Mullvad: Android may leak information when connected to a VPN
Secure and private VPN provider Mullvad discovered that Android devices may leak information while connected to a VPN service, and that the leak can't be prevented.
According to Mullvad, Android performs connectivity checks outside of the VPN tunnel when devices connect to wireless networks. What makes this even worse is that this happens even if the security feature "Block connections without VPN" is enabled on the device.
The data connections that happen outside of the boundaries of the VPN connection are made on purpose. Mullvad gives the example of captive portals on networks, which require that users authenticate before connectivity becomes available. Most Android users may want these checks, Mullvad notes.
The leaking of information raises privacy concerns for some. Users may believe that their connection is protected against leaks when they use VPNs on Android. The entity that controls the connectivity check server and any entity that is monitoring networking traffic may obtain the data. The metadata includes the source IP address and may be used to "derive further information", according to Mullvad; this would require a "sophisticated actor" according to the company.
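One way to check a capture for this kind of traffic, as an added example that is not from Mullvad or the original article: the script below reads packet lines in the style of `tcpdump -i any -n` output and reports outbound packets that left on the physical interface without being addressed to the VPN server. The interface names `wlan0` and `tun0`, the addresses, and the sample capture are constructed assumptions.

```python
import re

# Constructed sample capture (documentation address ranges, not real traffic).
# 203.0.113.10:51820 stands in for the VPN server; tun0 is the tunnel interface.
SAMPLE_CAPTURE = """\
12:00:01.000100 wlan0 Out IP 192.168.1.23.51820 > 203.0.113.10.51820: UDP, length 148
12:00:01.000200 tun0  Out IP 10.64.0.2.40112 > 198.51.100.7.443: Flags [S], length 0
12:00:01.250000 wlan0 Out IP 192.168.1.23.38412 > 192.0.2.80.80: Flags [S], length 0
12:00:01.260000 wlan0 In  IP 192.0.2.80.80 > 192.168.1.23.38412: Flags [S.], length 0
12:00:01.400000 wlan0 Out IP 192.168.1.23.44021 > 192.0.2.80.443: Flags [S], length 0
12:00:02.000100 wlan0 Out IP 192.168.1.23.51820 > 203.0.113.10.51820: UDP, length 96
"""

# timestamp, interface, direction, then "IP src.port > dst.port:"
LINE_RE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def find_leaks(capture, tunnel_iface, vpn_endpoint):
    """Return outbound packets sent outside the tunnel.

    A packet counts as outside the tunnel when it leaves on an interface
    other than the tunnel (or loopback) and is not addressed to the VPN
    server itself. Such packets carry the device's real source address.
    """
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IPv4 packet line in the expected format
        if m["dir"] != "Out" or m["iface"] in (tunnel_iface, "lo"):
            continue  # inbound, or already inside the tunnel
        if (m["dst"], int(m["dport"])) == vpn_endpoint:
            continue  # encrypted tunnel packets to the VPN server
        leaks.append({"iface": m["iface"], "src": m["src"],
                      "dst": m["dst"], "dport": int(m["dport"])})
    return leaks


if __name__ == "__main__":
    for pkt in find_leaks(SAMPLE_CAPTURE, "tun0", ("203.0.113.10", 51820)):
        print("outside tunnel: {src} -> {dst}:{dport} via {iface}".format(**pkt))
```

An empty result over a capture that spans a Wi-Fi reconnect is what a device with no traffic outside the tunnel would produce.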
Android does not include user-facing options to disable traffic that is happening outside the VPN tunnel. Mullvad published a guide on disabling connectivity checks on Android. It requires development tools and is technical in nature.
The company reported the issue to Google, which responded with a "won't fix" status for the issue, stating that it is intended behavior.
"We have looked into the feature request you have reported and would like to inform you that this is working as intended. We do not think such an option would be understandable by most users, so we don't think there is a strong case for offering this."
Google's main arguments are that other traffic is also exempt from this, that some VPNs might use the connectivity information, and that little data is revealed during these checks. Mullvad argues that the leaking of data matters to some users, and that these users should get an option to block any leaky traffic if they want to.
Android users who need full protections against leaks have only one option: to modify the device using Mullvad's guide to block these connections from happening.
Now You: do you use VPN connections on your mobile devices?