A recent discovery by a user of Mullvad VPN has revealed a privacy concern for Android device users.
Despite the activation of the “Always-on VPN” feature, which is intended to maintain a VPN connection at all times, and the “Block connections without VPN” setting, which acts as a kill switch to ensure network traffic only passes through the VPN, Android devices have been found to leak DNS queries when switching between VPN servers.
The issue was first noticed on April 22 and appears to affect devices running the latest Android OS version, Android 14. The leak occurs when applications call the ‘getaddrinfo’ C function directly (the libc routine that translates text hostnames into IP addresses). This bug leads to DNS traffic being exposed when the VPN is active without a configured DNS server, or while the VPN application is reconfiguring the tunnel, crashes, or stops.
Mullvad clarified that apps relying solely on Android’s API, such as DnsResolver, do not exhibit this leaking behavior. However, apps like the Chrome browser that can use ‘getaddrinfo’ directly are susceptible to the issue. This finding is concerning because it goes against the expected behavior of the operating system, even when security features are enabled.
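The practical check a defender wants here is whether a name resolved through ‘getaddrinfo’ ever shows up as a DNS query on the physical interface instead of the tunnel. The following is an added example, not code from Mullvad or the article: it builds a DNS query for a constructed canary hostname, parses the question name out of captured DNS payloads, and flags any query seen on an interface other than the assumed tunnel name `tun0`. In practice the capture records would come from a packet capture on the phone’s Wi-Fi or mobile interface taken while switching VPN servers; here they are constructed inline.

```python
import struct

VPN_IFACE = "tun0"                       # assumption: VPN tunnel interface name
CANARY = "leaktest-7f3a.example.net"     # constructed canary hostname, unique per test

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query in RFC 1035 wire format (header + one question)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_qname(payload: bytes) -> str:
    """Return the first question name from a DNS message.

    Queries carry uncompressed names; a compression pointer here means the
    payload is not a plain query, so we refuse rather than mis-parse it.
    """
    pos, parts = 12, []            # question section starts after the 12-byte header
    while True:
        n = payload[pos]
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compressed name in question section")
        parts.append(payload[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(parts)

def find_leaks(records, vpn_iface: str = VPN_IFACE):
    """records: iterable of (iface, dst_port, payload) for captured packets.

    With always-on VPN and the kill switch enabled, every DNS query should
    leave via the tunnel, so any port-53 packet on another interface is a leak.
    Returns a list of (iface, qname) for each leaked query.
    """
    leaks = []
    for iface, dport, payload in records:
        if dport != 53 or iface == vpn_iface:
            continue
        leaks.append((iface, parse_qname(payload)))
    return leaks

# Constructed capture: one query correctly sent through the tunnel, and the
# canary query escaping on wlan0 during a server switch (the leak described above).
SAMPLE_CAPTURE = [
    ("tun0", 53, build_query("example.com")),
    ("wlan0", 53, build_query(CANARY)),
]

if __name__ == "__main__":
    for iface, name in find_leaks(SAMPLE_CAPTURE):
        print(f"DNS leak: {name} queried on {iface} instead of {VPN_IFACE}")
```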
Considering the severity of this privacy issue, users may want to exercise caution when using Android devices for sensitive tasks or employ additional protective measures until Google addresses the bug and issues a patch for both current and older versions of the Android OS.
Source: Bleeping Computer