Android devices leak Wi-Fi traffic even with VPN features enabled

A security audit from Mullvad VPN has revealed that Android devices leak certain traffic when connected to a Wi-Fi network, even if virtual private network (VPN) features designed to protect data sent via the public internet are enabled. The audit found that Android’s mobile OS was sending connectivity checks outside of the VPN tunnel.

The issue raises concerns about whether Android users can remain anonymous when sending encrypted data over a public network using a VPN, with the possibility that a potential attacker could monitor their traffic and even find their location.

Mullvad wrote: "It does this every time the device connects to a Wi-Fi network, even when the Block connections without VPN setting is enabled. The connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic.”

Android has said the function is working as intended and did not require a fix, with Mullvad acknowledging that it made sense for connectivity data traffic to be sent by default. However, researchers said that, as there is seemingly no way to prevent traffic from leaking, the issue posed a potential risk and added that current Android documentation about how its OS blocked connections without a VPN was misleading.

Mullvad researchers suggested that “except connectivity checks” could be added to the necessary documentation references, I.e. those claiming the feature allows users to force traffic to use a VPN, or that blocks any traffic that doesn’t use a VPN.

A Google engineer responded that the issue did not require fixing, stating four reasons for declining to integrate an option to disable connectivity checks, including that: the VPN may be relying on the results of connectivity checks and that the VPN may be a split tunnel, in which part of the traffic is let over the underlying network.

The engineer added that connectivity checks are not the only things exempted from VPN, with privileged apps also able to bypass it, which, in many cases, is necessary for their operation. Finally, the engineer stated that Google’s position was that it was unclear what specific impact the issue had on privacy.

With Google seemingly not taking action, Mullvad conceded that there was little that could be done to fix leaks, but added that GrapheneOS gave users the ability to disable connectivity checks. Researchers said that the connections could not be observed in devices using GrapheneOS.

Contact us

hSo ISO 9001 Seal
hSo ISO 14001 Seal
hSo ISO 20000 Seal
hSo ISO 27001 Seal
Cyber Essentials logo
Internet Service Providers Association logo
Internet Telephony Service Providers Association logo
LINX logo
RIPE logo
AWS Partner Network logo
Microsoft Partner logo
Crown Commercial Service supplier logo