
DNS traffic can leak outside the VPN tunnel on Android

ignoramous
42 replies
4h11m

rethinkdns dev here

these issues should be addressed in the OS in order to protect all Android users regardless of which apps they use.

Android's paranoid networking has always had an exception for System and OEM apps (which include Google apps). Most such bugs fixes are unlikely to fix that core assumption. Some code refs: https://github.com/celzero/rethink-app/issues/224

The leak during tunnel reconnects is harder for us to mitigate in our app. We are still looking for solutions.

Android supports seamless handover between two TUN devices (on reconfiguration). It is tricky to get it right, but implementable.

cma
41 replies
3h42m

They don't even allow disabling internet permissions on a flashlight app, the OS is run by an internet ad company so it makes sense.

fifteen1506
15 replies
3h25m

GrapheneOS does if you're willing to take the plunge.

metadat
14 replies
3h10m

Take the plunge to not do any banking on your phone.

It's an unfortunate limitation for a device I own to be handicapped this way.

segasaturn
5 replies
2h29m

Your bank doesn't have a mobile website?

djbusby
4 replies
2h23m

It does but have to use the app to deposit checks.

neilv
1 replies
1h43m

Go for a walk every day, and occasionally make your walk to an ATM?

You can also contact your bank and tell them that you want to be able to deposit checks via the Web site.

If enough people do this, and don't use the overly-proprietary app, the bank might listen.

lambdaxyzw
0 replies
38m

Go for a walk every day, and occasionally make your walk to an ATM?

There are workarounds, but it sounds annoying and a burden. What if the closest bank branch is an hour on foot away? Or the OP lives in a rural place and it's half an hour drive? I don't have this problem since my bank works with graphene, but I would reconsider using it if most applications I use refused to load.

NotPractical
1 replies
54m

Minor conveniences like this are not worth the complete erosion of privacy, in my opinion. Just go to the nearest ATM to deposit checks (who uses checks anymore, btw?) and use the site for everything else. Not everyone even has a smartphone, and out of those that do, many prefer banking on their laptop over their phone anyway, which incentivizes banks to create feature-rich websites. If the mobile site isn't any good, usually the "desktop site" isn't too difficult to navigate on mobile, if you need to.

nickburns
0 replies
38m

  who uses checks anymore, btw?

business organizations. the rest of your points are well said.

nickburns
2 replies
2h51m

there is (or at least can be) some risk tolerance within any so-called 'threat model.' but i absolutely take your point and agree with you.

nary the case but i suppose if i absolutely needed to access any finances from my mobile device, it certainly wouldn't be from one of said institution's own mobile apps, but via web browser.

GTP
1 replies
1h54m

i suppose if i absolutely needed to access any finances from my mobile device, it certainly wouldn't be from one of said institution's own mobile apps, but via web browser.

I used to do home banking from my bank's website. Recently, they created a digital-only branch for customers who mostly do home banking and only rarely need to go in person to the bank. They asked their customers if they wanted to switch and offered services at the same or lower cost than before. I made the switch, but found out that unfortunately the new website lacks some functionalities that are only available from the mobile app. I guess they are assuming that most people would just use their phone anyway and didn't bother to reach feature parity between the website and the app, preferring the app.

nickburns
0 replies
1h13m

crazy. it's remarkable to me that lawyers actually do explicitly, if not expressly, account for these kinds of technical decisions, ultimately made in surreptitious fashion by the business, when drafting usage terms. i.e., you would've (or, a lawyer determined, should've) been able to find notice of this change somewhere buried in the new service terms. i at least have faith in that much.

i hope you switched back, lol.

madmads
1 replies
2h59m

Not universally true, I use banking apps on my Pixel running the latest GrapheneOS. There is literally nothing I cannot do on my phone. I think it's possible that no US banks have apps that can be used as it seems a universal experience among Americans.

mkopec
0 replies
1h26m

Do Android Auto and VoLTE / VoWiFi work on Graphene these days? I also remember Google Maps and Uber being extremely problematic.

codedokode
1 replies
1h2m

Using banking apps on a phone is dangerous because if your phone gets hacked (and Linux kernel has extremely large attack surface), the attacker gets access to both the app's session and SMS codes that are used to confirm operations. People who use banking apps must be crazy or don't care about their money.

aborsy
0 replies
50m

Excluding phones, Linux desktop, and Windows which doesn’t have a better record in vulnerabilities, leaves out essentially MacOS!

MrDrMcCoy
0 replies
2h7m

My banking apps worked for me on GrapheneOS once I installed Google Play services.

lambdaxyzw
8 replies
3h34m

Which flashlight app? As far as I know there is no official flashlight app (though recently there is a built in flashlight feature). How is Google responsible for a third party app that refuses to work without an internet access?

chimeracoder
4 replies
3h30m

Which flashlight app? As far as I know there is no official flashlight app (though recently there is a built in flashlight feature). How is Google responsible for a third party app that refuses to work without an internet access?

GP is saying that the Android permissions model requires giving Internet access to any app you install from the Play Store; there isn't a way for an app to request "zero permissions" (or rather, there is, but basic Internet access is a permission granted to all apps, even when zero additional entitlements are requested).

That said, this isn't unique to Android. At least as of a few years ago, iOS did more or less the same thing. (You can disable an app's access to the local network, but that's not the same thing as denying (or requiring an app to request) basic network connectivity).

toast0
1 replies
2h59m

Google doesn't let you deny permissions for most of them.

As I understand it, apps that use the internet still need an entitlement, it's just that the Google Play store no longer shows that one in the list.

chimeracoder
0 replies
2h56m

As I understand it, apps that use the internet still need an entitlement, it's just that the Google Play store no longer shows that one in the list.

That's what it is, I think. The Play Store doesn't show it in the list of permissions anymore.

nickburns
1 replies
3h21m

still the same. Alphabet nor Apple have any real incentive to change this (commercial incentivization to maintain it notwithstanding).

beeboobaa3
0 replies
3h7m

That's exactly the point that is being made, yes.

beeboobaa3
1 replies
3h7m

The hypothetical flashlight app that was used as an example to demonstrate the problem of not being able to take away the permission to access the internet from an app.

lambdaxyzw
0 replies
1h28m

Thank you, I missed the point of GP clearly. I use GrapheneOS and forgot you can't deny network access to an application in a "regular" Android.

cma
0 replies
1h33m

It's just an example of an app that doesn't need internet access, yes flashlight is so useful it is built in to basically all phones now.

Larrikin
5 replies
3h36m

Can you link to the documentation explaining how developers disable Internet permissions on iOS.

paulddraper
2 replies
2h43m

Or any other operating system...

adamomada
0 replies
54m

Third party app firewalls exist for at least macOS and Linux distros. It’s likely built in to the system as well, but you’d have to wrangle the command to do it in the terminal.

Too
0 replies
11m

Depending on how blurry you draw the line of OS:

docker run --network none

loa_in_
0 replies
3h32m

Unfortunately a race to the bottom is a bad thing, not an excuse

chefandy
0 replies
2h17m

My network security requirements have nothing to do with iOS. Can't we just collectively drop OS tribalism?

lxgr
2 replies
2h25m

Is android.permission.INTERNET not a thing anymore? Unlike iOS, Android at least used to have this one.

I sometimes wish I could just configure that per-app as a user. Frustratingly, on iOS it's possible only for mobile data, but not for Wi-Fi – why!?

jimbobthrowawy
0 replies
55m

IIRC, there's separate permissions for web access and unrestricted internet access. The former is only apparent if you look for it on install, and isn't something you can disable on most ROMs.

adamomada
0 replies
57m

A possible answer is it’s not really a privacy setting but instead to save you from carrier data charges.

I agree that there should be an app firewall to the point I’m running an older phone w the checkm8 jailbreak to have a firewall.

switch007
1 replies
3h38m

FWIW GrapheneOS does (it asks you before installing any app)

codedokode
0 replies
1h9m

As I understand, it installs a pseudo-VPN and passes traffic through it. I remember using a similar app (NoRoot Firewall), and it worked poorly and couldn't block everything I wanted.

carstenhag
0 replies
26m

This is about the continuous background location permission. In the past years they have cracked down on this, yes. But nothing forbids you from requesting the foreground approximate or fine location permissions.

So yes, this hypothetical flashlight app can request the permission. The user has to allow it in some way - approx or precise, one-time or always. But also nowadays the users sees when & what app is requesting these kind of permissions. It's a moot point.

(For background location there's an extensive form in the play store, you even have to send videos in many cases - for foreground, there's nothing)

talldayo
0 replies
3h27m

Netguard is an open-source program that helps fix this: https://netguard.me/

infthi
0 replies
12m

This depends on the firmware used. I am writing this comment from a OnePlus device which allows blocking internet access on a per-app basis - on a stock firmware.

codedokode
0 replies
1h11m

That's what you get when you trust your device to commercial companies.

nazgulsenpai
32 replies
4h25m

I don't use Mullvad, but I respect the shit out of them. This is a good, information dense explanation of the problem, their short term workaround and potential workarounds for others, as well as what will need to be fixed in Android. Good stuff.

pqdbr
29 replies
3h56m

Blog posts like this (instead of endless YouTube sponsorships like their competitors do) are what made me choose them as my VPN service.

bloopernova
19 replies
3h51m

I use and recommend Mullvad.

However I'm worried that their goodwill and values will become more valuable to some private equity corp that buys them to asset strip and squeeze their customers.

selectodude
8 replies
2h51m

There are billboards for Mullvad all over Chicago which kind of weirds me out.

neuronexmachina
1 replies
52m

Oh wow, I wish more companies had pages like that summarizing what sort of marketing/advertising they do/don't use.

ziddoap
0 replies
47m

I’m fanboying at this point, but I honestly believe Mullvad should be the poster child for a lot of things other companies should be doing. Transparency, accountability, data minimization, thorough documentation, publicly available audits, etc.

kfreds
2 replies
1h6m

I'm sorry you feel that way, but I can relate. I initially had mixed feelings about it as well.

On the other hand the campaign we did in Stockholm last year worked out quite well. It managed to affect both domestic and EU legislative discussions at the time. Or at least our campaign contributed to moving the discussion in the right direction.

How much is that worth? I'm not sure, but the reason we started Mullvad in the first place was to conduct political action through entrepreneurship, specifically regarding mass surveillance and censorship.

If nothing else it seems to amuse a lot of people, including me and my colleagues. When I first heard of the idea of plastering privacy propaganda all over some major U.S. cities my initial reaction was more or less "lol, we can just do that?". As it turns out we can. :)

nickburns
0 replies
29m

thank you for offering up in this forum at least your own personal contributions to your organization's position on its advertising campaigns. not sure if any official statements on the matter have been made elsewhere, but you've assuaged at least my own slight concern about it with this one. truly. (and by 'truly' i mean i've been meaning to stuff some cash in an envelope addressed to you guys!)

transparency is absolutely a corporate virtue.

j0e1
0 replies
23m

Thank you for sharing that! I am definitely part of the HN group think that tends to be irked by mass marketing- mainly because of baggage from the past of false advertising. However, I do agree that getting the non-IT geek's attention is what would actually move the needle for political action. I was amused (mostly surprised) to see a billboard while driving down the 110 in LA. More importantly, it led to a cool discussion with my non-tech wife who now appreciates your guys' brand more. :)

starttoaster
1 replies
47m

What is it about a company spreading awareness about their product that weirds you out in particular, I'm curious? Billboard advertisements are an awareness type of advertisement. I'd be much more concerned to learn about paid endorsements, which they document on their website that they specifically do not do. Endorsements are a much more sensitive form of advertising, where once money trades hands for an endorsement, it stops being a useful third party assessment and starts being an advertisement disguised as a third party assessment. Awareness advertisements just make good business sense, so I'm genuinely curious why those would shy anybody away.

epcoa
0 replies
35m

I saw them on the side of a CTA bus for the first time the other day. I don’t think it is bad at all, but the initial reaction for me, as an American used to typical bus advertising, was exactly as if seeing an ad for 4chan there. It just isn’t the expected modality for the product.

(Seeing the reply down thread from a Mullvad rep, this is not unexpected)

Groxx
5 replies
3h44m

Not everyone telegraphs if they're in it for the money.

In some lines of business, like (purely hypothetically) security, it might actually be a bad thing for your business if you do.

I also use mullvad because I don't really think this is the case, but bad actors are generally hard to conclusively identify by design. And VPNs are pretty far out in the "just trust me bro" realm of handing over all your browsing habits with no ability to check their real behavior.

yencabulator
1 replies
54m

Mullvad is trying pretty darn hard to be as far from "just trust me bro" as is feasible. If you do take their word for how they run their systems (/are working toward), their servers are diskless (what logs?), will only run software signed by their infrastructure team, and will remotely attest that their software has not been tampered with.

This is so very, very, far away from the typical VPN company that any such comparison sounds ridiculous to me.

Just the pretense of doing all this work costs so much that a greedy biz bro simply wouldn't.

https://github.com/mullvad/system-transparency

https://www.system-transparency.org

https://news.ycombinator.com/item?id=29903695

kfreds
0 replies
38m

Thank you for noticing! System Transparency is taking way longer to figure out, design and build than I expected. On the other hand the project is quite ambitious, and our work on ST has sprouted two additional OSS projects:

- https://www.sigsum.org (a transparency log with witness cosigning)

- https://tillitis.se (an open-source hardware FPGA-based security key with measured boot)

reaperman
1 replies
3h35m

I think legally they would have to change their ownership directive document in Switzerland to allow the board of directors to allow the two founders to sell more than 50% of their shares. So you might get a heads up!

blowfish721
0 replies
3h27m

They aren't based in Switzerland but in Sweden.

kfreds
0 replies
43m

VPNs are pretty far out in the "just trust me bro" realm of handing over all your browsing habits with no ability to check their real behavior.

Yes. It is quite an interesting situation, really. It's also a fun challenge! To what extent can we prove that we are trustworthy, and using what tools? Do those tools exist or do we have to invent them?

radicality
2 replies
2h47m

I’ve been using and still using Mullvad but also getting worried. I live in nyc and in the last few months I’ve seen a _lot_ of ads from them. Huge billboards in high-traffic areas. Full-sized ads on a side of a bus. A whole subway car just with mullvad ads.

Some of the ads also felt deceptive making it seem like it will prevent all your online tracking, even though we know that’s not the case.

kfreds
0 replies
28m

Some of the ads also felt deceptive making it seem like it will prevent all your online tracking, even though we know that’s not the case.

I'm sorry to hear that. For what it's worth our marketing colleagues make a big effort to minimize the risk of such interpretations. Sometimes a really snappy string of words can be interpreted multiple ways. There's also only so many words we can put on an ad before it gets messy. We do try hard to make the nuances clear on our website, which ultimately is where any new users will have to go in order to buy the service.

2OEH8eoCRo0
5 replies
3h16m

I was an extremely happy user until they removed port-forwarding. That forced me to switch unfortunately :(

Gormo
2 replies
2h46m

How were you using port forwarding with an external VPN?

fullspectrumdev
0 replies
2h39m

A lot of VPNs allow you to forward a port from local to “listening” on one of their servers, to make it easier to use P2P filesharing and such.

Mullvad and a few others have had to disable this feature because it turns out it’s super useful for hosting malware C&C servers, phishing pages, etc

epcoa
0 replies
28m

It’s typically for BitTorrent.

nicce
1 replies
2h51m

What was the reasoning for removal?

ziddoap
0 replies
2h40m

Unsurprisingly, they wrote a blog post about it.

"Unfortunately port forwarding also allows avenues for abuse, which in some cases can result in a far worse experience for the majority of our users. Regrettably individuals have frequently used this feature to host undesirable content and malicious services from ports that are forwarded from our VPN servers. This has led to law enforcement contacting us, our IPs getting blacklisted, and hosting providers cancelling us."

"The result is that it affects the majority of our users negatively, because they cannot use our service without having services being blocked."

https://mullvad.net/en/blog/removing-the-support-for-forward...

uneekname
2 replies
2h5m

I was a bit surprised to walk onto a DC Metro car last weekend to find the walls plastered with ads for Mullvad. Just wanted to note that Mullvad is spending money on traditional advertising, as well as blog posts like this.

bragr
0 replies
37m

I was surprised this week to see a big yellow Mullvad ad on LA Metro bus. They must be on an advertising push.

rmdes
0 replies
1m

Simply the best VPN around, in terms of values, mindset, loyalty to their core beliefs and the relentless proof of sticking to their motto over the last decades.

dkga
0 replies
48m

Good points. By the way, how do they compare with the likes of ProtonVPN?

tiagod
12 replies
4h16m

I guess the safest setup is to have mobile data off on your phone and carry an OpenWRT hotspot to do the VPN bit upstream from the phone.

hackermatic
5 replies
2h10m

Edit: Other commenters report that Android will silently re-enable cell data under various conditions, so this isn't a surefire solution, either.

The Grugq created a tool for this a decade ago (sadly unmaintained): https://github.com/grugq/portal as part of a presentation about operational security for hackers. It's a great watch if you're interested in how various (in)famous hackers thought they were secure and got busted anyway. https://www.youtube.com/watch?v=9XaYdCdwiWU

mise_en_place
4 replies
2h0m

Other commenters report that Android will silently re-enable cell data under various conditions

This is terrifying.

autoexec
2 replies
55m

It's expected. The people who own the phones aren't in control of the OS and the wireless chipsets are closed/proprietary. Cellphones really shouldn't be trusted by anyone.

mise_en_place
1 replies
44m

Correct, the baseband usually has binary blobs. Although I am curious why Google/Apple decided not to make their own baseband, given their new silicon manufacturing expertise.

Too
0 replies
5m

Armchair speculation: Patents?

nickburns
0 replies
49m

i'm almost certain i've had it happen on iOS, too. only reason i can't definitively say—is because i can't rule myself out always having to manually toggle cell data on/off, both radio-level and per-app, when i'm coming/going from my own networks to my mobile VPN.

nickburns
4 replies
4h3m

it's true.

even bigger nightmare on iOS where 'always-on VPN' can only be configured on devices 'supervised' by an Apple-approved (documented application and telephone call with current employee required) organization's MDM solution—or you otherwise need a Mac to use the Apple Configurator app to even create a Configuration Profile containing the 'always-on VPN' key.

fullspectrumdev
3 replies
2h31m

Making a simple OSS tool to generate valid configuration profile files seems like a potentially useful way to spend a weekend sometime.

The format cannot be that complex, right?

yonatan8070
0 replies
50m

Until you get to the bit where I'm guessing you need Apple's private keys to sign it or whatever.

nickburns
0 replies
2h1m

lol, hit me up with your rate. my only term is that i get to be watching over your shoulder the whole time.

mise_en_place
0 replies
2h55m

Yeah it's the best solution if you use any public wifi or even mobile telephony. Somebody can just run their own base station and then your phone would connect to that. If it's not your network don't directly connect without a mobile router.

exabrial
11 replies
4h2m

Any system where you don't have root access is insecure by its very definition. Android and iOS are hilarious.

nickburns
2 replies
3h58m

a point as salient as it is germane. this is exactly why open-source software and hardware mobile device projects[0] will only continue to proliferate.

[0] https://en.wikipedia.org/wiki/PinePhone_Pro

autoexec
1 replies
1h3m

As much as I want to support those kinds of devices they're all insanely priced and have earned a reputation for failing at the most basic tasks. Maybe after it's been more than 3-5 years since the last forum post titled "can make/receive calls" I'll give pine phones another look.

nickburns
0 replies
46m

i agree the whole concept is not too far past proof at present.

chuckadams
2 replies
2h30m

Any system that has a concept of root access is insecure by definition. See, I can do silly categorical statements too.

nickburns
0 replies
44m

categorical ≠ silly

...unless you care to elaborate on why you disagree with this statement in substance and/or on point?

marcosdumay
0 replies
54m

Now you can try making true ones.

fifteen1506
1 replies
3h17m

Most are happy to outsource root to the OS manufacturer. And while I demand having root on Desktop, I don't see it happening on mobile for the majority.

autoexec
0 replies
1h0m

Most phone users are oblivious to what root even is and yet still hate it when changes are pushed to their devices without notice, with no ability to revert to how things were or prevent unwanted changes in the future. This isn't acceptance but rather learned helplessness.

switch007
0 replies
53m

The grapheneos devs are really, really against root. What are your thoughts on that?

ragnese
0 replies
2h11m

I remember being chastised in some Android subreddits years ago for going against the (probably astroturf) opinion that having root access was "insecure". Sigh...

autoexec
0 replies
1h5m

It'd be hilarious if phones hadn't largely replaced desktops/laptops for most people. I feel bad for all the kids who grew up/will grow up with nothing but a device primarily designed for media consumption and the collection of their private data for a computer.

moose44
4 replies
3h36m

Apologies if this is a dumb question—could a service like NextDNS help prevent this?

nickburns
3 replies
3h30m

nope. no DNS service, not even a self-hosted one, can mitigate what's happening here.

the matter at-hand considers Android (and iOS both) operating system- and kernel-level insecurities by-design. the operating system (together with all root-level or otherwise authorized system activity), under certain conditions—e.g. connectivity change, hard-coded system function, apps with permission to hardcode their own network functions, etc.—will refuse to use any NIC, whether physical or virtualized, except the one containing the cellular carrier's connection/routes. that traffic might then necessarily include DNS queries and any/all other private but now-leaked data.

raggi
1 replies
2h49m

NextDNS _does help_ though by way of being DoH, so while your packets might be traversing a less desirable path they’re not readable.

nickburns
0 replies
2h44m

fair point. but that assumes:

1.) the system strictly respects user-configured DNS; and

2.) that the leak of some private data is acceptable. leaked traffic is still leaked even if otherwise encapsulated by some other encryption mechanism outside of an otherwise properly-configured VPN tunnel.

#1 is of course a much larger risk assumption to swallow.

moose44
0 replies
3h16m

Interesting. Thank you for this.

bastard_op
4 replies
3h53m

This has been a long-standing issue with android, that no matter how much you want it to use internal dns servers only, it'll decide to flip to cell and use those as it needs/wants. I've observed adb debugs for times recently to see why/when wireless was disconnecting, and it comes down to liveliness checks that if it can't see or resolve something, it'll simply bring up and try the cell data to do so.

It's especially frustrating when using internal dns records that only live internal will randomly not work on a phone. I can see that the device is on wifi that is feeding internal dns servers with the records, but it's resolving externally still for some android reason. This happens on my SO's phone when using things all the time, but I really don't use my phone in the house except to read books and rarely notice.

No idea how apple is about this, but the fact they try to proxy everything you do via their "privacy" vpn by default including dns as DOH, I can't imagine it is any better trying to use what they'd see as a competing product, and we know how apple feels about those.

gruez
0 replies
1h55m

it'll decide to flip to cell and use those as it needs/wants

Are you sure you don't have wifi assist enabled? That's explicitly designed to switch to cellular when wifi signal is poor.

edward28
0 replies
3h50m

Have you tried disabling "mobile data always active" in developer options?

callalex
0 replies
1h4m

iOS absolutely does not use Private Relay (iCloud branded VPN) by default. Even when it is included in a subscription, you must explicitly opt in.

adamomada
0 replies
44m

Apple (or iOS) actually has a robust built-in way to filter and block traffic using configuration profiles. I’m uncertain if you can configure it per-app, but you can definitely whitelist/blacklist hostnames. For an example of this in action, check out this system-wide ad blocker https://myxxdev.github.io/depictions/MYbloXXforiOS/MYbloXXfo...

Asmod4n
3 replies
2h7m

The Problem with Android in regards to DNS: you just can't set your own IPv6 DNS Server on that platform, it gets changed anytime anything happens to your wifi. There is no app, even for rooted android, which can disable the operating system from changing it.

When you are stuck with a router that always hands out IPv6 addresses and doesn't let you turn that off you are just screwed.

I don't even know if you could install a firewall appliance behind that router and strip out the IPv6 DNS Servers it advertises.

jsheard
1 replies
1h11m

What if you use the system-level support for DNS-over-TLS instead of setting the DNS server IP addresses? That's a global setting so it should apply regardless of which network you're on, or what happens on it. If you care about DNS requests leaking you should be using DoT or DoH anyway.

nickburns
0 replies
42m

doesn't matter. plenty of elaboration elsewhere in the discussion.

stainablesteel
0 replies
1h56m

so that's what happens when the phone is the main interface

does this happen with wifi tethering too? if i have a vpn set up on a laptop that i connect through the phone's wifi will that leak in the same way?

rkagerer
2 replies
2h52m

We have reported the issues and suggested improvements to Google

Isn't Android open source? Can they not fix it for them and submit a PR?

nickburns
0 replies
2h40m

Mullvad's not really in the business of developing for Alphabet. but any of us could though, sure.

GrantMoyer
0 replies
29m

Android is open source, but the codebase is massive and unapproachable. I managed to make some tweaks to Android, and compiled my own custom version (for one, I removed the stupid blur from lock screen album art), but I'm fairly confident I wouldn't be able to even find all the relevant code for DNS and VPN interactions in any reasonable amount of time.

mise_en_place
2 replies
3h0m

Luckily WireGuard doesn't have this issue on desktop peers. Although I did run into DNS leaking due to my peer config having an exception for my local network address range. The way I resolved that is to set up dnsmasq on the server and set that as my primary DNS.

I will say that I wish there was a DisallowedIPs directive. It's fun having to subtract a /24 from 0.0.0.0/0, although there are calculators you can use.
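
The subtraction described in this comment, done programmatically: an added example (not from the thread, WireGuard or Mullvad) that carves one or more excluded subnets out of 0.0.0.0/0 into a minimal AllowedIPs list, and flags the exact DNS-leak case mentioned above, where the configured resolver sits inside the excluded range. The LAN prefix and resolver addresses are constructed sample values.

```python
"""Compute a WireGuard AllowedIPs list that tunnels everything except some
local subnets, i.e. the "DisallowedIPs" subtraction done by hand above.

Added example; not code from the thread, WireGuard or Mullvad. Subnets and
resolver addresses used below are constructed sample values."""
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def allowed_ips_excluding(excludes: Iterable[str], base: str = "0.0.0.0/0") -> List[Net]:
    """Return the minimal CIDR list equal to `base` minus every `excludes` entry.

    Each exclusion is carved out with IPv4Network.address_exclude(), which
    splits the enclosing prefix one bit at a time, so excluding a single /24
    from 0.0.0.0/0 yields 24 prefixes (one each of /1 .. /24). Results that
    become adjacent after several exclusions are merged by collapse_addresses().
    """
    remaining = [ipaddress.ip_network(base, strict=True)]
    for exc_str in excludes:
        exc = ipaddress.ip_network(exc_str, strict=True)
        carved = []
        for net in remaining:
            if exc.subnet_of(net):
                carved.extend(net.address_exclude(exc))  # punch the hole
            elif net.subnet_of(exc):
                continue  # this piece is swallowed whole by the exclusion
            else:
                carved.append(net)  # disjoint, keep as is
        remaining = carved
    return sorted(ipaddress.collapse_addresses(remaining))


def allowed_ips_line(nets: List[Net]) -> str:
    """Format the list for a [Peer] section: AllowedIPs = a/b, c/d, ..."""
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


def is_tunneled(ip: str, nets: List[Net]) -> bool:
    """True if AllowedIPs-based routing would send traffic to `ip` into the tunnel."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def resolver_leaks(resolver_ip: str, nets: List[Net]) -> bool:
    """The leak from the comment: a resolver outside AllowedIPs (e.g. the LAN
    router handed out by DHCP) is queried off-tunnel, in the clear."""
    return not is_tunneled(resolver_ip, nets)


if __name__ == "__main__":
    # Constructed example: keep the home LAN reachable, tunnel everything else.
    nets = allowed_ips_excluding(["192.168.1.0/24"])
    print(allowed_ips_line(nets))
    # LAN router as resolver -> DNS leaves the tunnel; a tunnel-side resolver
    # (constructed address 10.8.0.1) stays inside it.
    print("192.168.1.1 leaks:", resolver_leaks("192.168.1.1", nets))
    print("10.8.0.1 leaks:", resolver_leaks("10.8.0.1", nets))
```

The function handles several exclusions, not just the single /24 in the comment, and the resolver check is the test to run against whatever DNS server the client ends up using.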

d-z-m
0 replies
2h7m

Luckily WireGuard doesn't have this issue on desktop peers

for windows split tunnels it still does, I believe.

chgs
0 replies
2h50m

Just have a black hole route for the subnets you don’t want to send to

kop316
2 replies
3h6m

I've sort of suspected this the case for a while. On VPN, MMS and Visual Voicemail still work on Android. Both of these require direct mobile access or they will get rejected (sometimes they are only on the mobile network, or else they requests get rejected if they don't come from within the mobile network). I suspect the same is true of VoLTE. If there is a VPN, that would mess things up.

I found this out since on Mobile Linux, if you enable VPN, the VPN breaks all of those.

I don't think there is a clear way to fix this on Android without breaking a lot of expected functionality.

nickburns
0 replies
2h55m

ironically SMS/MMS and VVS are two of maybe a few other operations/functions (system updates maybe? maybe?) that are justifiably 'hard-coded' to the carrier connection.

i've done the dance re: VVS with advanced AT&T support on VPN'ed iOS—so can confirm your point is not limited to Android.

bestham
0 replies
34m

No, VoLTE uses a dedicated bearer (network interface) in the LTE stack, not the one used for data. Different bearers can have different priorities/QCI (like QoS). In a congested LTE network VoLTE should provide a better experience than VOIP on a lower priority bearer.

bobbob1921
2 replies
2h2m

A few years ago, when I was testing various VPN setups for a project, one thing I would do is have a MikroTik firewall device (hardware) sit between my computer and my main router, its only purpose would be to block any traffic, not dst for the IP address of the VPN server that the pc was connecting to.

This worked great to ensure that no traffic was leaked from pc to vpn server. The IP address of the VPN server you’re making use of rarely changes or if it does it’s easy enough to change on the MikroTik firewall.

Another method is to block all traffic not to the port/protocol pair being used by the VPN server if you don't know the server's IP address (or if it changes). As an example drop any traffic not dst UDP 1194 (based on the type of VPN, of course). MikroTik routers also have a great little tool called torch that allows you to quickly and easily watch traffic (in addition to, of course, supporting packet captures). MikroTik routers are very reasonably priced and range from as low as $30 up to $3000 - all with no software licenses, and they are very powerful and capable if you know what you're doing.

nickburns
0 replies
1h26m

  This worked great to ensure that no traffic was leaked from pc to vpn server. The IP address of the VPN server you're making use of rarely changes or if it does it's easy enough to change on the MikroTik firewall.

  Another method is to block all traffic not to the port/protocol pair being used by the VPN server if you don't know the servers IP address (or if it changes). As an example drop any traffic not dst UDP 1194 (based on the type of VPN, of course).

outbound filtering by source and/or destination address and/or port is both a fundamental firewalling concept and standard configuration on all firewall-routing platforms. (policy-based routing[0], i.e. filtering by gateway, is the same.) generally speaking, only the con/prosumer products allow everything out by default.

just curious, what was your "main router" in this setup? ISP-supplied?

[0] https://en.wikipedia.org/wiki/Policy-based_routing

autoexec
0 replies
1h14m

As long as you're promoting them, have they got a good/cheap router with a layer 7 firewall?

If only we could insert a firewall between our apps and the modems in our phones.

the8472
1 replies
3h52m

Linux has network namespaces, which can be used to isolate programs so they don't see any external networking when no VPN is available. Does android not use this for its VPN feature?

dyingkneepad
0 replies
3h15m

Lol. On the other hand, I use Linux network namespaces to make programs run outside the VPN on a specific machine that has the whole system configured to go through the VPN. So yeah if you get namespaces you can use them to both isolate programs and also bypass the VPN.

robertritz
1 replies
2h49m

I noticed this with my Android TV. Sometimes my location would leak and certain streaming sites stopped working (I'm outside the US).

Got an AppleTV and this issue stopped.

resource_waste
0 replies
50m

No one is going to say Apple has acceptable levels of Security.

I am a bit shocked when I see politicians with iPhones, most are unaware that Pegasus can take over at any point.

ranger_danger
1 replies
3h52m

I have also noticed that when using the FoxyProxy addon under Firefox, even with a SOCKS5 proxy in use, it will leak DNS requests through the direct connection unless you also set a manual proxy in the regular Firefox settings as well.

yjftsjthsd-h
0 replies
49m

I don't suppose you can set a nonexistent manual proxy and then use the addon for everything?

lloydatkinson
1 replies
4h1m

Depending on your threat model this might mean that you should avoid using Android altogether for anything sensitive

I once worked with someone who worked with someone that had previously been a major Android fanboy, but after doing some work that required a security clearance, they became an iPhone user and insisted their family get iPhones too.

nickburns
0 replies
2h4m

Apple is no less culpable of the same, they just put it behind the garden walls (which, in fairness, would appear to be just barely more trustworthy than Alphabet).

badrabbit
1 replies
2h45m

I gave up on trusting phones to secure data a long time ago. But my approach is, at least when on wifi, to allow access to the internet only if the device connects to a local vpn gateway. 100% leak proof and prevents almost all wifi/lan/mitm attacks.

nickburns
0 replies
2h5m

what if a system-level (read: root) process doesn't respect your user-configured routing table? that's the real issue here. only mitigation would be to physically remove the undesirable NIC/s from the system, which is obviously impossible on SoC hardware.

aftbit
1 replies
1h20m

Also apparently tethering traffic doesn't go via the VPN? That's a silly choice too.

nickburns
0 replies
1h2m

that's a *deliberate choice.

wolverine876
0 replies
28m

Mullvad's security team should have found this problem on their own, and as soon as it appeared:

Inspect security empirically - you might think that your security must work, but that means nothing; you must investigate empirically: All data going to the Internet must pass through the gateway. Collect the packets on the gateway, not on the device, and inspect them for leaks. Finding leaks should be trivial at that point.

The only trick might be cellular connections: We don't know that leaks aren't unique to cellular connections. I know cellular gateways can be setup, but are the packets inspectable at a level that will reveal leaks?
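The empirical check described in this comment, and the MikroTik rule from bobbob1921's comment above ("drop any traffic not dst UDP 1194"), are the same predicate applied at a gateway: every packet leaving the device must be addressed to the VPN server on the VPN's port/protocol, and anything else is a leak. The following is an added example, not code from either commenter, Mullvad or MikroTik. It runs that predicate over a constructed, tcpdump-style capture summary; the addresses (192.168.1.50 as the phone, 198.51.100.10 as the VPN server, 203.0.113.53 as a public resolver, 192.0.2.80 as a web server) and the helper names `Policy`, `parse_capture` and `find_leaks` are my own assumptions.

```python
"""Offline leak check over a gateway packet summary.

Added example. The capture text is constructed to resemble a tcpdump
summary line ("IP src.sport > dst.dport: PROTO, length N"); a real export
would be taken on the gateway, not on the device, exactly as the comment
argues, because the device cannot observe what its own OS bypasses.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, not a real capture. Documentation-range addresses are
# used for everything except the LAN: 198.51.100.10 is the VPN server,
# 203.0.113.53 a public DNS resolver, 192.0.2.80 a web server, 192.168.1.1
# the LAN router, 192.168.1.50 the phone under test, 192.168.1.20 another host.
SAMPLE_CAPTURE = """\
10:00:01.000 IP 192.168.1.50.41234 > 198.51.100.10.1194: UDP, length 148
10:00:01.010 IP 192.168.1.50.52000 > 203.0.113.53.53: UDP, length 56
10:00:01.020 IP 192.168.1.50.52001 > 192.168.1.1.53: UDP, length 56
10:00:01.030 IP 192.168.1.50.44444 > 192.0.2.80.443: TCP, length 0
10:00:01.040 IP 192.168.1.50.41234 > 198.51.100.10.1194: UDP, length 1200
10:00:01.050 IP 192.168.1.20.60000 > 203.0.113.53.53: UDP, length 40
"""

LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>UDP|TCP)"
)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Policy:
    """The gateway's allow-list: the device may talk only to the VPN endpoint."""
    device: str       # address of the device under test on the gateway's LAN
    vpn_server: str   # the only permitted destination address
    vpn_proto: str    # "UDP" or "TCP"
    vpn_port: int     # e.g. 1194 for OpenVPN, as in the comment's example

    def permits(self, pkt: Packet) -> bool:
        return (pkt.dst == self.vpn_server
                and pkt.proto == self.vpn_proto
                and pkt.dport == self.vpn_port)


def parse_capture(text: str) -> List[Packet]:
    """Turn summary lines into Packet records; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pkts.append(Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"]))
    return pkts


DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS; both are leaks if outside the tunnel


def classify(pkt: Packet) -> str:
    return "dns" if pkt.dport in DNS_PORTS else "other"


def find_leaks(text: str, policy: Policy) -> List[Tuple[str, Packet]]:
    """Every packet from the device that the policy does not permit, tagged by kind."""
    leaks = []
    for pkt in parse_capture(text):
        if pkt.src != policy.device:
            continue                # other LAN hosts are out of scope for this test
        if policy.permits(pkt):
            continue                # legitimate tunnel traffic
        leaks.append((classify(pkt), pkt))
    return leaks


POLICY = Policy(device="192.168.1.50", vpn_server="198.51.100.10", vpn_proto="UDP", vpn_port=1194)

if __name__ == "__main__":
    for kind, p in find_leaks(SAMPLE_CAPTURE, POLICY):
        print(f"LEAK [{kind}] {p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto}")
```

On the sample this reports three leaks from the phone: two DNS queries (one to the public resolver, one to the LAN router) and one direct TCP/443 connection, while the two packets to the VPN endpoint pass and the other LAN host is ignored. The same `permits` predicate, expressed as a drop-everything-else firewall rule on the gateway, is the enforcement counterpart of this detection.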

throwaway2037
0 replies
3h6m

I don't use VPNs, nor Mullvad, but I do appreciate the transparency here. We need to support more companies like this.

marc_ranieri
0 replies
1h2m

Block connections without VPN is turning out to be as reliable as my self-control at an all-you-can-eat buffet…if I'm not mistaken, these DNS leaks can very much expose where you browse and even your location, which kinda defeats the whole purpose of a VPN (and yes, even with VPNs, Android might still leak your DNS info. If you're really privacy-conscious, you might need to look beyond just using Android or keep your sensitive stuff off your phone)

kerhackernews
0 replies
20m

Can't you just use a DNS provider that encrypts the traffic?

jerry1979
0 replies
4h0m

This can also be detected by using the NetGuard firewall which acts as a VPN. Even in full lockdown mode, some kinds of network traffic get through.

gregoryl
0 replies
4h23m

That's unfortunate, they only recently rolled out prompts to push Android users away from their in-app always-on functionality to the built in version.