Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
Android VPN IP Leak Even If Always-On VPN Enabled(lowlevel.fun)
22 points by birdculture 19 hours ago | 10 comments
ptrl600 14 hours ago | parent | next [-]

"PERMISSION_SYSTEM" meaning you can bypass the VPN, with no option to override from the user, looks broken by design to me.

18 hours ago | parent | prev | next [-]
[deleted]
MrFinch 15 hours ago | parent | prev | next [-]

Honestly not sure if Proton or anyone else can fix this client-side on Android. Stuff like this is why people end up moving the VPN to the router.

1vuio0pswjnm7 18 hours ago | parent | prev | next [-]

"I reported this through the Android VRP. Apparently, it is not in their threat model."

According to Netguard logs UID 1000 "Dynamic System" appears to try to use the tunnel in an earlier Android version

Blocking UID 1000 connections, and blocking QUIC, has not caused any problems for me

Yet another example of the relative lack of user control, privacy, etc. in corporate mobile OS

Not to mention undesired "side effects" of default use of QUIC

1vuio0pswjnm7 16 hours ago | parent | next [-]

Neither Netguard nor PCAPDroid requires a "rooted device"

Personally I do not rely solely on apps to block connections/protocols. While they may work to some extent for such purposes, they can also be useful for port forwarding, logging and packet captures with trailers/extensions

To block connections and protocols I set the device gateway to a computer running a non-corporate OS compiled by the user where the user can operate firewalls, DNS, etc. No "rooted device" needed

However... If VPN settings in corporate mobile OS such as Android can be undermined via Android "updates", as shown by this example, then it stands to reason that Network settings for a network interface such as gateway, DNS, etc. could also be undermined by "updates"

With respect to user control, privacy, etc., corporate mobile OS all suck. IMHO they will continue to suck even more as the years go by, as history has shown so far. The vendors' and users' interests on these issues are not aligned, they are in conflict with each other

1vuio0pswjnm7 14 hours ago | parent | prev | next [-]

re: "mitigation"

"device_config values persist across reboots, but a Factory Reset clears them, and a future Mainline update from Google could remove the chicken-out flag entirely. Treat this as a current-release mitigation, not a permanent one."

Life has three certainties: death, taxes and "updates" from so-called "tech" companies

pogue 17 hours ago | parent | prev [-]

Do you need a rooted device to block those connections/protocols?

n0thing3 15 hours ago | parent [-]

Nope, mitigation below just requires adb connection

pogue 14 hours ago | parent [-]

Would that be an appropriate mitigation for this issue though, preventing IP leaks?

I use Windscribe vpn and it has an option for a split tunneling of apps, so I have a bunch of apps I just let through. But, when I use the 'block connections without VPN' in always on VPN, it blocks those tunneled apps.

17 hours ago | parent | prev [-]
[deleted]