A recently identified vulnerability in Android 16 compromises VPN protections by enabling apps to bypass always-on VPN configurations and leak users' real IP addresses. This undermines a critical layer of mobile privacy and security, potentially exposing sensitive device information without user awareness.
- Android 16 bug allows IP leaks despite VPN protections
- Issue affects all VPN types and always-on VPN settings
- No current evidence of exploitation but risk remains unresolved
Threat signal
The vulnerability in Android 16 affects the ConnectivityManager system service, which manages network connection states. The flaw allows apps to send traffic directly to web servers, bypassing the VPN tunnel and exposing the device's real IP address even when VPN safeguards are enabled. This exposure undermines the fundamental privacy benefit that VPNs provide.
Unlike typical VPN bypass methods that rely on user-granted permissions or encryption weaknesses, this flaw sits in the operating system's core network stack. It therefore applies to any VPN type, regardless of encryption or configuration, which increases its potential impact on privacy-sensitive users.
Operator exposure
For organizations relying on VPNs to secure mobile endpoints and maintain geographic access controls, this vulnerability introduces a blind spot. Employees or devices using Android 16 may unknowingly expose real IP addresses, weakening network perimeters and location-based security policies. The issue could be exploited by covert applications that evade detection while leaking sensitive network metadata.
Google’s current position is to treat the issue as low priority and infeasible to fix immediately, potentially extending risk exposure. While Google Play Protect helps block known malicious apps, new threats remain possible, emphasizing the importance of layered security beyond VPN reliance for Android environments.
What teams should watch
Security and privacy teams should monitor Android OS update channels closely for patches or official guidance addressing this flaw. Meanwhile, enterprises may consider advising high-risk users to switch to alternative OS builds such as GrapheneOS that have implemented timely fixes, especially when strict privacy is vital.
Teams should assess existing mobile VPN policies and user endpoint configurations to identify potential exposures. Using mobile device management (MDM) to enforce app vetting and minimize installation of untrusted apps will reduce risk. Awareness campaigns about the limitations of VPNs on Android 16 can reduce false assumptions of safety among users.