6 comments

[ 3.6 ms ] story [ 22.2 ms ] thread
(comment deleted)
"I reported this through the Android VRP. Apparently, it is not in their threat model."

According to Netguard logs UID 1000 "Dynamic System" appears to try to use the tunnel in an earlier Android version

Blocking UID 1000 connections, and blocking QUIC, has not caused any problems for me

Yet another example of the relative lack of user control, privacy, etc. in corporate mobile OS

Not to mention undesired "side effects" of default use of QUIC

> Blocking UID 1000 connections, and blocking QUIC, has not caused any problems for me

By design, the app sandbox isn't applied as strictly on "privileged apps" (like UID 1000). There's nothing NetGuard or any userspace app can do to shore that up. System/privileged apps can bypass most OS-enforced isolation mechanisms at will: https://github.com/celzero/rethink-app/issues/224

This is besides the fact that NetGuard doesn't (yet) support "Block connections without VPN" mode.

(comment deleted)
Honestly not sure if Proton or anyone else can fix this client-side on Android. Stuff like this is why people end up moving the VPN to the router.
"PERMISSION_SYSTEM" meaning you can bypass the VPN, with no option to override from the user, looks broken by design to me.