Android devices are leaking certain traffic when a mobile device is connected to a Wi-Fi network, even when features aimed to protect data being sent over the public Internet by using virtual private networks (VPNs) are enabled.
The issue could poke a hole in a user's ability to remain anonymous when using a VPN to encrypt data being sent from an Android device over a public Wi-Fi network, allowing a would-be attacker to monitor a user's traffic and even pinpoint someone's location, researchers noted.
A security audit conducted by Mullvad VPN identified the issue, which it reported to Google's Android team. It found that the Android mobile OS — which has nearly 3 billion users worldwide — is sending connectivity checks outside the VPN tunnel.
"It does this every time the device connects to a Wi-Fi network, even when the Block connections without VPN setting is enabled," they wrote in the post. "The connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic.
This could allow a threat actor to derive information beyond merely the fact that the Android device is connected, such as a user's location if "combined with data such as Wi-Fi access point locations," the Mullvad researchers noted.
Android, for its part, says the function is working as intended, and that no fix is necessary.
Defending Default Behavior
It makes sense for Android to send connectivity data traffic by default, the Mullvad researchers acknowledged, such as when there is a captive portal on the network, they said.
In this case, the connection will be unusable until the user has logged in to it, "so most users will want the captive portal check to happen and allow them to display and use the portal," the researchers wrote.
Still, as there seems to be no way to prevent Android from leaking traffic, the issue remains unresolved and potentially a risk for some users, the researchers said. Moreover, Android's current documentation about how the OS blocks connections without a VPN is misleading, they wrote, even if a user is "fine with some traffic going outside the VPN tunnel."
As it would require a "sophisticated actor" to use connectivity checks against someone using an Android phone, "most of our users are probably unlikely consider it a significant risk," the researchers acknowledged.
But the feature as currently documented by Android gives a user the impression "that no traffic will leave the phone except through the VPN" when the feature is turned on, which is not the case, the Mullvad researchers said.
Previously, on Sept. 29, Mullvad had posted on Android IssueTracker suggesting a change to the documentation regarding the "Block connections without VPN" feature to alert users to potential data leakage.
To remedy this issue, researchers suggested adding "except connectivity checks" to documentation references that claim the feature allows people using a device or an IT admin to force all traffic to use the VPN, or blocks any network traffic that doesn't use the VPN for clarification. The issue remains pending.
Dark Reading has reached out to Android for comment.
Connection Checks Working as Intended
The researchers reported the mobile system's actual leaking of connectivity data to Android on its IssueTracker message board site. Android responded quickly that it was looking into it.
A Google engineer later defended the current state of the "Block connections without VPN" feature, responding that the status of the issue is "Won't Fix" as "this is working as intended" in a comment posted Oct. 6.
The engineer stated four reasons for declining to add an option in Android to disable connectivity checks. One is that the VPN might be actually relying on the result of these connectivity checks, while another is that the VPN may be a split tunnel, letting part of the traffic over the underlying network, or only affect a given set of apps.
Further, the connectivity checks are far from the only thing exempted from the VPN, as privileged apps can also bypass the VPN, and this is necessary for their operation in many cases, the engineered stated.
Finally, Google's position is that it's unclear as to what specific impact on privacy the issue has, as "connectivity checks reveal there is an Android device at this address, which is plenty clear from the L2 connection and from the traffic going over the VPN anyway," according to the engineer.
Mullvad's point that the leak could pose a threat to some users certainly has validity, especially given the increased interest by state-sponsored threat actors to use spyware and other ways to monitor and even persecute high-profile Android users such as journalists, activists, academics, and politicians.
VPNs are meant to ensure that network connections using them encrypt Internet traffic over public networks, meaning that they use the IP address of a designated VPN service rather than someone's public IP address. This allows high-risk users who know they need extra security when their devices are connected to public Wi-Fi networks to hide their activity from prying eyes.
Mullvad acknowledged that there is nothing that the company or anyone else can do to fix the Android leaks if Google doesn't take action to change the OS.
However, there is one Android-based distribution, GrapheneOS, that gives users the option to disable connectivity checks within the mobile OS, the researchers said. With this feature enabled in devices using the distribution, Mullvad researchers said they could not observe the connections.
In light of this, the researchers reiterated their position that Google consider adopting this same ability to disable connectivity checks into stock Android, they concluded in their post.