'Always-on VPN' feature on Android can leak unencrypted data

AlphaX

Posts: 67   +16
Staff
Why it matters: Virtual private networks (VPN) have long been a vital application for millions of people every day, allowing them and their data to stay secure from potential cyber threats or attacks. Unfortunately, a popular Swedish VPN provider revealed that Android users might not be as protected as we thought.

Within Android's settings, users can select "Always-on VPN," which is supposed to restrict any connections to the device without a VPN active. This feature is helpful for Android consumers who prioritize their privacy, especially those storing or transferring sensitive data with their devices.

A VPN creates a virtual "tunnel" between two points on the internet through which encrypted data can travel privately without getting intercepted. An analogy would be rolling a ping pong ball across a tabletop to another person. Any third party could grab the ball, do what they want with it, then send it to its original destination. However, if you roll the ball through a tube, it would be much harder to intercept. Data travels through VPNs similarly, so it is hard to grab the information. Since the data packet is encrypted, the source and destination are also hidden.

Unfortunately, a Swedish VPN provider named Mullvad reports that Always-on VPN is not entirely working as intended and has a noticeable flaw. The problem is that Android occasionally sends a "connectivity check" to find nearby servers supplying a connection. Connectivity checks contain vital device data, such as IP addresses, HTTPS traffic, and DNS lookups. None of this is encrypted because it doesn't go through the VPN tunnel, meaning anyone intercepting a connectivity check could see bits of info regarding the device, even with Always-on VPN enabled.

Mullvad called on Google to either change the description of this feature or fix the flaw within Android. According to VPNoverview, Google was quick to respond to Mullvad's concerns.

"We have looked into the feature request you have reported and would like to inform you that this is working as intended," a Google engineer said. "We do not think such an option would be understandable by most users, so we don't think there is a strong case for offering this."

The response is somewhat concerning, as the company confirms it has zero plans of fixing this flaw. While Mullvad believes this is a notable concern, it does not think most users should view it as a significant risk.

"[Any] de-anonymization attempt would require a quite sophisticated actor," the VPN specialist said.

There is currently no way for VPN providers to update their apps to work around this flaw, as it is built into the Android operating system and cannot be disabled. Additionally, Google having no intention of changing the Always-on VPN option means this will likely not change. Therefore, more cautious users can either live with the issue or potentially find a better way to secure their data.

Permalink to story.

 

ZedRM

Posts: 1,403   +976
"We have looked into the feature request you have reported and would like to inform you that this is working as intended," a Google engineer said. "We do not think such an option would be understandable by most users, so we don't think there is a strong case for offering this."
@ Google
This is a BS flacid answer and you all know it. Get your act together and fix this problem the PROPER way and quit making cop-outs and excuses.
 

Vanderlinde

Posts: 204   +129
VPN on all your devices is the new netflix in regards of subscriptions.

If you pay for a VPN, the chances are great they do hold your administrative details. And due to several laws, VPN providers somehow forced to log any data with the EU or US, are you really private?

If you want a secure connection to the internet, just disconnect. Seriously. They have huge DC's to pretty much crack all the available web encryptions right now. If your a target they can and will get you.
 

Watzupken

Posts: 755   +636
I think it is very clear that if you decide to be connected to the "world wide web", there is no way you can mask or hide yourself entirely. I believe its been mentioned fairly recently about limitations with iOS as well when it comes to the use of VPN. That's why I am seeing less and less benefit to these VPNs. People are paying for the service and getting a false sense of security because while the service may work, but its clear their devices are not going to the service to work as intended. If you are using it to overcome limitations as a result of gaining access to services that are not available in your country, I feel that's becoming the predominant use case for VPN for most people.
 

Badvok

Posts: 352   +181
As this story clearly demonstrates, Google are correct that it is beyond the comprehension of most users. If even Mullvad, a VPN provider, and Matt Frusher can't understand it what hope is there for the rest of us? Perhaps Mullvad and Matt need to learn a little about how a VPN works before trying to pick fault in the software of others.
 

rrwards

Posts: 258   +490
VPN on all your devices is the new netflix in regards of subscriptions.

If you pay for a VPN, the chances are great they do hold your administrative details. And due to several laws, VPN providers somehow forced to log any data with the EU or US, are you really private?

If you want a secure connection to the internet, just disconnect. Seriously. They have huge DC's to pretty much crack all the available web encryptions right now. If your a target they can and will get you.

This is likely the case except for maybe the company reporting this (Mullvad) since they don't save any of your PI. You buy a subscription and get an account number only. No username, password, account info at all, just a long string of numbers.