Mullvad: Android Leaks Traffic When Using a VPN Unless Users Run GrapheneOS
Android leaks certain traffic which VPN services cannot prevent.
An ongoing security audit of our app identified that Android leaks certain traffic, which VPN services cannot prevent. The audit report will go public soon. This post aims to dive into the finding, called MUL22-03.
We researched the reported leak, and concluded that Android sends connectivity checks outside the VPN tunnel. It does this every time the device connects to a WiFi network, even when the Block connections without VPN setting is enabled.
The privacy and security focused Android based distribution GrapheneOS provides users with the option to disable connectivity checks. If that option is enabled, the above leaks could not be observed by us.