“The connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic.” These aren’t directly linked to an identity but can be used to derive it and de-anonymize Mullvad users, or other VPN users, since this is a common issue for all Android VPN clients. The data that is exposed to potential snoopers includes the location of the WiFi points, the source IP address, DNS lookups, HTTPS, and NTP traffic, along with various metadata.
The data privacy problem discovered by Mullvad’s auditors is that no matter what VPN settings are used in Android, the mobile OS still leaks some connection data when establishing a connection with a WiFi access point. Hence, Mullvad has submitted a feature request to Google, asking the mobile OS maker to consider adding a feature that passes all requests through the VPN connection with no exceptions. This basically opposes the VPN lockdown system as Google has documented it, which should route all network traffic, including connectivity checks, through VPN tunnels when the “Block connections without VPN” is active in the settings.Īdditionally, these checks risk user identity unmasking under certain conditions while the user falsely assumes that they are using a secured, encrypted connection with no risky interruptions or leaks.Īs Mullvad explained in its blog post, the issue was discovered during a security audit on its app, but there’s nothing that the VPN vendor can do to remediate the situation or mitigate the problem. Mullvad VPN has posted a warning on its blog to inform its community, and more specifically those using the Android client, that some connection data is being leaked during the establishment of links with WiFi access points.
0 kommentar(er)
