Mullvad VPN has posted a warning on its blog to inform its community, and more specifically those using the Android client, that some connection data is being leaked during the establishment of links with WiFi access points.
This contradicts the VPN lockdown behaviour as Google has documented it: with the “Block connections without VPN” setting active, all network traffic, including connectivity checks, should be routed through the VPN tunnel.
Additionally, these checks risk unmasking the user's identity under certain conditions, while the user falsely assumes they are using a secured, encrypted connection with no interruptions or leaks.
As Mullvad explained in its blog post, the issue was discovered during a security audit on its app, but there’s nothing that the VPN vendor can do to remediate the situation or mitigate the problem.
Hence, Mullvad has submitted a feature request to Google, asking the mobile OS maker to consider adding a feature that passes all requests through the VPN connection with no exceptions.
The data privacy problem discovered by Mullvad’s auditors is that no matter what VPN settings are used in Android, the mobile OS still leaks some connection data when establishing a connection with a WiFi access point.
The data exposed to potential snoopers includes the location of the WiFi access points, the device's source IP address, DNS lookups, HTTPS and NTP traffic, and various metadata.
None of this is directly linked to an identity, but it can be used to derive one and de-anonymize Mullvad users, or the users of any other Android VPN client, since the behaviour is common to all of them.
“The connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic.”
“Even if the content of the message does not reveal anything more than “some Android device connected”, the metadata (which includes the source IP) can be used to derive further information, especially if combined with data such as WiFi access point locations.” – Mullvad blog
Still, the VPN vendor underlines that exploiting the privacy gap would require a skilled attacker or a privileged monitoring position in the network, so the threat isn’t widespread.
Google responded to Mullvad’s request for a data traffic system that respects “Block connections without VPN” somewhat negatively, downplaying the importance of the exemptions.
More specifically, an Android developer stated that VPNs themselves rely on the connectivity checks that cause the leaks, and argued that the disclosed information adds nothing to what a party already snooping on the L2 (link-layer) connection can see.
Mullvad responded to this by saying connectivity checks are only useful for connecting to captive portals, and not all VPN users need split tunneling all the time, so there should be a way to disable them.
Additionally, the VPN vendor stated that L2 access isn’t available everywhere along the network path, so limiting these leaks would still be beneficial in a wide range of circumstances, including stopping ISP-level tracking.
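As a defender-side check of the behaviour described above, here is an added Python example (not code from Mullvad's post or from Android) that scans flow records for traffic that left the WiFi interface instead of the VPN tunnel and tallies it by the traffic classes the article lists (DNS, HTTP(S), NTP). The line format, interface names and addresses are constructed assumptions, not tcpdump's output or real Android endpoints.

```python
import re
from collections import Counter

# Constructed record format (assumption, not tcpdump's own syntax):
#   "<iface> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+)\s+(udp|tcp)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

# Interfaces that carry tunnelled traffic; "tun0" is an assumed name.
VPN_IFACES = {"tun0"}

def parse_line(line):
    """Parse one record into a dict, or return None for unparsable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    iface, proto, src, _sport, dst, dport = m.groups()
    return {"iface": iface, "proto": proto, "src": src, "dst": dst, "dport": int(dport)}

def classify(flow):
    """Label a flow by port, matching the traffic classes named in the article."""
    key = (flow["proto"], flow["dport"])
    return {("udp", 53): "dns", ("udp", 123): "ntp",
            ("tcp", 443): "https", ("tcp", 80): "http"}.get(key, "other")

def find_bypass(lines):
    """Report flows that bypassed the tunnel: counts per class, the source IPs
    exposed on the local network, and the destinations contacted in the clear."""
    flows = [f for f in map(parse_line, lines) if f]
    leaked = [f for f in flows if f["iface"] not in VPN_IFACES]
    return {
        "counts": dict(Counter(classify(f) for f in leaked)),
        "exposed_src": sorted({f["src"] for f in leaked}),
        "destinations": sorted({f["dst"] for f in leaked}),
    }

# Constructed sample capture: one DNS lookup, an HTTP and an HTTPS connectivity
# check, and an NTP query on wlan0, plus one flow that correctly used the tunnel.
SAMPLE_LOG = """\
wlan0 udp 192.0.2.10:51234 -> 198.51.100.1:53
wlan0 tcp 192.0.2.10:51235 -> 203.0.113.7:80
wlan0 tcp 192.0.2.10:51236 -> 203.0.113.7:443
wlan0 udp 192.0.2.10:51237 -> 203.0.113.9:123
tun0 tcp 10.8.0.2:40000 -> 203.0.113.50:443
""".splitlines()

if __name__ == "__main__":
    print(find_bypass(SAMPLE_LOG))
```

Any flow the report lists is traffic the local network and the ISP can see regardless of the VPN, which is exactly the exposure the two sides of the exchange disagree about.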
The challenges of complete privacy on mobile devices
For years, we have alerted readers to the challenges of maintaining a high level of privacy on mobile devices.
In our guide on controlling communication channels, we detailed numerous factors that could expose your identity and undermine your privacy when using mobile devices, whether they be Android or iOS:
- PCIe ports
- Ultra-Wideband (UWB)
Just a few months back, a similar concern was raised pertaining to iOS devices leaking data when connected to a VPN.
Needless to say, achieving a very high level of privacy on a mobile device remains a daunting task, and nothing has changed in that regard.
While some may see this report and conclude that using a VPN on mobile devices is futile, that would be short-sighted and foolish. Privacy is not an all-or-nothing proposition, especially in a world of mass data collection, targeted advertising, and surveillance capitalism.
Even with these leaks from Android connection checks, a VPN remains a crucial tool in a world where ISPs surveil their customers and sell the data to a giant network of third parties. A VPN will continue to encrypt your connection and effectively hide your browsing activity from these types of adversaries.
As to targeted advertising and the tracking networks that permeate most websites today, a VPN with a built-in ad blocker will also go a long way to elevating your privacy on mobile devices, regardless of the connection check situation with Android.
A little bit of privacy is a lot better than nothing.