An independent security audit has revealed the troubling news that Android is leaking user data every time an Android device connects to a Wi-Fi network when using a VPN.
If that wasn’t bad enough, it also found that the leaks happen even when a user enables the Block connections without VPN or Always-on VPN features.
The issue has been put to Google along with a proposed solution. But astonishingly, a Google engineer has responded, saying the system was deliberately designed this way, and they have no intention of fixing it.
Mullvad VPN’s security audit casts light on Android security issues
The security issue with Android has come to light as a part of a security audit carried out by VPN provider Mullvad VPN.
The full audit has yet to be published, but Mullvad VPN has taken the fairly unusual step of going public with this issue in the hope of applying pressure on Google to do something about it.
The crux of the issue revolves around Android’s options that allow users to block all connections unless they are connected to a VPN. This is intended to prevent accidental leaks of the user’s actual IP address in the event that their VPN connection drops out. It is similar to the built-in kill switch that most reputable VPN providers offer these days.
This feature is important for Android users in hostile countries where internet censorship abounds and VPNs are vital to let people access the internet freely. There are often consequences if they are caught breaking censorship laws, which can include jail time or worse.
However, Mullvad’s audit has discovered that Android can still leak some user data even when this feature is enabled. This includes some seriously compromising data, such as real IP addresses, DNS lookups, HTTPS traffic, and most probably NTP traffic too.
Why does Android do this? Well, there are certain scenarios where it is necessary for an operating system to share some data. Examples of this include when connecting to a public Wi-Fi network or using split tunnelling features.
After uncovering the issue, Mullvad VPN submitted a feature request on Google’s Issue Tracker.
In it, they wrote, “This is a feature request for adding the option to disable connectivity checks while ‘Block connections without VPN’ (from now on lockdown) is enabled for a VPN app.”
“This option should be added as the current VPN lockdown behaviour is to leak connectivity check traffic (see this issue for incorrect documentation) which is not expected and might impact user privacy.”
Remarkably, these concerns have been dismissed by the Google engineer who responded to the request.
They wrote that this was Android’s intended functionality and outlined three main reasons why this was the case:
- Many VPNs actually rely on the results of these connectivity checks to function,
- The checks are neither the only nor the riskiest exemptions from VPN connections,
- The privacy impact is minimal, if not insignificant, because the leaked information is already available from the L2 connection.
Where we are at now
Mullvad has gone back to challenge these points, and, at the time of writing, the issue remains ongoing.
In their blog post explaining their stance, Mullvad VPN wrote that the leaked data could result in sensitive information, such as Wi-Fi access point locations, being available.
They went on to explain that “Even if the content of the message does not reveal anything more than ‘some Android device connected’, the metadata (which includes the source IP) can be used to derive further information, especially if combined with data such as Wi-Fi access point locations.”
Their position is that contrary to what Google has said, some VPN users will consider the risks posed by this issue to be significant.
As well as asking for a fix, they have urged Google to update its Android documentation to make it clear to users that ‘Connectivity Checks’ are not protected by the “Block connections without VPN” feature.
We agree with Mullvad VPN and urge Google to reconsider its stance on this issue. At the very least, we would hope they would make it clear to all users that there are scenarios where data can leak even if the Block connections without VPN or Always-on VPN features are enabled.