A critical security vulnerability in Android 16 allows any app to bypass VPN tunnels and leak user traffic, potentially exposing real IP addresses. The bug, which affects all VPN apps, was reported to Google but marked as 'Won't Fix' and the issue tracker has since become inaccessible. While GrapheneOS has patched the issue, the vulnerability remains unaddressed in mainstream Android, requiring technical workarounds for mitigation.
Background
VPNs are commonly used to protect user privacy by routing traffic through encrypted tunnels, hiding the user's real IP address. Android's 'Always-On VPN' feature is designed to ensure all traffic goes through the VPN tunnel for enhanced security.
- Source
- Lobsters
- Published
- May 12, 2026 at 08:04 PM
- Score
- 8.0 / 10