Calvin Wankhede / Android Authority
TL;DR GrapheneOS has patched an Android 16 VPN flaw that Google reportedly decided not to fix.
The bug could let a malicious app leak small amounts of data outside an active VPN tunnel.
In practice, that means a stock Android user's real IP address could be exposed, even with Android's strictest VPN lockdown controls enabled.
A VPN that can leak your real IP address, and with it your rough location, is a serious failure at the best of times, but it's especially concerning when Android's lockdown controls exist specifically to reassure you that it won't happen. That's the problem GrapheneOS has now addressed in Android 16, with a fix for a VPN flaw Google has reportedly decided to leave alone.
As reported by TechRadar, a security researcher going by lowlevel/Yusuf recently disclosed a bug nicknamed Tiny UDP Cannon. The issue affects Android 16 and can allow a regular app to leak a small amount of data outside an active VPN tunnel, potentially exposing your real IP address.
While not a widespread risk, the biggest red flag with the bug is that this can apparently happen even when Android's strictest VPN settings are enabled. Always-On VPN and Block connections without VPN (together, Android's VPN lockdown mode) are supposed to stop any traffic from leaving your phone unless it goes through the VPN. They're intended to give you extra peace of mind, but this bug creates a narrow way around that protection.
Before you panic, it’s worth noting that an attacker would need to get a malicious app onto your phone first to exploit this bug. That makes the day-to-day risk modest for most Android users, but it’s still not ideal if you rely on Android’s VPN lockdown mode as a serious privacy guarantee.