
Calvin Wankhede / Android Authority
TL;DR
- GrapheneOS has patched an Android 16 VPN flaw that Google reportedly decided not to fix.
- The bug could let a malicious app leak small amounts of data outside an active VPN tunnel.
- In extreme cases, that means it’s possible stock Android users could have their IP address leaked, even with strict lockdown controls enabled.
A VPN that can leak your location is a pretty big failure of the tech at the best of times, but it’s especially concerning when Android’s lockdown controls exist to reassure you that it won’t happen. That’s the problem GrapheneOS has now addressed in Android 16, with a fix for a VPN flaw Google has reportedly decided to leave alone.
As reported by TechRadar, a security researcher going by lowlevel/Yusuf recently disclosed a bug nicknamed Tiny UDP Cannon. The issue affects Android 16 and can allow a regular app to leak a small amount of data outside an active VPN tunnel, potentially exposing your real IP address.

While not a widespread risk, the biggest red flag with the bug is that this can apparently happen even when Android’s strictest VPN settings are enabled. Always-On VPN and Block connections without VPN are meant to prevent traffic from leaving your phone unless it goes through the VPN. They’re supposed to give you extra peace of mind, but this bug creates a narrow way around that protection.
Before you panic, it’s worth noting that an attacker would need to get a malicious app onto your phone first to exploit this bug. That makes the day-to-day risk modest for most Android users, but it’s still not ideal if you rely on Android’s VPN lockdown mode as a serious privacy guarantee.


The flaw appears to stem from a networking optimization in Android 16. According to the researcher, Android doesn’t properly check whether a tiny packet of data sent while closing certain connections should be restricted by the VPN, so it can go out over the regular connection instead. If the malicious app ensures that the packet contains your IP address, it undermines one of the biggest reasons that people use VPNs in the first place.
Google’s Android Security Team reportedly classified the issue as “Won’t Fix (Infeasible)” and decided it wouldn’t be included in a security bulletin. GrapheneOS — the security-focused Android-based operating system focused on Pixels — took a different route, disabling the underlying feature entirely in release 2026050400.
For GrapheneOS fans, it’s another demonstration that the OS takes these privacy edge cases more seriously than its rivals. Stock Android users don’t have a neat official fix right now, though the researcher notes the feature can be turned off manually via an ADB command.

