Mullvad VPN, the Swedish VPN service that powers Mozilla VPN, is currently in the midst of a security audit of its Android app. While conducting this audit, the company found that Android’s VPN settings don’t block the operating system from making connections to Google servers outside the VPN tunnel, contrary to what Google’s documentation states. Mullvad reported this network traffic leak on the Android issue tracker, but Google has marked the issue as intended behavior it won’t fix. Nonetheless, Mullvad is still pushing to change the language in Google’s documentation to make Android users and developers aware of this network connection behavior.
The issue raised by Mullvad centers around Android’s “Block connections without VPN” setting. This setting largely does what the name implies: it blocks network traffic from passing outside the configured VPN service. This feature is important for users who want to force all network traffic through a VPN so that no network activity can be tied back to the users’ actual IP addresses, which could be used to identify the users.
The official Android developer documentation for this setting makes it seem as if this setting, when enabled, ensures that all network traffic passes through the configured VPN: “A person using the device (or an IT admin) can force all traffic to use the VPN. The system blocks any network traffic that doesn’t use the VPN.”
However, it turns out that Android does send some network traffic outside the VPN tunnel even when this setting is enabled. More specifically, every time an Android device connects to a WiFi network, the operating system performs connectivity checks that reach out to Google servers without first passing through the configured VPN. Mullvad primarily focuses on these connectivity checks in the issues the company filed on the Android issue tracker. However, Android also reaches out to Google’s Network Time Protocol (NTP) server outside the configured VPN tunnel on device startup.
Google has indicated that it will not change Android’s connectivity check behavior or add an option for users to disable these checks, as GrapheneOS does. Mullvad proposes that Google at least update the Android developer documentation for the “Blocked connections” setting to include the line “(except connectivity checks).” The addition of this parenthetical clarification could help make Android users and developers aware of the fact that this setting doesn’t actually force all network traffic through the configured VPN tunnel.
Users made aware of this fact may turn to Android Build Tools for a solution. Android users can disable connectivity checks by enabling developer options and USB debugging, then plugging their devices into a system with Build Tools installed and running the terminal command “adb shell settings put global captive_portal_mode 0”.
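As an added example (not from the original article or from Mullvad), the script below wraps the adb command above so the setting can be inspected before the change, verified after it, and removed again. It assumes adb is on PATH with one authorised device attached; the function names and the --status/--disable/--restore arguments are hypothetical, and the value meanings follow Android's Settings.Global captive portal mode constants.

```shell
#!/bin/sh
# Added example: audit and change Android's captive-portal check mode over adb.
# Assumes adb is on PATH and one device is attached with USB debugging enabled.

# Map a captive_portal_mode value to its meaning (Settings.Global constants).
# An unset key reads back as "null", which Android treats as the default (1).
describe_mode() {
    case "$1" in
        0) echo "ignore: connectivity checks disabled" ;;
        1|null|"") echo "prompt: connectivity checks enabled (default)" ;;
        2) echo "avoid: checks enabled, captive networks avoided" ;;
        *) echo "unknown value: $1" ;;
    esac
}

# Read the current value; tr strips the CR some adb versions append.
get_mode() {
    adb shell settings get global captive_portal_mode | tr -d '\r'
}

# Set the mode to 0 and confirm the device actually stored it.
disable_checks() {
    before=$(get_mode)
    adb shell settings put global captive_portal_mode 0
    after=$(get_mode)
    echo "before: $(describe_mode "$before")"
    echo "after:  $(describe_mode "$after")"
    [ "$after" = "0" ]
}

# Remove the override so the OS default applies again.
restore_default() {
    adb shell settings delete global captive_portal_mode >/dev/null
    [ "$(get_mode)" = "null" ]
}

# Runs only when asked, so sourcing the file has no side effects.
case "${1:-}" in
    --status)  describe_mode "$(get_mode)" ;;
    --disable) disable_checks ;;
    --restore) restore_default ;;
esac
```

With the mode set to 0 the device no longer detects captive portals, so WiFi sign-in pages will not open automatically. The NTP request mentioned earlier is a separate mechanism and is not affected by this setting.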