
Calvin Wankhede / Android Authority
TL;DR
- GrapheneOS has patched an Android 16 VPN flaw that Google reportedly decided not to fix.
- The bug could let a malicious app leak small amounts of data outside an active VPN tunnel.
- In extreme cases, that means it’s possible stock Android users could have their IP address leaked, even with strict lockdown controls enabled.
A VPN that can leak your location is a pretty big failure of the tech at the best of times, but it’s especially concerning when Android’s lockdown controls exist to reassure you that it won’t happen. That’s the problem GrapheneOS has now addressed in Android 16, with a fix for a VPN flaw Google has reportedly decided to leave alone.
As reported by TechRadar, a security researcher going by lowlevel/Yusuf recently disclosed a bug nicknamed Tiny UDP Cannon. The issue affects Android 16 and can allow a regular app to leak a small amount of data outside an active VPN tunnel, potentially exposing your real IP address.

While not a widespread risk, the biggest red flag with the bug is that this can apparently happen even when Android’s strictest VPN settings are enabled. Always-On VPN and Block connections without VPN are supposed to prevent traffic from leaving your phone unless it goes through the VPN. They’re meant to give you extra peace of mind, but this bug creates a narrow way around that protection.
Before you panic, it’s worth noting that an attacker would need to get a malicious app onto your phone first to exploit this bug. That makes the day-to-day risk modest for most Android users, but it’s still not ideal if you rely on Android’s VPN lockdown mode as a serious privacy guarantee.
The flaw appears to stem from a networking optimization in Android 16. According to the researcher, Android doesn’t properly check whether a tiny packet of data sent while closing certain connections should be restricted by the VPN, so it can exit over the regular connection instead. If the malicious app ensures that the packet contains your IP address, it undermines one of the biggest reasons that people use VPNs in the first place.
Google’s Android Security Team reportedly classified the issue as “Won’t Fix (Infeasible)” and decided it wouldn’t be included in a security bulletin. GrapheneOS — the security-focused Android-based operating system focused on Pixels — took a different route, disabling the underlying feature entirely in release 2026050400.
For GrapheneOS fans, it’s another demonstration that the OS takes these privacy edge cases more seriously than its rivals. Stock Android users don’t have a neat official fix right now, though the researcher notes the feature can be turned off manually via an ADB command.


