
Credit: Calvin Wankhede / Android Authority
TL;DR
- GrapheneOS has patched an Android 16 VPN flaw that Google reportedly decided not to fix.
- The bug could let a malicious app leak small amounts of data outside an active VPN tunnel.
- In extreme cases, stock Android users could have their IP address leaked, even with strict lockdown controls enabled.
A VPN that can leak your location is a pretty big failure of the tech at the best of times, but it’s especially concerning when Android’s lockdown controls exist to reassure you that it won’t happen. That’s the problem GrapheneOS has now addressed in Android 16, with a fix for a VPN flaw Google has reportedly decided to leave alone.
As reported by TechRadar, a security researcher going by lowlevel/Yusuf recently disclosed a bug nicknamed Tiny UDP Cannon. The issue affects Android 16 and can allow a regular app to leak a small amount of data outside an active VPN tunnel, potentially exposing your real IP address.