Android leaks some traffic even when 'Always-on VPN' is enabled

October 10, 2022

Mullvad VPN has discovered that Android leaks traffic every time the device connects to a WiFi network, even if the "Block connections without VPN," or "Always-on VPN," feature is enabled.

The data being leaked outside VPN tunnels includes source IP addresses, DNS lookups, HTTPS traffic, and likely also NTP traffic.


This behavior is built into the Android operating system and is a design choice. However, Android users likely didn't know this until now due to the inaccurate description of the "VPN Lockdown" feature in Android's documentation.


Mullvad discovered the issue during a security audit that hasn't been published yet, issuing a warning October 10, 2022 to raise awareness on the matter and apply additional pressure on Google.


VPNs on Android


VPNs (virtual private networks) are protected network connections that encrypt internet traffic over public networks. When connected to a VPN, all your Internet connections will use the IP address of your VPN service rather than your public IP address.


This allows users to bypass censorship and throttling, and maintain privacy and anonymity while browsing the web, as the remote hosts will never see your actual IP address.


Android offers a setting under "Network & Internet" to block network connections unless you're using a VPN. This feature is designed to prevent accidental leaks of the user's actual IP address if the VPN connection is interrupted or drops suddenly.

Unfortunately, this feature is undercut by the need to accommodate special cases such as identifying captive portals (like hotel WiFi), which must be checked before the user can log in, or the use of split-tunnel features.


This is why Android is configured to leak some data upon connecting to a new WiFi network, regardless of whether you enabled the "Block connections without VPN" setting.


Mullvad reported the issue to Google, requesting the addition of an option to disable connectivity checks.


"This is a feature request for adding the option to disable connectivity checks while "Block connections without VPN" (from now on lockdown) is enabled for a VPN app," explains Mullvad in a feature request on Google's Issue Tracker.


"This option should be added as the current VPN lockdown behavior is to leak connectivity check traffic (see this issue for incorrect documentation) which is not expected and might impact user privacy."


Unfortunately, a Google engineer responded that this is intended functionality for Android and that it would not be fixed for the following reasons:


  • Many VPNs actually rely on the results of these connectivity checks to function.
  • The checks are neither the only nor the riskiest exemptions from VPN connections.
  • The privacy impact is minimal, if not insignificant, because the leaked information is already available from the L2 connection.


Mullvad countered these points and highlighted the significant benefits of adding the option, even if not all issues will be addressed, and the case remains open.


Potential implications


The traffic that is leaked outside the VPN connection contains metadata that could be used to derive sensitive de-anonymization information, such as WiFi access point locations.


“The connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic,” explains Mullvad in the blog post.


“Even if the content of the message does not reveal anything more than "some Android device connected", the metadata (which includes the source IP) can be used to derive further information, especially if combined with data such as WiFi access point locations.”


While this isn't easy for unsophisticated threat actors, people who use VPNs to protect themselves from persistent attackers would still find the risk significant.


Furthermore, Mullvad explains that even if the leaks are not fixed, Google should at least update the documentation to correctly indicate that 'Connectivity Checks' would not be protected by the "Block connections without VPN" feature.


Mullvad is still debating the significance of the data leak with Google, calling on them to introduce the ability to disable connectivity checks and to minimize the number of points where traffic can escape the tunnel.


Notably, GrapheneOS, an Android-based privacy- and security-focused operating system that runs on a limited number of smartphone models, already provides this option with the intended functionality.


Source: Bleepingcomputer.com
