Any app on recent Android versions can leak certain traffic

Submitted ⁨⁨16⁩ ⁨hours⁩ ago⁩ by ⁨Lemmynated@lemmy.zip⁩ to ⁨technology@lemmy.zip⁩

https://mullvad.net/en/blog/2026/5/12/any-app-on-recent-android-versions-can-leak-certain-traffic

A recently discovered bug in Android 16 allows any app to leak traffic outside the VPN tunnel.

The bug was reported to the Android Security Team, but was closed as Won’t Fix (Infeasible) […] In contrast, GrapheneOS, a security-focused Android-based OS, quickly patched the issue in its codebase.

A mitigation is possible, but is quite technical in that it requires USB debugging to be enabled on the device in order to run the following Android Debug Bridge (adb) commands:

adb shell device_config put tethering close_quic_connection -1

adb reboot

source

Comments

Sort:hotnew top

massive_bereavement@fedia.io ⁨13⁩ ⁨hours⁩ ago
Yeah, haha sure, a bug... 🙄

source
- WhatAmLemmy@lemmy.world ⁨11⁩ ⁨hours⁩ ago
  “We’re sorry” ((rubs nips))
  
  source
- tgxn@lemmy.tgxn.net ⁨6⁩ ⁨hours⁩ ago
  ahh and it always seems somehow related back to QUIC!
  
  source
acido@feddit.it ⁨14⁩ ⁨hours⁩ ago
nice, gonna use the fix as soon as I get home.

source
- MagicDonkey@lemmy.dbzer0.com ⁨6⁩ ⁨hours⁩ ago
  My guess is if the server side connection stays half open it would mean the server is still sending data to your device after its closed the connection causing that data to essentially get sinkhole’d.
  
  Maybe in some extreme examples if you have a huge amount of connections that get abruptly closed your bandwidth could be limited until the connections expire. In normal circumstances that probably just means a small amount of additional background resources are getting wasted.
  
  source
SillyDude@lemmy.zip ⁨12⁩ ⁨hours⁩ ago

Android 16 introduced a bug

Security via poverty, like I can even run andriod 16 😎

source