Mullvad VPN discovered that Android still leaks data traffic once the device is connected to WiFi, even when “Block connections without VPN” or “Always-on VPN” is activated.
As per Mullvad’s blog, they were conducting a security assessment for their app when they discovered that Android leaks specific data traffic, which cannot be stopped by any VPN provider.
Source IP addresses, DNS lookups, HTTPS traffic, and even NTP information are among the leaked data.
VPNs on Android are quite popular right now since they protect users’ data from being accessed by Internet service providers and some hackers. Android users also use VPNs to circumvent internet restrictions.
Mullvad issued a warning yesterday to raise awareness, and reported the issue to Google as well.
The company has also stated that the “Block connections without VPN” setting is misleading because the device will still leak data. A detailed procedure for reproducing the problem is in their blog post.
The traffic sent outside the VPN connection contains metadata that might be exploited to extract critical de-anonymization information, such as WiFi access point locations.
Mullvad notes that even if the leaks are not fixed, Google should at the very least update the documentation to clearly state that “Connectivity Checks” are not covered by the “Block connections without VPN” function.
At the end of the day, a VPN still serves its purpose; the only issue is the Android operating system’s features and restrictions.