All Android and iOS apps can see your VPN

A couple of weeks ago, Russian companies received a guideline document explaining how they can detect the presence of a VPN on a device. If a VPN is detected, they are required to fully restrict access to Russian platforms.

In this post, I will cover only 2 major Android problems and 1 small iOS problem.

Android

tun0 NetworkInterface

All network interfaces are accessible to all apps on Android. You may say: “I am smart, I’ve installed the VPN into a separate profile/private space/Shelter, so apps from the main profile can’t see it”.

Yes, but.

You can try it right now with your VPN app! Install any terminal emulator into a profile/private space that is not intended for VPN usage. Enable the VPN in the other profile and run this command:


curl --interface tun0 ipinfo.io/ip

tun0 here is just a common network interface that is present only if a VPN is enabled.

You will see your VPN address. No matter where the VPN or the terminal is installed, you can always access all network interfaces.

I tested it with Proton VPN on a Pixel with GOS. Proton was open in the private space, the terminal in the admin profile and a second profile. I always saw the Proton IP.

Now imagine that your country fights against VPNs and every app developed in your country is legally obligated to run this command a couple of times a day, collect logs and send them to the government. Oh, wait. You don’t need to imagine.

Russian apps can curl different IP checkers, foreign ones, Russian ones, use different network interfaces (wlan0), compare IPs, do it multiple times a day, and collect the results of all such checks.

They can just ping Russian sites and YouTube (which is blocked) and check the difference. So many possibilities.

A second phone or a web app fixes this problem.

Installed apps list

This is simple: any app can access all installed apps in your profile. Russian apps can just collect a list of all VPN apps and then compare it against the apps on your phone.

You’ve probably noticed this if you’ve ever set up local DNS filtering that runs a local VPN and lets you choose which apps the filtering applies to.

A private space or a second profile fixes this problem.

iOS

VPN flag

There is not much info about iOS right now, but it has a flag, VPN_IS_ENABLED or something like that, and every app can see it.

This is enough for Russian apps, and they can just not open.

They can’t see your VPN IP address, as far as we understand.

A web app fixes this problem.

So you get the IP of the VPN server?

This would be a big problem, because if it’s combined with other data, it can easily identify someone.

Yes, I did. Proton was in the private space, always-on VPN was enabled, “block connections without VPN” was enabled. Termux was in the admin profile.

This works with any VPN app. It’s not a VPN app problem, it’s Android design.

Update: I don’t know if it’s OK to post links, but you can download this app and test if it can detect your VPN (it will make requests to 16 different domains; if that’s not okay for you, you can disable those IP checks in the settings): GitHub - xtclovver/RKNHardering · GitHub

Since it’s targeting a Russian audience, you might get some false-positive results. Just look at the differences between the real IP and the VPN IP, and at the direct and indirect signs.

I found another app that detects VPN presence only via the Android API; it doesn’t even need the internet permission:

I didn’t think the ability to detect the presence of a VPN tunnel is a problem. The fact that some apps stop doing what they should do when they detect a VPN tunnel is worrying though. Perhaps ideally apps should not know whether a VPN is active or not and be agnostic about how its own traffic is routed.

Apps that enumerate all installed apps are a big problem. Some ways to mitigate this may be to use only FOSS apps or to add some sort of sandboxing.

If you are using a VPN in one profile, then all apps in other profiles can detect 3 of your IPs:

  1. Your Wi-Fi IP (wlan0 interface)

  2. Mobile IP (rmnet0 interface)

  3. VPN IP (tun0 interface)

The number after tun/wlan/rmnet may vary, but any app can just try tun0, then tun1, tun2, etc. There are no limits for them.

With those 3 IPs you can be easily tracked across networks.

I’m not sure what’s going on here, but I’m confused about exactly what you’re claiming. If you’re claiming that apps can see your actual IP even when using a VPN, I highly doubt that. A vulnerability that large would be all over the internet.

In Android you need to install and run a VPN in each profile you want the VPN to protect. This is well documented (although I agree maybe not the best UI / OPSEC design).

This is literally how VPNs work.

Am I missing something here? What exactly are you claiming?

EDIT: This is also the main reason to only run highly trusted, open source software. If you have malicious apps on your phone, that’s a vulnerability in itself.

I have already pointed out this huge flaw, but nobody seems to care, not even GrapheneOS (they argue that any partial fix to fingerprinting is a lost cause, and that it is better to work on a VM, something which will take months/years).

Hopefully this pushes Google or at the very least to change their stance. What I would do is allow VPN apps and app stores to access it by default, and the rest by consent. In any case it should be revocable.

Everything being said here is true. It has been tested and proven by numerous people going back at least 3 years.

And it is. Governments already abuse this.

This isn’t how VPNs work. There are a ton of censorship evasion strategies involving policy based routing. It’s ignorant to say “that’s how VPNs are supposed to work”; you’re obviously not in a position to be judging how people should use their phones. You have 0 experience dealing with censorship to even understand the severity of such a vulnerability.

Once again, heavily ignorant. I’m very confused about your stance. Why are you mad?

If you enable a VPN in one profile, apps in ANOTHER profile can see that the VPN is enabled and can see the VPN IP.

In order to protect against that, every profile and private space must have always-on VPN enabled.

If even one profile has no VPN, then apps there can see every IP of the running VPNs.

There are no “leaks” technically, because apps INSIDE a profile with always-on VPN enabled can’t see your real IP.

Edit:

The real world doesn’t run on highly trusted open source software. People are forced to use malicious apps every day. This is why the app sandbox must always evolve.

Every app should only be able to access such details if the user explicitly grants access. Otherwise all malicious apps will become “VPNs” and “app stores”.
(Brave has its VPN inside the browser, so it’s a VPN client from the OS perspective.)

The multi-profile strategy that so many people are parroting isn’t reliable without network namespace separation. I can say for certain that it’s only a matter of time until a Western company like Meta adopts this not-so-obscure fingerprinting method, like they did with WebRTC.

I guess this is the only sensible conclusion that could be drawn from this by regular PG users from non censored countries.

While sing-box and mihomo have implemented app ID/procname filtering, Android breaks PBR promises in so many ways that it’s impossible to trust the OS. Without Google’s involvement, this is unfixable.

In an ideal world I agree. It should be noted that Android 17 now has an API for selecting apps to be excluded from the VPN tunnel, so VPN apps might not need the app list anymore.

It depends on who implements it. If GOS implements it, they would almost certainly have to allow it by default either for some apps (a lot of effort to collect a list of all those that need it) or for some category of apps. If they don’t, it will lead to a lot of breakage.

But if Google does it, then yes they can just make it for every app.

As I understand it, this API has existed in Android for a long time, and all VPN apps are using it. A17 just brings a unified UI to it.

No, as I understand this means VPNs now don’t need to see your apps list to just exclude some specific apps. Could be wrong.

Maybe, let’s wait for the official release.

Anyway, developers should utilize this API. Proton sells this as a feature, so I don’t know if Proton will make it free for everyone.

RKS Global finally translated their research.

I think apps from different profiles or spaces should not see the IP address of VPNs running in other spaces/profiles.

Thanks for sharing this, and I think it highlights exactly why I’m asking for clarification about what you’re claiming. Because the article is claiming different things from what you’ve been claiming (and both you and this “research” article are claiming things that are dubious or misleading).

TL;DR - If you don’t install Russian spyware on your phone this is not an issue. (Like I was saying.)

In addition, there are several recommendations to mitigate the risk:

  • The ideal option is to have two separate phones: one for Russian apps, and another for everything else, with a VPN.

  • VPN on a router. The VPN tunnel is created on the router; the phone connects via Wi-Fi.

EDIT: This is the same exact reason it’s good not to install ANY spyware in your phone including apps from Google, Meta, TikTok, etc.

It’s good, but not always possible. Let’s say in a couple of years these modern “ID check” apps will do the same things as Yandex, Meta, etc., and people won’t be able to open sites without this ID check app.

And all you will be able to do about it is buy a second phone or not use the internet at all. This is not normal. Apps from one profile should not be able to see that a VPN is enabled in another, and especially should not see the VPN IP.