Android 16 VPN Vulnerability Allows Apps to Bypass Always-On VPN Protection
Key Takeaways
- Android 16 contains a VPN bypass vulnerability that lets any app leak network traffic outside the VPN tunnel, even with Always-On VPN protection enabled
- The bug is in the registerQuicConnectionClosePayload method, which fails to verify that QUIC connection-close payloads are routed through the VPN interface
- Google closed the Android Security issue as "Won't Fix (Infeasible)," but GrapheneOS patched it quickly, showing the vulnerability is technically solvable
Summary
A critical vulnerability has been discovered in Android 16 that lets a malicious app send network traffic outside the VPN tunnel even when both Always-On VPN and Block Connections Without VPN are enabled. The bug lies in the registerQuicConnectionClosePayload method of the ConnectivityManager system service, which does not verify that a registered QUIC connection-close payload will be sent through the VPN interface. An app can therefore register a payload that the system transmits outside the tunnel, exposing the device's real IP address to the remote endpoint.
Because the bypass happens in a system service rather than in any particular VPN client, it affects every VPN application on Android 16, and it poses significant privacy and security risks: a leaked real IP address can be used for tracking and surveillance. When the issue was reported to Google's Android Security Team, it was closed as "Won't Fix (Infeasible)," citing technical constraints as the reason for declining to patch. In contrast, GrapheneOS, a security-focused Android fork, quickly patched the vulnerability in its own codebase, demonstrating that the issue is solvable with a proper implementation.
Users can apply a technical mitigation by enabling USB debugging and using ADB to disable the QUIC graceful-shutdown feature (adb shell device_config put tethering close_quic_connection -1). This is a temporary workaround: it only changes a runtime flag, so a future system update (or a remote flag push that overwrites locally set device_config values) may revert it, and the flag should be re-checked after updating. Alternatively, users can switch to GrapheneOS, which carries a fix, or avoid installing untrusted applications, since the leak requires a malicious app to be running on the device. The vulnerability highlights ongoing security challenges in Android's core system services.
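The ADB workaround above is easy to mistype and easy to lose silently, so the script below applies it and reads the flag back to confirm it took effect. It is an added example, not code from the article or from GrapheneOS. It assumes adb is on PATH with one authorized device attached, that the namespace and flag name (tethering / close_quic_connection) are exactly as the article gives them, and it uses the fact that Android 16 reports SDK level 36 to skip devices the article does not name as affected.

```shell
#!/bin/sh
# Added example: apply and verify the Android 16 QUIC graceful-shutdown
# workaround over ADB. Not part of the original article.
# Assumptions: adb on PATH, one device with USB debugging enabled and
# authorized, flag namespace/name as given in the article.

ADB="${ADB:-adb}"
FLAG_NS="tethering"
FLAG_NAME="close_quic_connection"
DISABLED_VALUE="-1"

# Return 0 when the output of `device_config get` means the feature is
# disabled. `device_config get` prints "null" for a flag that was never set,
# and adb shell output may carry a trailing CR/LF, which is stripped first.
quic_close_disabled() {
    case "$(printf '%s' "$1" | tr -d '\r\n ')" in
        "$DISABLED_VALUE") return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when ro.build.version.sdk is 36, i.e. Android 16, the only
# release the article reports as affected.
is_android16() {
    [ "$(printf '%s' "$1" | tr -d '\r\n ')" = "36" ]
}

# Set the flag, then read it back; exit non-zero if it did not stick.
apply_workaround() {
    sdk=$("$ADB" shell getprop ro.build.version.sdk)
    if ! is_android16 "$sdk"; then
        echo "device reports SDK $sdk, not Android 16; nothing to do" >&2
        return 2
    fi
    "$ADB" shell device_config put "$FLAG_NS" "$FLAG_NAME" "$DISABLED_VALUE"
    got=$("$ADB" shell device_config get "$FLAG_NS" "$FLAG_NAME")
    if quic_close_disabled "$got"; then
        echo "ok: $FLAG_NS/$FLAG_NAME=$(printf '%s' "$got" | tr -d '\r\n')"
    else
        echo "flag did not stick (got '$got'); check USB debugging and device authorization" >&2
        return 1
    fi
}

# Only touch a device when adb exists and a device is actually attached,
# so the functions above can also be sourced and tested offline.
if command -v "$ADB" >/dev/null 2>&1 && "$ADB" get-state >/dev/null 2>&1; then
    apply_workaround
fi
```

Re-run the script after every system update: the read-back step is the part that matters, because a reverted flag fails silently otherwise.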
Editorial Opinion
This vulnerability underscores a troubling pattern in which critical security issues in Android's core system services can languish unfixed at Google while security-focused alternatives respond swiftly. That Google considers a VPN bypass affecting every VPN user on Android 16 "infeasible" to fix raises questions about resource allocation and security priorities. GrapheneOS's rapid patch shows the issue is solvable, and the contrast widens the trust gap between Google's response and that of independent security teams.