Android forces certain connections to Google servers outside the VPN tunnel, potentially identifying users.
Mullvad VPN, the Swedish VPN service that powers Mozilla VPN, is currently in the midst of a security audit of its Android app. While conducting this audit, the company discovered that Android’s VPN settings don’t block the operating system from making certain connections to Google servers outside the VPN tunnel, contrary to what Google’s documentation states. Mullvad reported this network traffic leak on the Android issue tracker, but Google has marked the issue as intended behavior it won’t fix. Nonetheless, Mullvad is still pushing to change the language in Google’s documentation to make Android users and developers aware of this network connection behavior.
The issue raised by Mullvad centers around Android’s “Block connections without VPN” setting. This setting largely does what the name implies: it blocks network traffic from passing outside the configured VPN service. This feature is essential for users who want to force all network traffic through a VPN so that no network activity can be tied back to the users’ actual IP addresses, which could be used to identify the users.
