Android 16 VPN Flaw Exposes User IP
16 May
Summary
- Android 16 bug bypasses VPNs, exposing user IP addresses.
- Google closed the bug report, deeming it not a high priority.
- A workaround exists but requires USB debugging and may be temporary.

A significant security vulnerability has been identified in Android 16, potentially compromising user privacy by allowing certain apps to bypass VPN protections. The bug, reported by a security engineer, enables malicious applications to disregard VPN settings and transmit IP information directly. This bypass affects the ConnectivityManager system service, leaving traffic unencrypted and exposing sensitive data, including the device's actual IP address.
Despite the severity, Google reportedly classified the vulnerability as low priority and infeasible to fix, closing the bug report. This decision is concerning as the flaw persists even with 'Always-on VPN' or 'Block connections without VPN' features enabled, potentially creating a false sense of security for users. However, the Android-based GrapheneOS has already implemented a patch, demonstrating that a fix is possible.
While Google Play Protect offers protection against known threats, newly emerging malicious apps may not be immediately detected. Users worried about this vulnerability can consider switching to GrapheneOS. Alternatively, a temporary workaround involving a debug command is available for Android devices with USB debugging enabled, though subsequent updates may negate this fix.