Mullvad VPN has posted a warning on its blog to inform its community, and more specifically those using the Android client, that some connection data is being leaked during the establishment of links with WiFi access points.
This basically opposes the VPN lockdown system as Google has documented it, which should route all network traffic, including connectivity checks, through VPN tunnels when the “Block connections without VPN” is active in the settings.
Additionally, these checks risk user identity unmasking under certain conditions while the user falsely assumes that they are using a secured, encrypted connection with no risky interruptions or leaks.
As Mullvad explained in its blog post, the issue was discovered during a security audit on its app, but there’s nothing that the VPN vendor can do to remediate the situation or mitigate the problem.
Hence, Mullvad has submitted a feature request to Google, asking the mobile OS maker to consider adding a feature that passes all requests through the VPN connection with no exceptions.
The Problem
The data privacy problem discovered by Mullvad’s auditors is that no matter what VPN settings are used in Android, the mobile OS still leaks some connection data when establishing a connection with a WiFi access point.
The data that is exposed to potential snoopers includes the location of the WiFi points, the source IP address, DNS lookups, HTTPS, and NTP traffic, along with various metadata.
These aren’t directly linked to an identity but can be used to derive it and de-anonymize Mullvad users, or other VPN users, since this is a common issue for all Android VPN clients.
“The connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic.”
“Even if the content of the message does not reveal anything more than “some Android device connected”, the metadata (which includes the source IP) can be used to derive further information, especially if combined with data such as WiFi access point locations.”
– Mullvad blog
Still, the VPN vendor underlines that exploiting the privacy gap would require the sophistication of a skillful attacker or a privileged monitoring position in the network. As such, the threat isn’t widespread.
The Response
Google responded to Mullvad’s request for a data traffic system that respects “Block connections without VPN” somewhat negatively, downplaying the importance of the exemptions.
More specifically, an Android developer stated that VPNs rely on the connectivity checks that cause the leaks and argued that the disclosed information isn’t adding anything to those already snooping at L2 connections.
Mullvad responded to this by saying connectivity checks are only useful for connecting to captive portals, and not all VPN users need split tunneling all the time, so there should be a way to disable them.
Additionally, the VPN vendor stated that access to L2 data isn’t possible throughout the network, so limiting data leaks would still be beneficial for a wide range of circumstances, including stopping ISP-level tracking.
The challenges of complete privacy on mobile devices
For years, we have alerted readers to the challenges of maintaining a high level privacy on mobile devices.
In our guide on controlling communication channels, we detailed numerous factors that could expose your identity and undermine your privacy when using mobile devices, whether they be Android or iOS:
- video
- audio
- PCIe ports
- Bluetooth
- Ultra-Wideband (UWB)
- Ethernet
- WiFi
- broadband
- cellular
- GPS/GNSS
- sensors
Just a few months back, a similar concern was raised pertaining to iOS devices leaking data when connected to a VPN.
Needless to say, achieving a very high level of privacy on a mobile device remains a daunting task, and nothing has changed in that regard.
While some may see this report and conclude that using a VPN on mobile devices is futile, that would be short-sighted and foolish. Privacy is not an all-or-nothing proposition, especially in a world of mass data collection, targeted advertising, and surveillance capitalism.
Even with these leaks from Android connection checks, a VPN remains a crucial tool in a world where ISPs surveil their customers and sell the data to a giant network of third parties. A VPN will continue to encrypt your connection and effectively hide your browsing activity from these types of adversaries.
As to targeted advertising and the tracking networks that permeate most websites today, a VPN with a built-in ad blocker will also go a long way to elevating your privacy on mobile devices, regardless of the connection check situation with Android.
A little bit of privacy is a lot better than nothing.
Is this the reason why my Fire TV 4k shows the 8.8.8.8.8 DNS along with the Nordvpn DNS when I am connected via VPN? The Fire TV shows me that in the advanced network settings. Analiti- Speed Test app also shows the Google DNS. My router has Cloudfare, 1.1.1.1.1 and 1.0.0.1 as DNS defined. Thanks
Android has **always** leaked your location depending on the sophistication of the app.
I’ve rooted my Android device, I’ve used Fake GPS spoofer apps along with a VPN, and even though Google itself sees me at my spoofed location, many other apps actually see my REAL location.
When will you do a review of mullvad vpn? Thank you.
Mullvad and IVPN are arguably two most transparent VPN services available. Especially IVPN, a very good, informative and very reliable company. But there are no affiliate links, coupons and likes for marketing purposes, that’s their choice. Probably that’s why most “Best VPN” lists – including RP – skip these great services. I recommend both.
There are hundreds of VPNs on the market and we don’t have time to test them all. Based on my tests of Mullvad in the WireGuard VPN guide, we recommend it. I have never used/tested IVPN.
As for affiliates, we are affiliates with some VPNs but not all. We recommend products and services that we trust and use ourselves. Without affiliates, this site would struggle to survive because donations would not suffice to cover the time and effort involved: been there, tried that years ago.
Respect for that and that is absolutely right and fair business model.
My suggestion would be to add Comments section somewere on the homepage, starting with “the latest”. Possible with this template?
You mean a section on the homepage that highlights just the latest comments?
Yes.
Hi RP Team,
I agree with this conversation.
As a reader it is a bit tricky to follow what people are saying, or if one leaves a comment or asks a question it can be tricky to remember where one wrote it or where to look to find the answer.
For example, this conversation is posted under this article. In two weeks how will I remember where to find it? How to make it more easily keep track of what people are saying?
Regards,
BoBeX
A phone is a tracking device . It is a mobile computer that likes to ping things . I gave up even trying to make a phone secure a long time ago . I use Linux Mint as my daily driver OS , and IVPN as my VPN . They are expensive , but they are good . I have two connection at my house , one fast and one slow as a backup . My connection has dropped before on my fast connection and it didnt leak . The IVPN client just changed networks and reconnected to another server .
I have had issues with my connection dropping on Linux with Nord VPN and exposing my torrents . I got a letter some time ago .
A VPN doesn’t shield your actual location.
The way how both Google and Apple responded on this is very arrogant. They don’t want it to be fixed.
Am sure ios will also be leaking in some way, vurnerable too.
This has been complained about what seems to be forever among savy Android users that experienced their locations revealed with apps such as Wechat and others. Despite using a VPN, many apps are aware of your geolocation. In contrast, with iOS the app may not work properly should you enable your VPN.