Any app on recent Android versions can leak certain traffic
A recently discovered bug in Android 16 allows any app to leak traffic outside the VPN tunnel.
The bug was reported to the Android Security Team, but was closed as Won’t Fix (Infeasible) [...] In contrast, GrapheneOS, a security-focused Android-based OS, quickly patched the issue in its codebase.
A mitigation is possible, but is quite technical in that it requires USB debugging to be enabled on the device in order to run the following Android Debug Bridge (adb) commands:
adb shell device_config put tethering close_quic_connection -1
adb reboot
https://mullvad.net/en/blog/2026/5/12/any-app-on-recent-android-versions-can-leak-certain-trafficOpen linkView original on piefed.social171
Comments10
LOL if that's the fix and the Android Security team won't fix it... jfc what a joke
I have a bunch of android based barcode scanners at work that we have to use adb to do some of the configuration setup. it's a powerful tool but it's not rocket science or anything more complicated than command line stuff
They won't fix the thing because they're ordered to do so. It's not a bug, it's a feature.
Fixed in GrapheneOS fwiw
They've copied gOS's homework one hell of a lot. They clearly don't want to do so here.
does anyone know what are the implications of the fix proposed?
It makes it harder to run big servers talking to android apps. Instead of them saying “I’m done, goodbye” they will just ghost the server. Then the server has to keep a connection open and waiting around to hear from you again even though you are done.
This isn’t a problem if a few people do it, but if everyone does it then servers could end up spending more time waiting on abandoned connections than doing real work.
Well now I'm definitely doing it
Hope Lineage and /e/OS implement the fix soon as well
"Don't be evil"
Isn't QUIC long gone, merged into HTTP/3?