According to VPN service provider Mullvad VPN, Android phones transmit data that can identify users simply by entering the range of a WiFi network. The problem manifests itself even if users tick the “Block connections without VPN” or “Always-on VPN” setting.
Effectively nullifying the anonymity promised by VPN services, the Android platform also initiates connections, without the user's knowledge, that bypass the secure VPN connection, revealing details such as the IP address, DNS queries, HTTPS traffic, and perhaps NTP.
The vulnerability, which appears to be less a bug than behavior Google engineers intended from the design stage of the Android platform, may be especially problematic for users who rely on VPN protection in potentially insecure locations, such as hotels in countries with less-than-pristine reputations for free speech.
The problem is that Google has in no way documented this “peculiarity” of the “VPN Lockdown” features, leaving room for it to be exploited covertly.
VPNs (virtual private networks) are protected network connections that encrypt internet traffic over public networks. When you are connected to a VPN, all your internet connections use the IP address of the VPN service rather than your own public IP address. This allows users to bypass censorship and the blocking of certain online services, surfing the internet in complete privacy and anonymity. Theoretically. Practically speaking, your anonymity can be compromised as soon as your phone comes within the WiFi coverage of the hotel you’re staying in. The protection the VPN connection gives to the rest of your traffic offers little consolation if the authorities come knocking on your door in the middle of the night to ask for your mobile phone.
Android provides a setting under “Network & Internet” that allows you to block network connections unless you’re using a VPN. This feature is designed to prevent data leakage if the VPN connection is accidentally interrupted. Unfortunately, the feature is undermined by “special cases” built in by Google, such as detecting WiFi networks within range.
Mullvad has reported the issue to Google, requesting the addition of an option to disable checks for WiFi connectivity. In response, a Google engineer stated that this is a core functionality of the Android platform that cannot be changed without compromising basic internet access.
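A defender can check for the leak described above by recording flows at the WiFi router and flagging anything the phone sends that is not addressed to the VPN endpoint. The following Python is an added example, not code from Mullvad or Google; the addresses, the tunnel port and the log format are assumptions, and the log lines are constructed.

```python
"""Flag traffic from a phone that left outside the VPN tunnel.
Added example: log format, addresses and tunnel port are assumptions."""
import csv
import io
from collections import Counter

# Assumed tunnel endpoint: (server IP, protocol, port). Hypothetical values.
VPN_ENDPOINT = ("203.0.113.10", "udp", 51820)

# Traffic classes the article names as leaking: DNS, HTTPS, perhaps NTP.
LEAK_CLASSES = {("udp", 53): "DNS", ("tcp", 53): "DNS",
                ("tcp", 443): "HTTPS", ("udp", 123): "NTP"}

# Constructed flow log as seen at the router (not real capture data).
SAMPLE_LOG = """\
time,src,dst,proto,dport
12:00:01,192.168.1.50,192.168.1.1,udp,53
12:00:01,192.168.1.50,198.51.100.7,tcp,443
12:00:02,192.168.1.50,198.51.100.9,udp,123
12:00:03,192.168.1.50,203.0.113.10,udp,51820
12:00:04,192.168.1.50,203.0.113.10,udp,51820
12:00:05,192.168.1.77,198.51.100.7,tcp,443
12:00:06,192.168.1.50,198.51.100.20,tcp,5228
"""


def find_leaks(log_text, phone_ip, vpn_endpoint=VPN_ENDPOINT):
    """Return flows from phone_ip that are not addressed to the tunnel."""
    leaks = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["src"] != phone_ip:
            continue  # another device on the same network
        proto, dport = row["proto"], int(row["dport"])
        if (row["dst"], proto, dport) == vpn_endpoint:
            continue  # encapsulated tunnel traffic, expected
        kind = LEAK_CLASSES.get((proto, dport), "other")
        leaks.append({**row, "kind": kind})
    return leaks


def summarize(leaks):
    """Count leaked flows per traffic class."""
    return Counter(leak["kind"] for leak in leaks)


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG, "192.168.1.50"):
        print(leak["time"], leak["dst"], leak["proto"], leak["dport"], leak["kind"])
```

With lockdown enabled, every flow from the phone should match the tunnel endpoint; any row this returns was sent in the clear on the local network.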