RestorePrivacy

Resources to stay safe and secure online

Mullvad VPN Says Android Leaks WiFi Connection Data

October 11, 2022 By Heinrich Long — 14 Comments

Mullvad VPN has posted a warning on its blog to inform its community, and more specifically those using the Android client, that some connection data is being leaked during the establishment of links with WiFi access points.

This contradicts the VPN lockdown behavior as Google has documented it, under which all network traffic, including connectivity checks, should be routed through the VPN tunnel when the “Block connections without VPN” option is active in the settings.

Additionally, these checks can unmask a user’s identity under certain conditions, while the user wrongly assumes that they are using a secured, encrypted connection with no risky interruptions or leaks.

As Mullvad explained in its blog post, the issue was discovered during a security audit of its app, but there’s nothing that the VPN vendor can do to remediate the situation or mitigate the problem.

Hence, Mullvad has submitted a feature request to Google, asking the mobile OS maker to consider adding a feature that passes all requests through the VPN connection with no exceptions.

The Problem

The data privacy problem discovered by Mullvad’s auditors is that no matter what VPN settings are used in Android, the mobile OS still leaks some connection data when establishing a connection with a WiFi access point.

The data that is exposed to potential snoopers includes the location of the WiFi points, the source IP address, DNS lookups, HTTPS, and NTP traffic, along with various metadata.

These aren’t directly linked to an identity but can be used to derive it and de-anonymize Mullvad users, or other VPN users, since this is a common issue for all Android VPN clients.

“The connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic.”

“Even if the content of the message does not reveal anything more than “some Android device connected”, the metadata (which includes the source IP) can be used to derive further information, especially if combined with data such as WiFi access point locations.”

– Mullvad blog

Still, the VPN vendor underlines that exploiting the privacy gap would require the sophistication of a skillful attacker or a privileged monitoring position in the network. As such, the threat isn’t widespread.
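
One way to check a device for this behavior is to capture traffic on the WiFi side (for example at the gateway) and flag anything the phone sends that is not addressed to the VPN server. The script below is an added example, not code from Mullvad or from this article; the capture lines, the IP addresses and the VPN endpoint on port 51820 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: tcpdump -nn style lines as seen on the WiFi gateway.
# All addresses are illustrative (RFC 1918 / RFC 5737), not real servers.
SAMPLE_CAPTURE = """\
12:00:00.100000 IP 192.168.1.50.40112 > 192.168.1.1.53: 4242+ A? check.example. (31)
12:00:00.180000 IP 192.168.1.50.43210 > 198.51.100.7.443: Flags [S], seq 1, length 0
12:00:00.300000 IP 192.168.1.50.51000 > 203.0.113.10.51820: UDP, length 148
12:00:00.350000 IP 203.0.113.10.51820 > 192.168.1.50.51000: UDP, length 92
12:00:01.000000 IP 192.168.1.50.38211 > 198.51.100.20.123: NTPv4, Client, length 48
12:00:01.200000 IP 192.168.1.50.51000 > 203.0.113.10.51820: UDP, length 1280
12:00:02.000000 IP 192.168.1.77.40000 > 198.51.100.7.443: Flags [S], seq 9, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Destination port -> the traffic kinds the article lists as exposed.
KINDS = {53: "DNS", 443: "HTTPS", 123: "NTP"}


def find_leaks(capture, device_ip, vpn_endpoint):
    """Return packets sent by device_ip to anything other than the VPN endpoint.

    vpn_endpoint is an (ip, port) tuple; both values are assumptions that
    must match the VPN server the device is actually configured to use.
    """
    vpn_ip, vpn_port = vpn_endpoint
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] != device_ip:
            continue  # unparsable line, inbound packet, or a different host
        dport = int(m["dport"])
        if m["dst"] == vpn_ip and dport == vpn_port:
            continue  # encrypted tunnel traffic: expected under lockdown
        leaks.append({
            "ts": m["ts"],
            "dst": m["dst"],
            "dport": dport,
            "kind": KINDS.get(dport, "other"),
        })
    return leaks


def summarize(leaks):
    """Count leaked packets per traffic kind."""
    return dict(Counter(pkt["kind"] for pkt in leaks))


if __name__ == "__main__":
    found = find_leaks(SAMPLE_CAPTURE, "192.168.1.50", ("203.0.113.10", 51820))
    for pkt in found:
        print(f'{pkt["ts"]} outside tunnel: {pkt["kind"]} -> {pkt["dst"]}:{pkt["dport"]}')
    print(summarize(found))
```

An empty result with lockdown enabled means every packet from the device went to the VPN endpoint; any DNS, HTTPS or NTP entry is traffic that an on-path observer can see with the device’s real source IP.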

The Response

Google responded to Mullvad’s request for a data traffic system that respects “Block connections without VPN” somewhat negatively, downplaying the importance of the exemptions.

More specifically, an Android developer stated that VPNs rely on the connectivity checks that cause the leaks, and argued that the disclosed information adds nothing for those already snooping on L2 connections.

Mullvad responded to this by saying connectivity checks are only useful for connecting to captive portals, and not all VPN users need split tunneling all the time, so there should be a way to disable them.

Additionally, the VPN vendor stated that access to L2 data isn’t possible throughout the network, so limiting data leaks would still be beneficial for a wide range of circumstances, including stopping ISP-level tracking.

The challenges of complete privacy on mobile devices

For years, we have alerted readers to the challenges of maintaining a high level of privacy on mobile devices.

In our guide on controlling communication channels, we detailed numerous factors that could expose your identity and undermine your privacy when using mobile devices, whether they be Android or iOS:

  • video
  • audio
  • PCIe ports
  • Bluetooth
  • Ultra-Wideband (UWB)
  • Ethernet
  • WiFi
  • broadband
  • cellular
  • GPS/GNSS
  • sensors

Just a few months back, a similar concern was raised pertaining to iOS devices leaking data when connected to a VPN.

Needless to say, achieving a very high level of privacy on a mobile device remains a daunting task, and nothing has changed in that regard.

While some may see this report and conclude that using a VPN on mobile devices is futile, that would be short-sighted and foolish. Privacy is not an all-or-nothing proposition, especially in a world of mass data collection, targeted advertising, and surveillance capitalism.

Even with these leaks from Android connection checks, a VPN remains a crucial tool in a world where ISPs surveil their customers and sell the data to a giant network of third parties. A VPN will continue to encrypt your connection and effectively hide your browsing activity from these types of adversaries.

As to targeted advertising and the tracking networks that permeate most websites today, a VPN with a built-in ad blocker will also go a long way to elevating your privacy on mobile devices, regardless of the connection check situation with Android.

A little bit of privacy is a lot better than nothing.

About Heinrich Long

Heinrich is an associate editor for RestorePrivacy and veteran expert in the digital privacy field. He was born in a small town in the Midwest (USA) before setting sail for offshore destinations. Although he long chafed at the global loss of online privacy, after Edward Snowden’s revelations in 2013, Heinrich realized it was time to join the good fight for digital privacy rights. Heinrich enjoys traveling the world, while also keeping his location and digital tracks covered.

Comments

  1. Pepe

    October 21, 2022

    Is this the reason why my Fire TV 4k shows the 8.8.8.8.8 DNS along with the Nordvpn DNS when I am connected via VPN? The Fire TV shows me that in the advanced network settings. Analiti- Speed Test app also shows the Google DNS. My router has Cloudflare, 1.1.1.1.1 and 1.0.0.1 as DNS defined. Thanks

  2. Jon Frakes

    October 16, 2022

    Android has **always** leaked your location depending on the sophistication of the app.

    I’ve rooted my Android device, I’ve used Fake GPS spoofer apps along with a VPN, and even though Google itself sees me at my spoofed location, many other apps actually see my REAL location.

  3. emi

    October 12, 2022

    When will you do a review of mullvad vpn? Thank you.

    • Bronco

      October 12, 2022

      Mullvad and IVPN are arguably the two most transparent VPN services available. Especially IVPN, a very good, informative and very reliable company. But there are no affiliate links, coupons and the like for marketing purposes, that’s their choice. Probably that’s why most “Best VPN” lists – including RP – skip these great services. I recommend both.

      • Sven Taylor

        October 13, 2022

        There are hundreds of VPNs on the market and we don’t have time to test them all. Based on my tests of Mullvad in the WireGuard VPN guide, we recommend it. I have never used/tested IVPN.

        As for affiliates, we are affiliates with some VPNs but not all. We recommend products and services that we trust and use ourselves. Without affiliates, this site would struggle to survive because donations would not suffice to cover the time and effort involved: been there, tried that years ago.

        • Bronco

          October 14, 2022

          Respect for that, and that is an absolutely right and fair business model.

          My suggestion would be to add a Comments section somewhere on the homepage, starting with “the latest”. Possible with this template?

        • Sven Taylor

          October 14, 2022

          You mean a section on the homepage that highlights just the latest comments?

        • Bronco

          October 15, 2022

          Yes.

        • BoBeX

          October 20, 2022

          Hi RP Team,

          I agree with this conversation.
          As a reader it is a bit tricky to follow what people are saying, or if one leaves a comment or asks a question it can be tricky to remember where one wrote it or where to look to find the answer.

          For example, this conversation is posted under this article. In two weeks how will I remember where to find it? How to make it more easily keep track of what people are saying?

          Regards,

          BoBeX

  4. Kinda Anon

    October 12, 2022

    A phone is a tracking device. It is a mobile computer that likes to ping things. I gave up even trying to make a phone secure a long time ago. I use Linux Mint as my daily driver OS, and IVPN as my VPN. They are expensive, but they are good. I have two connections at my house, one fast and one slow as a backup. My connection has dropped before on my fast connection and it didn’t leak. The IVPN client just changed networks and reconnected to another server.

    I have had issues with my connection dropping on Linux with Nord VPN and exposing my torrents. I got a letter some time ago.

  5. Jordie LeForge

    October 11, 2022

    A VPN doesn’t shield your actual location.

  6. Bronco

    October 11, 2022

    The way both Google and Apple responded to this is very arrogant. They don’t want it to be fixed.

  7. Will Wheaton

    October 11, 2022

    Am sure iOS will also be leaking in some way, vulnerable too.

    • Ed S

      October 11, 2022

      This has been complained about for what seems to be forever among savvy Android users that experienced their locations revealed with apps such as Wechat and others. Despite using a VPN, many apps are aware of your geolocation. In contrast, with iOS the app may not work properly should you enable your VPN.


COPYRIGHT © 2023 RESTORE PRIVACY, LLC · PRIVACY POLICY · TERMS OF USE · CONTACT · SITEMAP