits background connections from the system or other apps, though…
One can’t use NetGuard and a VPN together because there’s only a single network slot in Android for one or the other…
>”One can’t use NetGuard and a VPN together because there’s only a single network slot in Android for one or the other”
Just use Tor Browser if you need to use Netguard and hide your IP address.
The data connections that happen outside of the boundaries of the VPN connection are done by purpose.
That is obvious
The company reported the issue to Google, which responded with a “won’t fix” status for the issue, stating that it is intended behavior.
“We have looked into the feature request you have reported and would like to inform you that this is working as intended. We do not think such an option would be understandable by most users, so we don’t think there is a strong case for offering this.”
Google playing god who knows it all.
Most likely the result of pressure from Nat Security Agency.
iOS leaks information too. I am waiting for a fix for that bug or planned feature.
https://forums.macrumors.com/threads/ios-16-vpn-tunnels-leak-data-even-when-lockdown-mode-is-enabled.2365399/
I don’t think this works against the Netguard app. I’ve noticed that while using Netguard, the captive portals for public WiFi networks were not available.
Also, I don’t think that entering 3 adb shell commands is actually all that difficult. Most regular users could figure out how to change the config by following the steps in a video. I’m sure that some of the privacy-oriented YouTubers like Mental Outlaw and SwitchedToLinux will put up how-to videos soon.
Are people really this gullible?
Cell phones are purposely designed and built to gather and send home as much data as they can about everything within their signal range.
Calling a function a leak is just irresponsible clickbait.
I agree. All the devices we use are designed to be data collectors. It’s impossible to get off the grid. It’s not right but the genie is out of the bottle. You have to manage your spending and not respond to the pressure and manipulation to consume mindlessly. That’s the only weapon left.
Do the guys at Mullvad realize that each Android phone is equipped with a Qualcomm modem that is basically a full computer, with its own CPU, RAM and OS?
It is a separate entity that connects, diagnoses traffic and does many things that are not controlled by the phone OS or its SoC. When you disable WiFi (or Bluetooth) you are just telling the OS not to connect to the Qualcomm modem, but the modem itself is always alive (same concept with Always-On VPN: the traffic of the Qualcomm modem is not part of the phone OS, aka not part of the VPN).
On the PC side, it’s the equivalent of a modern router that has its own internet traffic (firmware, diagnostics, security checks, etc.).
Also, your custom Android ROM rules don’t apply to the modem.
Oh good!
“Won’t fix” =) We are very angry with you for discovering this and disclosing it to the public, we’re gonna sue your ass into oblivion – Google.
So yeah, there go the last tiny particles of privacy credibility on Android. Or is this only on stock Android, meaning: can/do custom ROM developers remove this “feature”?
I believe GrapheneOS is the only custom ROM that allows you to change or disable connectivity checks.
From the following website: https://grapheneos.org/faq
“You can change the connectivity check URLs via the Settings > Network & Internet > Internet connectivity check setting. At the moment, it can be toggled between the GrapheneOS servers (default), the standard Google servers used by billions of other Android devices or disabled.
By default, the GrapheneOS connectivity check servers are used via the following URLs:
HTTPS: https://connectivitycheck.grapheneos.network/generate_204
HTTP: http://connectivitycheck.grapheneos.network/generate_204
HTTP fallback: http://grapheneos.online/gen_204
HTTP other fallback: http://grapheneos.online/generate_204
Changing this to the Standard (Google) mode will use the same URLs used by AOSP and the stock OS along with the vast majority of other devices, blending in with billions of other Android devices both with and without Play services:
HTTPS: https://www.google.com/generate_204
HTTP: http://connectivitycheck.gstatic.com/generate_204
HTTP fallback: http://www.google.com/gen_204
HTTP other fallback: http://play.googleapis.com/generate_204
GrapheneOS also adds the ability to fully disable the connectivity checks. This results in the OS no longer handling captive portals itself, not falling back to other networks when some don’t have internet access and not being able to delay scheduled jobs depending on internet access until it becomes available.”
Shame GrapheneOS is for Pixel phones only, can’t even buy those in Scandinavia. I have never met a person who has owned a Pixel phone at any point in time, come to think of it I have not ever met a person that has even seen a Pixel phone in real life. That’s how great they are.
You can buy them in Scandinavia. Where have you been the last two weeks? Under a rock?
After seeing articles about iPhone leaking and Android leaking, I got a Pixel 7, over 400 in trade-in for an XR. That was a good deal.
“Where have you been the last two weeks? Under a rock?”
That’s entirely plausible. There are a lot of large rocks in Scandinavia the last time I visited.
Look on eBay or some sort of similar website if you want to purchase a Pixel. That’s what I had to do.
There are several reasons why GrapheneOS is only available for Pixel phones, as outlined here, mainly revolving around the inherent security offered by the Tensor chip and verified boot.
@technoviking
This looks rather interesting https://simplephone.tech/
@joe
Crawl back to wherever you came from.
Yes, custom ROMs can disable this. Mullvad notes in their article that GrapheneOS allows users to disable these checks.