Android devices leak traffic every time the device connects to a WiFi network, even if “Block connections without VPN” or “Always-on VPN” is enabled.
BleepingComputer reports:
Data leaked out of VPN tunnels includes IP addresses, DNS lookups, HTTPS traffic, as well as NTP traffic. This behavior is built into the Android operating system and is a design choice. However, Android users probably didn't know about it until now due to the inaccurate description of VPN Lockdown features in the Android manual. The problem was discovered during a yet-to-be-published security audit.
Android offers a setting under “Network & Internet” to block network connections unless you are using a VPN. This feature is designed to prevent accidental leaks of the user's real IP address if the VPN connection is suddenly interrupted or dropped. Unfortunately, this capability is undermined by the need to accommodate special cases, such as detecting captive portals (such as a hotel's WiFi) that must be checked before the user can connect, or when using split-tunneling functions. That's why Android is configured to leak some data when connecting to a new WiFi network, regardless of whether you've turned on the “Block non-VPN connections” setting.
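To see what this looks like from a defender's side, here is an added example (not code from the article or from Android) that flags flows leaving the device on the WiFi interface instead of the VPN tunnel, and classifies them into the traffic types the article lists. It assumes flow records exported from a packet capture as `interface,ip_proto,dst_ip,dst_port` lines, that the tunnel interface is `tun0` and the WiFi interface is `wlan0`, and that the only legitimate traffic on `wlan0` is the encrypted tunnel to the VPN endpoint itself (all placeholders).

```python
"""Flag Android traffic that bypassed the VPN tunnel (added example, not from the article)."""
from collections import Counter
from typing import Dict, Iterable, List

VPN_IFACE = "tun0"            # assumed name of the VPN tunnel interface
PHYS_IFACE = "wlan0"          # assumed name of the WiFi interface
VPN_SERVER = "203.0.113.10"   # constructed placeholder for the VPN endpoint (TEST-NET-3)

# (ip_proto, dst_port) -> traffic class; 6 = TCP, 17 = UDP.
PORT_CLASS = {
    (17, 53): "DNS", (6, 53): "DNS",
    (6, 443): "HTTPS", (17, 443): "HTTPS",
    (17, 123): "NTP",
}


def classify(proto: int, port: int) -> str:
    """Map a flow's protocol and destination port to one of the article's leak types."""
    return PORT_CLASS.get((proto, port), "other")


def find_leaks(lines: Iterable[str]) -> List[Dict]:
    """Return flows that used the physical interface without going to the VPN server.

    Packets to the VPN endpoint over wlan0 are the tunnel itself, so they are not leaks;
    everything else on wlan0 left the device in the clear despite the lockdown setting.
    """
    leaks = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        iface, proto, dst, port = line.split(",")
        if iface != PHYS_IFACE or dst == VPN_SERVER:
            continue
        leaks.append({"dst": dst, "port": int(port), "kind": classify(int(proto), int(port))})
    return leaks


def summarize(leaks: List[Dict]) -> Counter:
    """Count leaked flows per traffic class."""
    return Counter(leak["kind"] for leak in leaks)


# Constructed sample capture: the tunnel handshake, two flows inside the tunnel,
# then a DNS lookup, an HTTPS request and an NTP query that bypassed it.
SAMPLE_FLOWS = """\
# interface,ip_proto,dst_ip,dst_port
wlan0,17,203.0.113.10,51820
tun0,17,10.8.0.1,53
tun0,6,198.51.100.7,443
wlan0,17,192.0.2.53,53
wlan0,6,192.0.2.80,443
wlan0,17,192.0.2.123,123
""".splitlines()

if __name__ == "__main__":
    leaked = find_leaks(SAMPLE_FLOWS)
    for leak in leaked:
        print(f"leak: {leak['kind']:5} -> {leak['dst']}:{leak['port']}")
    print(dict(summarize(leaked)))
```

Feeding it records derived from a real capture taken while connecting to a new WiFi network with lockdown enabled shows which connectivity-check traffic escaped the tunnel.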
Google has been made aware of the problem, and a new feature request on Google's Issue Tracker asks for an option to disable connectivity checks.
A Google engineer responded to the request that this is the intended behaviour and will not be fixed, for the following reasons:
- Many VPNs actually rely on the results of these connectivity checks to work,
- Connectivity checks are neither the only nor the most dangerous exemptions from the VPN,
- The privacy impact is minimal, if not negligible, because the leaked information is already available over the L2 link.