A recently discovered bug in Android 16 allows any app to leak traffic outside the VPN tunnel.

The bug was reported to the Android Security Team, but was closed as Won’t Fix (Infeasible) […] In contrast, GrapheneOS, a security-focused Android-based OS, quickly patched the issue in its codebase.

A mitigation is possible, but is quite technical in that it requires USB debugging to be enabled on the device in order to run the following Android Debug Bridge (adb) commands:

adb shell device_config put tethering close_quic_connection -1

adb reboot

  • acido@feddit.it
    4 days ago

    This disables the QUIC graceful shutdown feature, and thus closes the leak. The mitigation will persist across reboots, but it may be undone by system updates, in which case the steps will need to be repeated.

    Performing this mitigation means that the server-side QUIC socket will remain half-open until it times out, which should generally not negatively affect the Android device or apps running on it. However, only use the command at your own risk if you understand the implications.

    Does anyone know what the implications of the proposed fix are?

    • ayyy@sh.itjust.works
      3 days ago

      It makes it harder to run big servers talking to Android apps. Instead of them saying “I’m done, goodbye” they will just ghost the server. Then the server has to keep a connection open and waiting around to hear from you again even though you are done.

      This isn’t a problem if a few people do it, but if everyone does it then servers could end up spending more time waiting on abandoned connections than doing real work.
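
The post's mitigation and the quoted note that system updates may undo it imply a check-and-repeat step; the script below is an added example, not part of the thread, that reads the flag back over adb and re-applies it only when it is missing. The function names are hypothetical, and it assumes `device_config get` prints `null` for an unset key and that a single device with USB debugging enabled is attached.

```shell
#!/bin/sh
# Added example: check and re-apply the mitigation from the post.
# Namespace, key and value are the ones on the page; function names are illustrative.
NAMESPACE=tethering
KEY=close_quic_connection
WANTED=-1

# Classify raw `device_config get` output. An unset key prints "null" (assumption
# stated in the lead-in); adb output may carry CR/LF, so strip whitespace first.
classify_flag() {
    raw=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$raw" in
        "$WANTED") echo applied ;;
        null|"")   echo unset ;;
        *)         echo "other:$raw" ;;
    esac
}

read_flag() {
    adb shell device_config get "$NAMESPACE" "$KEY"
}

# Re-apply only when needed, then read the value back to confirm the write.
ensure_mitigation() {
    state=$(classify_flag "$(read_flag)")
    if [ "$state" = applied ]; then
        echo "mitigation present ($KEY=$WANTED)"
        return 0
    fi
    echo "flag state: $state; re-applying"
    adb shell device_config put "$NAMESPACE" "$KEY" "$WANTED" || return 1
    state=$(classify_flag "$(read_flag)")
    if [ "$state" != applied ]; then
        echo "write did not take effect (state: $state)" >&2
        return 1
    fi
    echo "flag set; run 'adb reboot' to finish, as in the post"
}

# Usage: script check | script apply (no argument: define functions only)
case "${1:-}" in
    check) classify_flag "$(read_flag)" ;;
    apply) ensure_mitigation ;;
esac
```

Running it with `check` after each system update shows whether the value was reset before any traffic depends on it.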