Secure and private VPN provider Mullvad discovered that Android devices may leak information when connected to VPN services, and that this can’t be prevented.
According to Mullvad’s information, Android uses connectivity checks outside of the VPN tunnel when devices connect to wireless networks. What makes this even worse is that this happens even if the security feature Block connections without VPN is enabled on the device.
The data connections that happen outside of the boundaries of the VPN connection are made on purpose. Mullvad gives the example of captive portals on networks, which require that users authenticate before connectivity becomes available. Most Android users may want these checks, Mullvad notes.
The leaking of information raises privacy concerns for some. Users may believe that their connection is protected against leaks when they use VPNs on Android. The entity that controls the connectivity check server and any entity that is monitoring networking traffic may obtain the data. The metadata includes the source IP address and may be used to “derive further information”, according to Mullvad; this would require a “sophisticated actor” according to the company.
Android does not include user-facing options to disable traffic that is happening outside the VPN tunnel. Mullvad published a guide on disabling connectivity checks on Android. It requires development tools and is technical in nature.
The company reported the issue to Google, which responded with a “won’t fix” status for the issue, stating that it is intended behavior.
“We have looked into the feature request you have reported and would like to inform you that this is working as intended. We do not think such an option would be understandable by most users, so we don’t think there is a strong case for offering this.”
Google’s main arguments are that other traffic is also exempt from this, that some VPNs might use the connectivity information, and that little data is revealed during these checks. Mullvad argues that the leaking of data matters to some users, and that these users should get an option to block any leaky traffic if they want to.
Android users who need full protections against leaks have only one option: to modify the device using Mullvad’s guide to block these connections from happening.
Now You: do you use VPN connections on your mobile devices?
“Won’t fix” =) We are very angry with you for discovering this and disclosing it to the public, we’re gonna sue your ass into oblivion – Google.
So yeah, there go the last tiny particles of privacy credibility on Android. Or is this only on stock Android, meaning: can/do custom ROM developers remove this “feature”?
Yes, custom ROMs can disable this. Mullvad note in their article that GrapheneOS allows users to disable these checks.
I believe GrapheneOS is the only custom ROM that allows you to change or disable connectivity checks.
From the following website: https://grapheneos.org/faq
“You can change the connectivity check URLs via the Settings ➔ Network & Internet ➔ Internet connectivity check setting. At the moment, it can be toggled between the GrapheneOS servers (default), the standard Google servers used by billions of other Android devices or disabled.
By default, the GrapheneOS connectivity check servers are used via the following URLs:
HTTPS: https://connectivitycheck.grapheneos.network/generate_204
HTTP: http://connectivitycheck.grapheneos.network/generate_204
HTTP fallback: http://grapheneos.online/gen_204
HTTP other fallback: http://grapheneos.online/generate_204
Changing this to the Standard (Google) mode will use the same URLs used by AOSP and the stock OS along with the vast majority of other devices, blending in with billions of other Android devices both with and without Play services:
HTTPS: https://www.google.com/generate_204
HTTP: http://connectivitycheck.gstatic.com/generate_204
HTTP fallback: http://www.google.com/gen_204
HTTP other fallback: http://play.googleapis.com/generate_204
GrapheneOS also adds the ability to fully disable the connectivity checks. This results in the OS no longer handling captive portals itself, not falling back to other networks when some don’t have internet access and not being able to delay scheduled jobs depending on internet access until it becomes available.”
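Added example, not part of the comment above and not code from Mullvad, Google or GrapheneOS: a Python check that sorts records captured on the Wi-Fi side of a phone into tunnel traffic and connectivity checks that left outside the tunnel, using the URLs listed in the FAQ quote. The log format, the IPv4 addresses and the VPN endpoint are constructed assumptions.

```python
from urllib.parse import urlsplit

# Connectivity-check URLs as listed in the GrapheneOS FAQ quoted above.
CHECK_URLS = [
    "https://connectivitycheck.grapheneos.network/generate_204",
    "http://connectivitycheck.grapheneos.network/generate_204",
    "http://grapheneos.online/gen_204",
    "http://grapheneos.online/generate_204",
    "https://www.google.com/generate_204",
    "http://connectivitycheck.gstatic.com/generate_204",
    "http://www.google.com/gen_204",
    "http://play.googleapis.com/generate_204",
]
CHECK_HOSTS = {urlsplit(u).hostname for u in CHECK_URLS}
# For plain HTTP an on-path observer sees host and path, so match both.
CHECK_HTTP = {(urlsplit(u).hostname, urlsplit(u).path)
              for u in CHECK_URLS if u.startswith("http://")}

# Constructed sample (assumed format): time kind destination detail
SAMPLE_LOG = """\
12:00:01 udp 203.0.113.10:51820 wireguard
12:00:02 dns 192.168.1.1 connectivitycheck.gstatic.com
12:00:02 http 198.51.100.7 connectivitycheck.gstatic.com/generate_204
12:00:03 tls 198.51.100.8 www.google.com
12:00:04 udp 203.0.113.10:51820 wireguard
12:00:05 http 198.51.100.9 example.org/index.html
"""
VPN_ENDPOINT = "203.0.113.10"  # constructed tunnel server address

def classify(line, vpn_endpoint=VPN_ENDPOINT):
    """Return (verdict, detail) for one captured record."""
    _, kind, dst, detail = line.split(maxsplit=3)
    if dst.split(":")[0] == vpn_endpoint:
        return ("tunnel", detail)
    host, _, path = detail.partition("/")
    if kind == "http" and (host, "/" + path) in CHECK_HTTP:
        return ("check-outside-tunnel", detail)
    if kind in ("dns", "tls") and host in CHECK_HOSTS:
        # Only the name is visible (DNS query or TLS SNI), so this is a hint.
        return ("likely-check-outside-tunnel", detail)
    return ("other-outside-tunnel", detail)

def leaks(log=SAMPLE_LOG):
    """Every record that did not go to the VPN endpoint."""
    results = [classify(l) for l in log.splitlines() if l.strip()]
    return [r for r in results if r[0] != "tunnel"]

if __name__ == "__main__":
    for verdict, detail in leaks():
        print(f"{verdict:28} {detail}")
```

A name such as www.google.com seen only in DNS or TLS SNI is shared with ordinary Google traffic, which is why those records are reported as likely rather than confirmed.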
Shame GrapheneOS is for Pixel phones only, can’t even buy those in Scandinavia. I have never met a person who has owned a Pixel phone at any point in time, come to think of it I have not ever met a person that has even seen a Pixel phone in real life. That’s how great they are.
Oh good!
Guys at Mullvad do realize that each Android phone is equipped with a Qualcomm modem that is basically a full computer, with its own CPU, RAM and OS?
It is a separate entity that connects, diagnoses traffic and does many things that are not controlled by the phone OS or its SoC. When you disable WiFi (or Bluetooth) you are just telling the OS not to connect to the Qualcomm modem, but the modem itself is always alive (same concept with Always-On-VPN. Traffic of the Qualcomm modem is not part of the phone OS, aka not part of the VPN).
On the PC side, it’s the equivalent of a modern router that has its own internet traffic (firmware, diagnosis, security checks, etc).
Also your custom Android ROM rules don’t apply to the modem.
Are people really this gullible?
Cell phones are purposely designed and built to gather and send home as much data as they can about everything within their signal range.
Calling a function a leak is just irresponsible clickbait.
I don’t think this works against the Netguard app. I’ve noticed that while using Netguard, the captive portals for public WiFi networks were not available.
Also I don’t think that entering 3 adb shell commands is actually all that difficult. Most regular users could figure out how to change the config by following steps on a video. I’m sure that some of the privacy oriented youtubers like Mental Outlaw and SwitchedToLinux will put up how-to videos soon.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.
