Your Android Device May Leak Unencrypted Data Even While the VPN is Working

And it has nothing to do with a VPN app, but with Android...


There is a setting that comes built-in with Android devices called “Always-on VPN,” which is supposed to block all network connections from the device unless the VPN tunnel is up. This is one of the features privacy-conscious users rely on to stay under the radar while using their smartphones and tablets.

Alas, it may not work as advertised, according to the Swedish VPN provider Mullvad. They claim that the Always-on VPN feature does not fully do what it promises and has a noticeable flaw. The problem is that Android periodically sends a “connectivity check” to confirm that the network it has joined actually provides internet access. These connectivity checks leave the device outside the VPN tunnel and so expose data such as your real IP address, HTTPS traffic, and DNS lookups. None of this is protected by the VPN, allowing a savvy attacker on the network path to intercept a connectivity check and get hold of this information — even with Always-on VPN enabled.
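To make the described leak concrete from a defender's point of view, here is an added example (not code from the article or from Mullvad) that audits a per-flow capture log from an Android device and separates flows that went through the tunnel from flows that left on the physical interface. The log format (interface, protocol, destination per line), the interface names `tun0` for the VPN and `wlan0` for Wi-Fi, and the sample lines themselves are all constructed assumptions for this demo; the connectivity-check host names are the default endpoints Android uses for its captive-portal check.

```python
"""Audit a constructed flow log for traffic that bypasses the VPN tunnel.

The 'iface proto destination' line format is an assumption made for this
example; it is not an Android or Mullvad log format.
"""
from dataclasses import dataclass

# Assumption: the VPN tunnel interface is tun0; anything else (e.g. wlan0)
# is a physical interface, so traffic on it never went through the VPN.
VPN_IFACE = "tun0"

# Default host names Android contacts for its connectivity / captive-portal
# check. Real endpoints, but the set is not claimed to be exhaustive.
CONNECTIVITY_CHECK_HOSTS = {
    "connectivitycheck.gstatic.com",
    "connectivitycheck.android.com",
}


@dataclass(frozen=True)
class Flow:
    iface: str   # interface the packet left on
    proto: str   # "dns", "http" or "https" (lower-cased)
    dst: str     # destination host; for DNS, the name being looked up
    raw: str     # original log line, kept for reporting


def parse_flow(line):
    """Parse one whitespace-separated log line; return None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    iface, proto, dst = parts
    return Flow(iface, proto.lower(), dst.lower(), line)


def classify(flow):
    """Label a flow as tunneled, an expected connectivity-check leak,
    or an unexplained leak that needs a closer look."""
    if flow.iface == VPN_IFACE:
        return "tunneled"
    if flow.dst in CONNECTIVITY_CHECK_HOSTS:
        return "leak:connectivity-check"
    return "leak:other"


def audit(lines):
    """Group every parseable flow by classification; skip malformed lines."""
    report = {"tunneled": [], "leak:connectivity-check": [], "leak:other": []}
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        report[classify(flow)].append(flow)
    return report


# Constructed sample: a handful of flows as a capture on the device might
# summarise them. The two wlan0 lines to connectivitycheck.gstatic.com model
# the leak the article describes; the last line is a constructed extra leak.
SAMPLE_LOG = """\
tun0 https example.org
tun0 dns example.org
wlan0 dns connectivitycheck.gstatic.com
wlan0 https connectivitycheck.gstatic.com
tun0 https mail.example.net
wlan0 dns ad.example-tracker.test
not-a-valid-line
""".splitlines()


if __name__ == "__main__":
    for category, flows in audit(SAMPLE_LOG).items():
        print(f"{category}: {len(flows)}")
        for flow in flows:
            print("   ", flow.raw)
```

In practice the input would come from a packet capture taken on the device or on the Wi-Fi access point; the point of splitting "leak:connectivity-check" from "leak:other" is that the former is the behaviour Google calls working as intended, while anything in the latter bucket means the lockdown is not doing what you assumed and deserves investigation.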

Mullvad did what every responsible developer should do and notified Google about this, suggesting they should either change the description of this feature or fix the flaw within Android.

Google, however, downplayed the issue. “We have looked into the feature request you have reported and would like to inform you that this is working as intended,” a Google engineer said. “We do not think such an option would be understandable by most users, so we don’t think there is a strong case for offering this.”

It is important to add that any de-anonymization effort would require a really sophisticated actor, meaning this isn’t a major flaw. On the other hand, hackers are known to be very tech-savvy and some of them may be able to pull this off.

So even if you’re using the best VPN app out there, small bits of unencrypted data will leave your Android device(s) — potentially allowing hackers to get your real IP address and a few other details.

Chances are most users are safe, but we would still love to know that “Always-on VPN” stands for something. I’m not sure why Google doesn’t just release an update to fix this. They already know a ton about all of us, and I don’t think they need another controversy on their belt. Or am I missing something? What do you think?