Android Leaks Wi-Fi Traffic Even When VPN Protection Features Are On


Android devices leak certain traffic when connected to a Wi-Fi network, even when features meant to protect data sent over the public Internet through virtual private networks (VPNs) are enabled.

The issue could poke a hole in a user’s ability to remain anonymous when using a VPN to encrypt data being sent from an Android device over a public Wi-Fi network, allowing a would-be attacker to monitor a user’s traffic and even pinpoint someone’s location, researchers noted.

A security audit conducted by Mullvad VPN identified the issue, which it reported to Google's Android team. It found that the Android mobile OS — which has nearly 3 billion users worldwide — is sending connectivity checks outside the VPN tunnel.

“It does this every time the device connects to a Wi-Fi network, even when the Block connections without VPN setting is enabled,” they wrote in the post. “The connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic.”

This could allow a threat actor to derive information beyond merely the fact that the Android device is connected, such as a user’s location if “combined with data such as Wi-Fi access point locations,” the Mullvad researchers noted.

Android, for its part, says the function is working as intended, and that no fix is necessary.

Defending Default Behavior

It makes sense for Android to send connectivity check traffic by default, such as when there is a captive portal on the network, the Mullvad researchers acknowledged.

In this case, the connection will be unusable until the user has logged in to it, “so most users will want the captive portal check to happen and allow them to display and use the portal,” the researchers wrote.

Still, as there seems to be no way to prevent Android from leaking traffic, the issue remains unresolved and potentially a risk for some users, the researchers said. Moreover, Android’s current documentation about how the OS blocks connections without a VPN is misleading, they wrote, even if a user is “fine with some traffic going outside the VPN tunnel.”

As it would require a “sophisticated actor” to…
