Android Security Audit Finds A Traffic Leak That Bypasses VPNs And Google Won't Fix It

Mullvad VPN, the Swedish VPN service that powers Mozilla VPN, is currently in the midst of a security audit of its Android app. While conducting this audit, the company discovered that Android’s VPN settings don’t block the operating system from making certain connections to Google servers outside the VPN tunnel, contrary to what Google’s documentation states. Mullvad reported this network traffic leak on the Android issue tracker, but Google has marked the issue as intended behavior it won’t fix. Nonetheless, Mullvad is still pushing to change the language in Google’s documentation to make Android users and developers aware of this network connection behavior.

Android VPN settings

The issue raised by Mullvad centers around Android’s “Block connections without VPN” setting. This setting largely does what the name implies: it blocks network traffic from passing outside the configured VPN service. This feature is essential for users who want to force all network traffic through a VPN so that no network activity can be tied back to the users’ actual IP addresses, which could be used to identify the users.

The official Android developers documentation for this setting makes it seem as though this setting, when enabled, ensures that all network traffic passes through the configured VPN: “A person using the device (or an IT admin) can force all traffic to use the VPN. The system blocks any network traffic that doesn’t use the VPN.”

An incoming Google connection reaching an Android device outside a VPN tunnel (source: Mysk)

However, it turns out that Android does send some network traffic outside the VPN tunnel even when this setting is enabled. More specifically, every time an Android device connects to a WiFi network, the operating system performs connectivity checks that reach out to Google servers without first passing through the configured VPN. Mullvad mainly focuses on these connectivity checks in the issues the company filed on the Android issue tracker. However, Android also reaches out to Google’s Network Time Protocol (NTP) server outside the configured VPN tunnel on device startup.

Google has indicated that it will not change Android’s connectivity check behavior or add an option for users to disable these checks, as GrapheneOS does. Mullvad proposes that Google at least update the Android developer documentation for the “Blocked connections” setting to include the line “(except connectivity checks).” The addition of this parenthetical clarification could help make Android users and developers aware of the fact that this setting doesn’t actually force all network traffic through the configured VPN tunnel.

Users made aware of this fact could turn to Android Build Tools for a solution. Android users can disable connectivity checks by enabling developer options and USB debugging, then plugging their devices into a system with Build Tools installed and running the terminal command “adb shell settings put global captive_portal_mode 0”.
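The following script is an added example, not from the article or from Mullvad or Google. It wraps the adb command above so that the change is read back and verified rather than fired blindly, and it offers a revert path that deletes the key so Android falls back to its built-in default instead of a value guessed by the script. It assumes a device with USB debugging enabled and authorised, and an `adb` binary on PATH (the `ADB` variable, the function names and the `apply`/`revert`/`status` subcommands are this example's own).

```shell
#!/bin/sh
# Added example: verify-after-write wrapper for the captive_portal_mode setting.
# Assumes: USB debugging enabled and authorised, `adb` on PATH (or ADB=/path/to/adb).

ADB="${ADB:-adb}"

# Print the current value of a global Android setting ("null" if unset).
# Output is passed through tr to drop the CR that adb shell emits on some hosts.
get_global_setting() {
    "$ADB" shell settings get global "$1" | tr -d '\r'
}

# Write a global setting, then read it back; fails if the device disagrees.
set_global_setting() {
    key="$1"
    value="$2"
    "$ADB" shell settings put global "$key" "$value" || return 1
    actual="$(get_global_setting "$key")"
    [ "$actual" = "$value" ]
}

# Disable Android's Wi-Fi connectivity checks, i.e. the command from the article.
# Value 0 is CAPTIVE_PORTAL_MODE_IGNORE in Android's Settings.Global constants.
disable_connectivity_checks() {
    set_global_setting captive_portal_mode 0
}

# Revert by deleting the key, so Android applies its own default again
# (no assumption about what that default value is).
restore_connectivity_checks() {
    "$ADB" shell settings delete global captive_portal_mode
}

# Top-level dispatch; with no argument only usage is printed, so nothing
# touches a device unless explicitly asked.
case "${1:-}" in
    apply)
        disable_connectivity_checks && echo "connectivity checks disabled"
        ;;
    revert)
        restore_connectivity_checks && echo "captive_portal_mode reset to default"
        ;;
    status)
        echo "captive_portal_mode=$(get_global_setting captive_portal_mode)"
        ;;
    *)
        echo "usage: $0 apply|revert|status"
        ;;
esac
```

Two caveats a defender should keep in mind. With the value at 0, Android no longer detects captive portals, so on hotel or airport Wi-Fi the login page has to be opened by hand in a browser. And the change only covers the connectivity checks the article focuses on; the NTP connection Android makes at startup, also mentioned above, is not affected by this setting.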