pia-foss / mobile-android

Private Internet Access - Android VPN Client

<Extremely high priority> Known Android Unaddressed VPN leaking #58

Open Nemes15 opened 5 months ago

Nemes15 commented 5 months ago

Neither PIA nor any of the KAPE VPN services is talking about this or looking for a solution. Maybe it is unknown (I doubt it, but I will give the benefit of the doubt), but the internal PIA killswitch was dropped a long time ago for the more secure "Android built-in Killswitch"; however, this Android kill switch is NOT as secure as the app makes it out to be.

There are many reports about this multicast problem and developers are working hard to find a working solution. PIA devs aren't working on this at all. While it is not labeled as such, I would label it as a CVE because it has an impact on all VPN users and has been an issue for years. Of course you can wait for upstream Android dev to resolve it, but that is a long-term solution. We also need a short-term solution (either add firewall rules again, force the service to run at start-up, block anything but the default 202 requests from limited sources, DO SOMETHING and acknowledge the issue in the blog).

I will add various sources (mostly OTHER VPN providers like Mullvad that are on top of this issue and selective OS releases), including upstream, that dictate this issue.

Links:

https://issuetracker.google.com/issues/337961996

https://github.com/GrapheneOS/os-issue-tracker/issues/3443

Old public reports by news outlets:

https://www.makeuseof.com/android-leaking-data-with-vpn-on/

https://www.bleepingcomputer.com/news/google/android-leaks-some-traffic-even-when-always-on-vpn-is-enabled/

thestinger commented 3 months ago

There were 2 different kinds of leaks and you're mixing those up.

The issue which became widely known after being reported to us is the DNS leak problem filed at https://github.com/GrapheneOS/os-issue-tracker/issues/3442 which has been resolved. There's a remaining DNS leak issue where VPN DNS is accessed outside the tunnel, but GrapheneOS has prevented the DNS resolver from accessing non-VPN DNS when lockdown is enabled already.

The multicast leak you've linked on our tracker is an entirely separate thing from the DNS leak issue you've linked on the Android issue tracker.

Both news articles you've linked are highly inaccurate and don't cover any leaks. Mullvad posted inaccurate and misleading information which was made even more inaccurate by journalists trying to paraphrase it. That has nothing to do with either form of DNS leak or the multicast leak which were not publicly known until they were filed on the GrapheneOS issue tracker. Articles from 2022 have nothing to do with it and those articles are not about anything that's actually a leak but rather traffic such as connectivity checks intentionally excluded from the VPN since it wouldn't work otherwise. That's well documented by GrapheneOS and there are settings to control connectivity checks. Android also chooses to do that for NTP while we have our secure HTTPS-based network time go through the VPN instead with the downside of inaccurate time being able to break the VPN connection until users fix it after figuring out the issue.
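Added example, not part of the thread and not PIA or GrapheneOS code: a triage of packets captured on the physical (non-tunnel) interface while always-on VPN with lockdown is enabled, using the categories the comment above separates (multicast leak, DNS leak, and connectivity-check and NTP traffic that Android intentionally excludes). The addresses, the VPN port and the label names are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

# Assumptions, constructed for this example (documentation-range addresses):
VPN_ENDPOINT = (ipaddress.ip_address("198.51.100.10"), "udp", 1198)  # tunnel transport
CHECK_HOSTS = {ipaddress.ip_address("203.0.113.80")}  # resolved connectivity-check host

def classify(dst, proto, dport):
    """Label one packet that was observed outside the VPN tunnel."""
    ip = ipaddress.ip_address(dst)
    if (ip, proto, dport) == VPN_ENDPOINT:
        return "vpn-transport"                 # the encrypted tunnel itself, expected
    if ip.is_multicast:                        # 224.0.0.0/4 and ff00::/8
        return "multicast-leak"
    if dport in (53, 853):                     # plain DNS or DNS-over-TLS off-tunnel
        return "dns-leak"
    if proto == "udp" and dport == 123:
        return "ntp-excluded"                  # excluded by design on Android
    if ip in CHECK_HOSTS and proto == "tcp" and dport in (80, 443):
        return "connectivity-check-excluded"   # excluded by design, user-controllable
    return "unclassified-off-tunnel"           # needs manual review

# Constructed capture summary: (destination, protocol, destination port)
SAMPLE = [
    ("198.51.100.10", "udp", 1198),   # tunnel packets to the VPN server
    ("224.0.0.251", "udp", 5353),     # IPv4 multicast
    ("ff02::fb", "udp", 5353),        # IPv6 multicast
    ("192.0.2.53", "udp", 53),        # resolver reached outside the tunnel
    ("198.51.100.10", "udp", 53),     # DNS to the VPN host, but not inside the tunnel
    ("192.0.2.123", "udp", 123),      # NTP
    ("203.0.113.80", "tcp", 443),     # connectivity check
    ("192.0.2.200", "tcp", 443),      # anything else
]

def triage(packets):
    """Return (label counts, packets that are actual leaks)."""
    labels = [classify(*p) for p in packets]
    leaks = [p for p, label in zip(packets, labels) if label.endswith("-leak")]
    return Counter(labels), leaks

if __name__ == "__main__":
    counts, leaks = triage(SAMPLE)
    for label, n in sorted(counts.items()):
        print(f"{label:30} {n}")
    print("leaks:", leaks)
```

Only the `-leak` labels count as findings; the `-excluded` labels are the traffic the comment describes as intentionally kept out of the VPN.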