
‘Won’t Fix’—All VPN Apps Affected As Google Android 16 Leaks Info

A security researcher has published a technical paper detailing how Android 16 has introduced a bug that essentially bypasses VPN protections, affecting all VPN apps. Whether you have enabled the “Always-On VPN” or “Block connections without VPN” settings is immaterial; Android 16 can still leak traffic outside of the VPN-protected tunnel. This means that your real IP address is visible on the internet, with all the potential for tracking and surveillance issues that come with it. But here’s the kicker: the researcher reported the bug through the Android Vulnerability Reward Program only for Google to close the issue and mark it as “Won’t Fix” for falling outside of the threat model. I approached Google for a statement on Wednesday, May 13, but at the time of publication, none was forthcoming.


The Android 16 VPN Vulnerability Explained

My attention was drawn to the issue when Yusef, a security researcher based in Zurich who goes by the X handle of @cybaqkebm, posted a simple statement: “Turns out ‘Always-On VPN’ and ‘Block connections without VPN’ features on Android aren’t that reliable.” The link in the tweet led me to a highly technical report detailing an Android 16 VPN bypass. The gist of it is that the two settings mentioned, meant to be a hard guarantee that no information will leave your device outside of the established VPN tunnel, are nothing of the sort.

Given that Google has previously warned about the dangers of malicious VPNs and advised users to “only download VPN apps from official sources, and check for apps with the VPN badge in Google Play,” you might think that this would be something that it would take very seriously indeed. Yet, Yusef has confirmed, after reporting the vulnerability through the Android VRP, “apparently, it is not in their threat model.” Indeed, the issue was closed as Won’t Fix (infeasible) and, according to a Mullvad VPN alert, the app vendor has also now reported the issue on the Android issue tracker. This is an important point, as Mullvad noted the vulnerability “affects all VPN apps” on the Android 16 platform.

The TL;DR technical overview, Yusef said, is:

A Binder method on ConnectivityManager, registerQuicConnectionClosePayload, accepts an arbitrary byte buffer and a UDP socket from any caller with INTERNET and ACCESS_NETWORK_STATE (both auto-granted). When the registered socket dies, system_server sends the buffer on the socket’s original network. No permission check, no payload validation, no awareness of the VPN-lockdown state of the calling UID. With one slightly cute trick to slip past the fwmark server, an attacker app can use that primitive to leak the user’s real IP past an active VPN.
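
As an added example (not from the researcher's paper or from Google), this Python script shows one way a defender could triage an APK for references to the registerQuicConnectionClosePayload method named above. It assumes the name appears as a plain string in the app's DEX files; the helper names and the sample archive builder are constructed for illustration.

```python
import io
import zipfile

# Method name quoted in the researcher's summary above.
METHOD = b"registerQuicConnectionClosePayload"


def dex_hits(apk_bytes, needle=METHOD):
    """Return the names of DEX files inside an APK that contain `needle`.

    DEX string tables store identifiers as MUTF-8, which is plain ASCII for
    this name, so a byte search finds direct calls and plain-string
    reflection. A name that is encrypted or built at runtime is not found,
    so an empty result is not proof that the app never calls the method.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            # Primary and multidex files: classes.dex, classes2.dex, ...
            if name.startswith("classes") and name.endswith(".dex"):
                if needle in apk.read(info):
                    hits.append(name)
    return sorted(hits)


def build_sample_apk(dex_payloads):
    """Constructed test input: a zip with fake DEX members (not real DEX)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        for name, data in dex_payloads.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python scan_apk.py app1.apk app2.apk ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            found = dex_hits(fh.read())
        verdict = "references " + METHOD.decode() if found else "no reference found"
        print(path, verdict, found)
```

A hit only marks an app for closer review; it does not by itself show that the app leaks traffic.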

While I wait for Google to respond to my request for a statement and advice for Android 16 VPN app users, the only current mitigation would appear to involve manually amending a DeviceConfig setting. Something, dear reader, that I would not recommend most users attempt. As Yusef warned, “Use it only if you understand the implications and on your own risk.” Actually, there is another mitigation: switch to GrapheneOS, as it has already resolved the issue. Again, not something most users will want to do. So, in the meantime, it’s over to Google to see whether the “won’t fix” Android vulnerability response will be amended. If not, it won’t be the first Google security gaffe, but let’s hope that media and app vendor pressure can come to bear in this case.
