mullvad vpn I identified a shuffle during a recent security audit, where I reported a data leak also when the “Block connections without VPN (or secure VPN)” and/or “VPN always on” options are enabled.
The data disclosed during the connection check includes real people data IP addressesDNS lookups, HTTPS and NTP traffic.
However, the leak does not appear to be a malfunction. In response to the provider’s questions, Google clarified that both features work as intended.
Android is leaking traffic when the connection check is running and you can’t and can’t block VPN services, https://t.co/FPhhqyYXiiOctober 10 2022
Android is characterized by deceiving VPN users
a vpn It is a tool that people use, among other things, to encrypt their internet traffic while masking their real IP location. This allows access to censored sites, avoids bandwidth throttling and secures online anonymity – the last point is especially important on public Wi-Fi connections.
However, some wireless networks (such as hotel Wi-Fi or public transportation, for example) may require that the connection be verified before the connection is established. This is exactly what happens on these occasions Android VPN Services Some traffic details are leaked, whether or not the option to block unprotected connections is activated.
Mullvad VPN wrote in a Blog Posts (Opens in a new tab). “However, this can be a privacy concern for some users with certain threat models.”
next request mulvad (Opens in a new tab) For an additional option to disable these connection checks when “Secure VPN” is turned on, Google’s developers explained that the leak is actually a design choice.
Specifically, the company claims that some VPN apps rely on these checks to function properly. The developers also said there are other exemptions that could be more serious, such as those applied to some premium apps. They also believe that the impact on users’ privacy is minimal.
After taking into account the points raised by Google, Mullvad still believes that the proposed additional feature may be useful to users. Most importantly, the provider makes contact with the tech giant at least Be more transparent about its features.
Even if you are fine with some of the traffic exiting the VPN tunnel, we believe the setting name (“Block Connections Without VPN”) and Android documentation (Opens in a new tab) Those around it are misleading. The impression the user gets is that no phone traffic will leave except through the VPN.”
What are the risks for Android users?
According to Google, privacy risks are essentially non-existent for most people. However, Mullvad argues that the exposed metadata may be enough for experienced hackers to de-anonymize this information and track users.
“The connection scan traffic can be observed and analyzed by the controlling party of the connection scan server and any entity that monitors network traffic,” he explained. secure vpn Provider.
Even if the message content reveals nothing more than “some connected Android device,” the metadata (which includes the source IP address) can be used to derive more information, especially if combined with data such as Wi-Fi access point locations. “
This may not be suitable for ordinary users, but it may negatively affect those for whom privacy is paramount. After all, it is possible that they have turned on the VPN security feature exactly for this reason.
Pro radar technology You contacted Google for more information, but did not receive an immediate response.