VPN “Kill Switch” Broken on Android
Android users have encountered DNS leaks when switching VPN servers, even with the “Always On VPN” and “Block Connections Without VPN” settings enabled. The issue, observed on Android 14 (the current release at the time), was reported by Mullvad, developer of the VPN service of the same name.
The “Always On VPN” setting is designed to start the VPN at boot and keep it running continuously. The “Block Connections Without VPN” setting, commonly called the “Kill Switch,” is meant to ensure that all network traffic passes through the VPN tunnel, so that nothing outside the tunnel can observe a user’s web activity.
Mullvad found, however, that apps which call the C library function getaddrinfo directly to turn a hostname into an IP address can leak DNS queries outside the tunnel. The leak occurs when the VPN is active but has no DNS server configured, and also while the VPN tunnel is being reconfigured, when it fails, or when it is force-stopped.
This includes apps such as the Chrome browser, which can call getaddrinfo directly. Notably, enabling the two settings described above does not stop the leak; that is unexpected behaviour in the operating system and needs to be corrected there.
Mullvad proposes a partial mitigation: configure a bogus DNS server while the VPN app is active, so the system resolver has a DNS server attached to the VPN network instead of falling back to the underlying network’s resolver. No effective fix has yet been found for the leaks that occur while the VPN reconnects.
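To make the mitigation concrete, the following is an added illustration written for this article; it is not Mullvad’s code, and the service name, tunnel address and DNS address are placeholder assumptions. It contrasts a VpnService configuration that names no DNS server with one that attaches a DNS server to the VPN network using the public android.net.VpnService.Builder API. It addresses only the “no DNS server configured” case, not the reconnection leak the article says remains unsolved.

```java
import android.net.VpnService;
import android.os.ParcelFileDescriptor;

// Hypothetical VpnService subclass used only to show the two builder configurations.
public class ExampleVpnService extends VpnService {

    // Weak configuration: all IPv4 traffic is routed into the tunnel, but no DNS
    // server is attached to the VPN network. Per the finding above, hostname
    // lookups made through getaddrinfo can then still reach the underlying
    // network's resolver, outside the tunnel.
    public ParcelFileDescriptor establishWithoutDns() {
        return new Builder()
            .setSession("example-no-dns")
            .addAddress("10.64.0.2", 32)   // placeholder tunnel address (assumption)
            .addRoute("0.0.0.0", 0)        // default route into the tunnel
            .establish();
    }

    // Corrected configuration: a DNS server is attached to the VPN network, so the
    // system resolver sends queries into the tunnel. While a real tunnel is up this
    // is the resolver the tunnel provides; in a "blocked, no tunnel" state the
    // address is deliberately bogus (nothing answers there), so queries are dropped
    // inside the VPN network rather than leaking to the underlying network.
    public ParcelFileDescriptor establishWithDns(String dnsServer) {
        return new Builder()
            .setSession("example-with-dns")
            .addAddress("10.64.0.2", 32)   // placeholder tunnel address (assumption)
            .addRoute("0.0.0.0", 0)
            .addDnsServer(dnsServer)       // e.g. the tunnel's resolver, or a bogus one
            .establish();
    }
}
```

A practitioner checking their own app can verify the difference with a packet capture on the physical interface: with the first configuration, UDP/53 queries from apps that resolve via getaddrinfo appear on the underlying network; with the second, they do not. This does not protect the window during tunnel reconfiguration, crash or forced stop, which the article notes still leaks.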
The company emphasizes the necessity of addressing this issue at the operating system level to protect the privacy of all Android users.
Given the seriousness of the issue, Android users are advised to treat VPN protection with caution for sensitive activities, or to add further safeguards, until Google resolves the flaw.
Google has swiftly responded to Mullvad’s investigations, stating that the security and privacy of Android are a priority for the company. They added that their development team is aware of the issue and is actively engaged in addressing it.
It is worth noting that in October 2022 the Mullvad team also found that Android leaked DNS lookups outside the VPN when a device connected to a Wi-Fi network, which threatened user privacy by exposing the device’s approximate location and the online services it visited.