‘Always-on VPN’ feature on Android can leak unencrypted data

Virtual private networks (VPNs) have long been a vital application for millions of people every day, allowing them and their data to stay secure from potential cyber threats or attacks. Unfortunately, a popular Swedish VPN provider has revealed that Android users might not be as protected as we thought.

Within Android’s settings, users can select “Always-on VPN,” which is supposed to block any connection from the device that does not go through an active VPN. This feature is helpful for Android users who prioritize their privacy, especially those storing or transferring sensitive data on their devices.

A VPN creates a virtual “tunnel” between two points on the internet through which encrypted data can travel privately without being intercepted. An analogy would be rolling a ping pong ball across a tabletop to another person. Any third party could grab the ball, do what they want with it, then send it on to its original destination. However, if you roll the ball through a tube, it is much harder to intercept. Data travels through a VPN similarly, so the information is hard to grab. Because the original packet is encrypted inside the tunnel, its source and destination are also hidden from anyone watching the path.

Unfortunately, a Swedish VPN provider named Mullvad reports that Always-on VPN is not entirely working as intended and has a noticeable flaw. The problem is that Android periodically sends a “connectivity check” to confirm that the network it is attached to actually provides a working connection. These connectivity checks expose device data, such as the device’s real IP address, HTTPS traffic, and DNS lookups. None of this is encrypted by the VPN because it doesn’t go through the tunnel, meaning anyone intercepting a connectivity check could see bits of information about the device, even with Always-on VPN enabled.
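The leak described above is visible to anyone who can see the physical interface, because the check packets never enter the tunnel. The following added example (not code from the article or from Mullvad) shows how a defender would confirm such a leak from a packet capture: it parses a constructed, tcpdump-style capture summary in which each line records the interface it was seen on, and reports every packet that left on the physical interface instead of the tunnel interface while the VPN was up. The interface names `wlan0` and `tun0`, the addresses, and the hostnames are all assumed sample values.

```python
"""Flag traffic that bypassed a VPN tunnel in a captured session.

Added example, not part of the original article or any VPN provider's
tooling. Input is a constructed, simplified capture format:

    <iface> <src_ip>.<src_port> > <dst_ip>.<dst_port> <proto> [detail]

Packets seen on the physical interface (assumed 'wlan0') while the tunnel
interface (assumed 'tun0') is up are the ones an on-path observer can read.
"""
import re
from collections import Counter
from dataclasses import dataclass

TUNNEL_IFACE = "tun0"      # assumption: VPN tunnel interface name
PHYSICAL_IFACE = "wlan0"   # assumption: Wi-Fi interface name

# Constructed sample capture. The first three lines mimic a connectivity
# check leaving on Wi-Fi (a DNS lookup, a plaintext HTTP probe and a TLS
# connection); the last two are ordinary traffic inside the tunnel.
SAMPLE_CAPTURE = """\
wlan0 192.0.2.10.41022 > 198.51.100.53.53 UDP DNS A? connectivitycheck.example.invalid
wlan0 192.0.2.10.41023 > 203.0.113.7.80 TCP HTTP GET /probe
wlan0 192.0.2.10.41024 > 203.0.113.7.443 TCP TLS ClientHello
tun0 10.8.0.2.55000 > 10.8.0.1.443 TCP TLS ClientHello
tun0 10.8.0.2.55001 > 10.8.0.1.53 UDP DNS A? example.com
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+) (?P<proto>\S+)(?: (?P<detail>.*))?$"
)


@dataclass
class Leak:
    iface: str
    src_ip: str      # the device's real address, visible to the observer
    dst_ip: str
    dst_port: int
    kind: str        # what an observer learns from this packet
    detail: str


def classify(dst_port: int, detail: str) -> str:
    """Describe what an on-path observer gets from a non-tunneled packet."""
    if dst_port == 53:
        return "DNS lookup"          # queried hostname is in the clear
    if dst_port == 80:
        return "plaintext HTTP"      # full request is readable
    if dst_port == 443:
        return "HTTPS metadata"      # destination and timing, not content
    return "other traffic"


def find_leaks(capture: str, tunnel_iface: str = TUNNEL_IFACE) -> list[Leak]:
    """Return packets that left on any interface other than the tunnel."""
    leaks: list[Leak] = []
    for raw in capture.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable capture line: {line!r}")
        if m["iface"] == tunnel_iface:
            continue   # inside the tunnel: protected by the VPN
        port = int(m["dport"])
        detail = m["detail"] or ""
        leaks.append(Leak(m["iface"], m["src"], m["dst"], port,
                          classify(port, detail), detail))
    return leaks


def summarize(leaks: list[Leak]) -> dict[str, int]:
    """Count leaked packets by what they reveal."""
    return dict(Counter(leak.kind for leak in leaks))


if __name__ == "__main__":
    found = find_leaks(SAMPLE_CAPTURE)
    for leak in found:
        print(f"{leak.iface}: {leak.src_ip} -> {leak.dst_ip}:{leak.dst_port} "
              f"[{leak.kind}] {leak.detail}")
    print("summary:", summarize(found))
```

On a real device the same check is done against a capture taken while the VPN is connected; any packet on the physical interface whose source is the device's own address is exactly the exposure the article describes, and the DNS line shows why the leak is not limited to the IP address alone.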

Mullvad called on Google to either change the description of this feature or fix the flaw within Android. According to VPNoverview, Google was quick to respond to Mullvad’s concerns.

“We have looked into the feature request you have reported and would like to inform you that this is working as intended,” a Google engineer said. “We do not think such an option would be understandable by most users, so we don’t think there is a strong case for offering this.”

The response is somewhat concerning, as the company confirms it has no plans to fix this flaw. While Mullvad believes this is a notable concern, it does not think most users should view it as a significant risk.

“[Any] de-anonymization attempt would require a quite sophisticated actor,” the VPN specialist said.

There is currently no way for VPN providers to update their apps to work around this flaw, as it is built into the Android operating system and cannot be disabled. Additionally, since Google has no intention of changing the Always-on VPN option, this will likely not change. Therefore, more cautious users can either live with the issue or look for a better way to secure their data.