Proton VPN homepage

Android 16 can expose your IP address

Reading
3 mins
Category
Apps

A critical vulnerability has been identified(new window) on Android 16 that allows any installed app to bypass the device’s VPN tunnel, including those configured with Android’s built-in kill switch settings. This means apps may leak your real IP address to their developers.

This is not a Proton VPN issue. It affects all VPN apps.

Because the bug is in the base Android operating system, only Google can fix it. Google is aware of the issue, but they unfortunately don’t see it as critical enough for an Android Security Bulletin(new window) (fix). As of now, they have closed the issue (Won’t fix/Infeasible status), but we hope their position on this will change.

Interestingly, GrapheneOS(new window), the hardened and de-Googled version of Android that can be installed on Pixel and future Motorola devices, has already fixed the QUIC issue(new window). This shows that the issue can in fact be resolved, and that Google’s response is truly inadequate.

What’s the issue?

When you use a VPN, all your internet traffic should go through an encrypted tunnel. Android even has a built-in “kill switch” setting that’s supposed to ensure nothing can bypass this tunnel.

The bug is a result of the way Android handles a specific type of internet connection called QUIC(new window), which is used by a growing number of apps and websites. When an app closes a QUIC connection, it’s supposed to send a sign-off message to the server.

But instead of sending this message through the VPN tunnel, Android sends it directly over your regular internet connection (i.e., outside the VPN tunnel), exposing your real IP address to whoever is on the receiving end. Any app that uses QUIC connections can trigger this, including well-known and entirely legitimate apps.

The practical risk to your privacy is that app developers can see your real IP address instead of the VPN server’s IP address.

What can you do about it?

Google’s decision to not fix this problem has drawn widespread criticism(new window). For now, the issue can be mitigated in the following ways:

1. Use ADB

You can fix the problem using the Android Debug Bridge(new window) (ADB) utility. This fix will persist across reboots, but it may be undone by system updates. If this happens you’ll need to repeat the steps.

A bigger issue for most, however, is that it’s a non-trivial task suited only to those with a strong technical background.

Once ADB is set up and configured, run:

adb shell device_config put tethering close_quic_connection -1
adb reboot

2. Be selective about your installed apps

Thanks to this critical vulnerability, any app can leak your real IP address to its developers. You should therefore try to limit the apps installed on your device to ones where you trust developers not to abuse this information.

We’re monitoring the situation

Google is aware of the problem and will hopefully respond to pressure to fix it. We’ll update this article when a solution is available.

Didn’t find what you were looking for?

Get help
General contactcontact@proton.me
Media contactmedia@proton.me
Legal contactlegal@proton.me
Partnerships contactpartners@proton.me