Any app on recent Android versions can leak certain traffic (mullvad.net)

submitted 2 days ago by Lemmynated@lemmy.zip to c/technology@lemmy.zip

5 comments fedilink hide all child comments

A recently discovered bug in Android 16 allows any app to leak traffic outside the VPN tunnel.

The bug was reported to the Android Security Team, but was closed as Won’t Fix (Infeasible) [...] In contrast, GrapheneOS, a security-focused Android-based OS, quickly patched the issue in its codebase.

A mitigation is possible, but is quite technical in that it requires USB debugging to be enabled on the device in order to run the following Android Debug Bridge (adb) commands:

adb shell device_config put tethering close_quic_connection -1

adb reboot

top 5 comments

sorted by: hot top controversial new old

[-] massive_bereavement@fedia.io 19 points 2 days ago

Yeah, haha sure, a bug... 🙄

[-] WhatAmLemmy@lemmy.world 6 points 2 days ago

"We're sorry" ((rubs nips))

[-] acido@feddit.it 8 points 2 days ago* (last edited 2 days ago)

nice, gonna use the fix as soon as I get home.

EDIT:

This disables the QUIC graceful shutdown feature, and thus closes the leak. The mitigation will persist across reboots, but it may be undone by system updates, in which case the steps will need to be repeated.

Performing this mitigation means that the server-side QUIC socket will remain half-open until it times out, which should generally not negatively affect the Android device or apps running on it. However, only use the command at your own risk if you understand the implications.

anyone knows the implications of this?

[-] MagicDonkey@lemmy.dbzer0.com 4 points 2 days ago

My guess is if the server side connection stays half open it would mean the server is still sending data to your device after its closed the connection causing that data to essentially get sinkhole'd.

Maybe in some extreme examples if you have a huge amount of connections that get abruptly closed your bandwidth could be limited until the connections expire. In normal circumstances that probably just means a small amount of additional background resources are getting wasted.

[-] SillyDude@lemmy.zip 3 points 2 days ago

Android 16 introduced a bug

Security via poverty, like I can even run andriod 16 😎

this post was submitted on 12 May 2026

65 points (100.0% liked)

Technology

6770 readers

3 users here now

News community around technology, social media platforms, information technology and governmental policy surrounding it.

What doesn't fit here?

The core of the story has to be technology focused.

If article mentions "AI" in a sentence and then talks about business economics that doesn't make it tech news.
Gaming is too many layers removed from technology. There are many dedicated communities that are a better fit for it.
Transporation is too many layers removed from technology. EVs while use many cool technologies have many dedicated communities that are a better fit for it.
Entertainment is too many layers removed from technology. While sometimes it can fit here, business or cultural aspects of it are a better fit for dedicated communities.
Cybersecurity. While it heavily focuses on technology, most of the time it's too technical for most people who are not already invested in it. Should be posted in a dedicated communities unless it has broader connection to other tech areas.

Post guidelines

Title format

Post title should mirror the news source title. If you don't like the title of article, look for an alternative source instead of editorializing it.

URL format

Post URL should be the original link to the article (even if paywalled) and archived copies left in the body. It allows avoiding duplicate posts when cross-posting.

[Opinion] prefix

Opinion (op-ed) articles must use [Opinion] prefix before the title. Opinion articles refer to articles that their publisher doesn't explictly endorse.

Country prefix

Country prefix can be added to the title with a separator (|, :, etc.) if the news is from a local publisher who doesn't clearly mention the country.

Rules

1. English only

Title and associated content has to be in English.

2. Use original link

Post URL should be the original link to the article (even if paywalled) and archived copies left in the body. It allows avoiding duplicate posts when cross-posting.

3. Respectful communication

All communication has to be respectful of differing opinions, viewpoints, and experiences.

4. Inclusivity

Everyone is welcome here regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, or sexual identity and orientation.

5. Ad hominem attacks

Any kind of personal attacks are expressly forbidden. If you can't argue your position without attacking a person's character, you already lost the argument.

6. Off-topic tangents

Stay on topic. Keep it relevant.

7. Instance rules may apply

If something is not covered by community rules, but are against lemmy.zip instance rules, they will be enforced.

Companion communities

!globalnews@lemmy.zip
!interestingshare@lemmy.zip

Icon attribution | Banner attribution

If someone is interested in moderating this community, message @brikox@lemmy.zip.

founded 2 years ago

MODERATORS

BrikoX@lemmy.zip