Android 16 bug allows apps to ignore VPNs and leak IP addresses

At a glance:

  • Android 16 has a critical vulnerability that permits apps to bypass VPN tunnels and expose real IP addresses.
  • Google's security team dismissed the issue as "infeasible" to fix and low priority, despite potential privacy risks.
  • GrapheneOS, an Android variant, has already patched the flaw, and a USB debugging workaround exists.

Discovery of the Android 16 VPN Bypass Flaw

A security engineer based in Zurich has uncovered a significant vulnerability in Android 16 that allows malicious applications to ignore VPN settings and transmit users' IP address information unencrypted. The engineer documented the finding on the blog lowlevel.fun and reported it through Google's Vulnerability Reward Program, which incentivizes security researchers to identify bugs in Android. Mullvad, a prominent VPN provider, subsequently reposted the findings on its official blog, amplifying awareness of the issue. This early reporting highlights a growing concern within the privacy community about the robustness of Android's security measures.

Google's Response and Security Team Decision

Upon receiving the report, Android's security team evaluated the vulnerability and ultimately closed it, informing the engineer that the fix was deemed "infeasible" and that the issue did not meet the threshold for high-priority action. This decision has sparked criticism from privacy advocates, as it suggests a reluctance to address a flaw that could undermine user trust in VPN protections. A Google representative clarified to CNET that the vulnerability "only affects devices that have downloaded a malicious app," emphasizing that Google Play Protect offers automatic defense against known malicious software. However, the representative acknowledged that emerging threats might evade automated detection, leaving a window of exposure for users.

Technical Mechanism of the ConnectivityManager Flaw

The vulnerability resides in the ConnectivityManager system service, a core component of Android 16 responsible for managing network connections. Specifically, this service can send a final message to web servers indicating that an online connection has ended, but that message currently bypasses the VPN tunnel entirely. As a result, traffic sent through this channel is unencrypted and directly exposes the device's real IP address, irrespective of the VPN server location selected by the user. Crucially, the type of VPN, whether it uses specific permissions or encryption settings, is irrelevant, because the message is sent by the system service rather than by the VPN app and so circumvents all such protections. Even with "Always-on VPN" or "Block connections without VPN" enabled, the settings designed to force all online activity through the VPN, the issue persists, potentially giving users a false sense of security. This is particularly alarming for individuals with high privacy requirements, such as journalists, activists, or those in repressive regimes.

Implications for User Privacy and Security

The unresolved nature of this bug means that Android 16 users remain vulnerable to IP leaks if they install a malicious application exploiting this flaw. While there is no evidence yet of such exploitation occurring, Google's decision not to patch the vulnerability effectively leaves the door open for future attacks. The fact that GrapheneOS, an Android-based operating system focused on privacy, has already implemented a fix—as reported by Mullvad—demonstrates that a solution is technically feasible. Mullvad has gone so far as to recommend that concerned users switch to GrapheneOS to mitigate the risk. For the average Android user, however, this may not be a practical option due to device compatibility or usability concerns, underscoring the need for Google to address the issue directly.

Available Workarounds and Their Limitations

For users seeking immediate relief, the security engineer who discovered the flaw also identified a debug command that can be executed on Android devices when USB debugging is enabled. This requires the Android Debug Bridge (ADB) tool, which must be installed separately and used to apply the change manually. However, the blog post cautions that this workaround should only be attempted by those who understand the implications of modifying system settings via USB debugging, as improper use could lead to other issues. Moreover, subsequent Android updates may revert the change, making it an unreliable long-term solution. Users are advised to proceed with caution and stay informed about official updates from Google.

Broader Context and Future Outlook

This incident sheds light on the challenges of maintaining security in complex mobile operating systems and the potential gaps in vendor response mechanisms. As VPNs become increasingly vital for privacy and accessing geo-restricted content, vulnerabilities that bypass these tools are especially consequential. The security community will likely continue to pressure Google to reconsider its stance, particularly as alternative implementations like GrapheneOS prove that fixes are possible. Users should remain vigilant, keep their devices updated, and consider additional privacy measures until a permanent resolution is provided by the OS developer.

FAQ

What is the Android 16 VPN bug?
The Android 16 VPN bug is a vulnerability that allows malicious apps to bypass VPN encryption tunnels and leak users' real IP addresses. It involves the ConnectivityManager system service, which can send unencrypted traffic directly to web servers, exposing sensitive information regardless of VPN settings or server locations. This flaw persists even when "Always-on VPN" or "Block connections without VPN" features are enabled, potentially giving users a false sense of security.
Has Google fixed the vulnerability?
No, Google has not fixed the vulnerability. The company's security team closed the report, stating that the fix was "infeasible" and that the issue was not a high enough priority. Despite the privacy risks, Google maintains that the bug only affects devices with malicious apps installed and relies on Google Play Protect to mitigate threats, though emerging malware may not be immediately detected.
What can users do to protect themselves?
Users concerned about the privacy implications can consider switching to GrapheneOS, an Android-based OS that has already patched the flaw, as recommended by Mullvad. Alternatively, a temporary workaround involves using a debug command via USB debugging with the Android Debug Bridge, but this should only be attempted by knowledgeable users and may be undone by future updates. Until Google provides an official patch, maintaining general device security and caution with app installations is advised.
