mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0
5.14k stars 345 forks source link

[Feature request] VPN permission in android app #3840

Open kalekad opened 2 years ago

kalekad commented 2 years ago

LineageOS 19.1 (Android 12) MullvadVPN-2022.2-beta1

When you open the app, it asks for an account number and to confirm it, the device must be connected to the network and only after this step, the app asks for VPN permission and once granted, you can set the Always-on VPN and Block connections without VPN in Android setting.

Please ask for VPN permission in the app before you need to be online so that you can set Always-on VPN and Block connections without VPN and avoid data leakage.

faern commented 2 years ago

Exactly when do you mean that you are leaking data?

We need to communicate with our API before we can establish any VPN tunnel. First of all, we check that the account number is valid, secondly we need to submit WireGuard keys and have the API return which in-tunnel IP addresses the app should use. Without this it would not be possible to establish a VPN tunnel.

Or do you mean we should set up a fake/not working tunnel first, so that all other apps are blocked from the internet, and then "leak" our own API connection. So at least other apps are not allowed to talk outside the tunnel.

Is this initial do-once login step that important to you? I'm not saying it is, I just want to understand the use case. Are you in airplane mode and you can't possibly leave it and have the phone talk outside the VPN under any circumstance?

kalekad commented 2 years ago

Exactly when do you mean that you are leaking data?

Between entering your account number and connecting to the VPN.

To clarify, the phone is disconnected from the network -Airplane mode. In this mode, it is not possible to configure the Mullvad app 2022.2beta1 so that it does not leak data from other apps when it first connects to the network.

Or do you mean we should set up a fake/not working tunnel first, so that all other apps are blocked from the internet, and then "leak" our own API connection. So at least other apps are not allowed to talk outside the tunnel.

Exactly as you described it would be great to have.

Is this initial do-once login step that important to you? I'm not saying it is, I just want to understand the use case. Are you in airplane mode and you can't possibly leave it and have the phone talk outside the VPN under any circumstance?

For me, it's important to be constantly shielded from my ISPs. I have Airplane mode on all the time unless I need to connect when I'm out and about to a mobile operator's network via a prepaid card paid for with cash and vouchers. I have a VPN or TOR on my router for when devices other than mine want to connect to the network.

e.g. InviZible Pro(Orbot alternative), Mullvad app before 2022.2beta1 can be set up offline.

Now I've tested the 2022.1 version for Android. Clean install of the app in offline mode. When I first started it, I entered my account number and confirmed, it showed logged in and showed a basic screen with a location selection and a Secure my connection button. I hit Secure my connection and a request for VPN permission pops up, I confirm. The blocked internet banner appears and below it says blocked connection. I go into Android settings to turn on Always-on VPN and Block all connections without VPN. I go back to the app and connect to the wifi. The app still says it blocks all connections (I try different apps and it does), I look in the app settings under the wireguard key tab, it is assigned. The app still shows that it blocks all connections, I put reconnect and I'm connected.

faern commented 2 years ago

Thanks for describing your use case. We'll discuss it and see if we can improve on this!