Mullvad VPN revealed that Android will still leak traffic every time a mobile device connects to WiFi, even if the “Always-on VPN” and “Block connections without VPN” is turned on.

Apparently, this behavior is standard in the Android operating system and was put there by design. However, many Android users may not be aware of it because of the inaccurate description of VPN lockdown in the Android documentation.

The issue was discovered by Mullvad VPN during a security audit. The VPN provider then released the warning to spread awareness and get the attention of Google to do something about it.

VPNs, or virtual private networks, are used to get around internet censorship and throttling. What’s more, they let users keep their privacy and anonymity while browsing the web. Here’s a full explanation if you need it.

Android devices have a native feature that blocks network connections until a VPN is in use. The goal is to prevent the user’s IP address, which can reveal their identity, from being accidentally leaked.

However, this feature is not absolute: it has to allow for special cases such as connecting to a mall’s WiFi, where the device must first detect a captive portal before the user can log in.

This is apparently why Android was designed to leak some data when connecting to a new WiFi network, even when “Block connections without VPN” is enabled.
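To make that leak concrete, here is an added example (not code from Mullvad, Google or the original article) that scans constructed tcpdump-style lines captured on a phone’s WiFi interface and flags connectivity-check DNS and HTTP requests that left the device outside the VPN tunnel while lockdown was supposed to be on. The check hostnames, the `tun0` tunnel interface name and the simplified line format are assumptions.

```python
"""Audit capture lines from an Android device for connectivity-check traffic
that bypassed the VPN tunnel (the behaviour Mullvad reported)."""
import re
from dataclasses import dataclass

# Assumption: hostnames the Android connectivity check talks to by default;
# adjust to match your device or ROM. Tunnel interface name is also assumed.
CHECK_HOSTS = {"connectivitycheck.gstatic.com", "www.google.com"}
TUNNEL_IFACES = {"tun0"}

# Constructed, simplified `tcpdump -i any`-style lines: "<time> <iface> Out IP <src> > <dst>.<port>: ..."
DNS_RE = re.compile(r"^\S+\s+(?P<iface>\S+)\s+Out\s+IP\s+\S+\s+>\s+\S+\.53:\s+A\?\s+(?P<host>[\w.-]+)$")
HTTP_RE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+Out\s+IP\s+\S+\s+>\s+\S+\.80:\s+GET\s+\S+\s+HTTP/1\.[01]\s+Host:\s+(?P<host>[\w.-]+)"
)

@dataclass
class Finding:
    iface: str  # physical interface the packet left on
    kind: str   # "dns" or "http"
    host: str   # connectivity-check host contacted

def find_leaks(lines):
    """Return connectivity-check requests sent on a non-tunnel interface.

    Only check-host traffic is reported: with lockdown on, that is the one
    class of traffic Android deliberately lets out; anything else seen on the
    WiFi interface would point at a different problem and is left for other tooling.
    """
    findings = []
    for line in lines:
        for kind, rx in (("dns", DNS_RE), ("http", HTTP_RE)):
            m = rx.match(line.strip())
            if not m:
                continue
            host = m["host"].rstrip(".").lower()  # DNS names carry a trailing dot
            if host in CHECK_HOSTS and m["iface"] not in TUNNEL_IFACES:
                findings.append(Finding(m["iface"], kind, host))
    return findings

# Constructed sample: two checks leak via wlan0, one goes through the tunnel, one is unrelated.
SAMPLE_LINES = [
    "12:00:01.000 wlan0 Out IP 192.168.1.23.54321 > 192.168.1.1.53: A? connectivitycheck.gstatic.com.",
    "12:00:01.100 wlan0 Out IP 192.168.1.23.43210 > 203.0.113.10.80: GET /generate_204 HTTP/1.1 Host: connectivitycheck.gstatic.com",
    "12:00:02.000 tun0 Out IP 10.8.0.2.50000 > 10.8.0.1.53: A? connectivitycheck.gstatic.com.",
    "12:00:03.000 wlan0 Out IP 192.168.1.23.51000 > 192.168.1.1.53: A? example.net.",
]

if __name__ == "__main__":
    for f in find_leaks(SAMPLE_LINES):
        print(f"LEAK outside tunnel: {f.kind} to {f.host} via {f.iface}")
```

On a real device the same logic can be run over a capture taken while toggling WiFi with lockdown enabled; what it reports is the metadata Mullvad describes (source IP and timing of the check), which is visible to the check server and to anyone on the path.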

Mullvad VPN is asking Google to give Android an option to disable connectivity checks.

“This option should be added as the current VPN lockdown behavior is to leak connectivity check traffic (see this issue for incorrect documentation) which is not expected and might impact user privacy,” says Mullvad.

However, an engineer from Google has already responded that they won’t fix the issue, because many VPNs actually rely on the results of the connectivity checks in order to function.

The engineer added that “The checks are neither the only nor the riskiest exemptions from VPN connections,” and, “the privacy impact is minimal, if not insignificant because the leaked information is already available from the L2 connection.”

Mullvad then countered by saying that “the connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic.”

“Even if the content of the message does not reveal anything more than “some Android device connected”, the metadata (which includes the source IP) can be used to derive further information, especially if combined with data such as WiFi access point locations,” the VPN provider added.

Mullvad added that if Google really doesn’t plan to fix it, it should at least correct the documentation to state that “Connectivity Checks” are not protected or covered by the “Block Connections without VPN” feature.

Via: Bleeping Computer
