VPN service provider Mullvad reported a vulnerability in smartphones connected to VPN services. The leak occurs even when the device's security function for blocking connections outside the VPN is turned on. The company claims that the vulnerability is unavoidable, because the connectivity checks are initiated outside the VPN tunnel.
According to the VPN service provider, the data connection outside the VPN tunnel is made on purpose, even if users think their internet connection is secure against leaks. Before leaving the typical VPN network, the connection period causes the vulnerability to trigger.
VPNs may not be safe
The disclosure raises privacy concerns for netizens, as 71.62% of world citizens use Android devices, while the remaining 27.73% use iOS-based devices, as per the Mobile Operating System Market Share Worldwide report by StatCounter.
VPN users might think that their connection is secure and that no data is being leaked outside the VPN tunnel. However, the vulnerability allows the data to be accessed by the entity in charge of the connectivity services, as well as by any other entity watching for information that could be harvested. The originating IP address is included and visible in the metadata while using the VPN network, which Mullvad claims can be used to “derive further information.”
Moreover, due to the vulnerability, the user cannot block the traffic outside the VPN tunnel, which gives malicious actors an opportunity to spoof the information accessed by the user. Mullvad, the open-source commercial VPN service provider, has published a guide on its website for disabling the connectivity tests on Android. The guide calls for technical knowledge, and in particular the use of development tools, to mitigate the VPN issue on smartphones.
Google responds to the claims, saying “won’t fix”
Google was immediately notified about the vulnerability by the VPN company, and in response, the global conglomerate replied with a “won’t fix” status, claiming that it was planned behavior. To further break down their “Won’t Fix” reply, Google stated that it looked into the smartphone VPN issue submitted by Mullvad and claimed that it is functioning as intended.
Google further explained its position on the alleged vulnerability, stating that most users wouldn’t be able to make such choices when it comes to VPNs, and that the feature is too complicated for users to decide on by themselves.
The company concluded by stating that it does not believe there is a justification for providing the feature and changing the behavior at Mullvad VPN's request.
However, Mullvad retorted that some users do care when their data is leaked and should have the option to stop any leaky connections if they so wish. As a last resort, Android device owners can modify their devices following Mullvad’s guidelines to prevent these connections from happening.