Potential Vulnerability in Android 16 Raises Privacy Concerns
This week, reports emerged that Android 16 may contain a vulnerability that lets applications bypass VPN protections, potentially exposing users’ IP addresses regardless of their privacy settings. A Zurich-based security engineer brought the issue to light on the platform lowlevel.fun, detailing the steps taken to report the bug through Google’s Vulnerability Reward Program, which rewards researchers for identifying security flaws in Android applications. The findings were subsequently shared by VPN provider Mullvad on its blog.
According to the engineer, who provided logs of the exchange, Android’s security team ultimately closed the report, deeming it “infeasible” to address and not a high priority. A request for further comment from the engineer went unanswered.
A representative from Google addressed the situation in an email to CNET, stating, “This issue only affects devices that have downloaded a malicious app.” They emphasized that Google Play Protect is designed to shield users from known threats, although it may not yet recognize newly emerging vulnerabilities.
The crux of the issue lies in the ConnectivityManager system service in Android 16, which lets applications notify web servers when an online connection has ended. That notification traffic currently bypasses the VPN tunnel, so it is sent unencrypted and can expose sensitive information, including the device’s real IP address, irrespective of the chosen VPN server location. The type of VPN in use, and its permissions or encryption settings, make no difference in this scenario.
Alarmingly, the vulnerability persists even when users have enabled “Always-on VPN” or “Block connections without VPN,” features intended to ensure that no online activity occurs without a VPN connection. This flaw could lead to a false sense of security, particularly concerning for individuals with critical privacy needs.
While there is no confirmed evidence that this vulnerability has been exploited to harvest device data, the unresolved status of the bug poses ongoing risks for Android 16 users. In contrast, GrapheneOS, an Android-based operating system, has successfully patched the issue, suggesting that a fix is indeed possible. For those concerned about the implications of this vulnerability, Mullvad recommends considering a switch to GrapheneOS.
For Android users seeking an immediate workaround, the security engineer who uncovered the issue has identified a debug command that can be run on devices with USB debugging enabled; users can download the Android Debug Bridge if necessary. However, the blog post cautions that this workaround should only be attempted by those who fully understand the ramifications of disabling features through USB debugging. Further guidance on applying the command is available, but future Android updates may reverse the change, making it a temporary solution at best.