VPN provider Mullvad found that the Android operating system leaks some of the user’s traffic every time the device connects to a WiFi network.
While conducting an audit of its app, the company discovered that Android leaks connectivity checks outside the VPN tunnel in a way that VPN services can't block or prevent. The traffic is leaked even when the “Block connections without VPN” setting is enabled on the device.
“We understand why the Android system wants to send this traffic by default. If for instance there is a captive portal on the network, the connection will be unusable until the user has logged in to it. So most users will want the captive portal check to happen and allow them to display and use the portal. However, this can be a privacy concern for some users with certain threat models. As there seems to be no way to stop Android from leaking this traffic,” the company noted.
Mullvad said it reported the issue to Google, but the tech giant responded that this is intended behavior and that it doesn’t plan to fix it.