惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Schneier on Security
F
Fortinet All Blogs
博客园_首页
The GitHub Blog
The GitHub Blog
V
Visual Studio Blog
D
DataBreaches.Net
aimingoo的专栏
aimingoo的专栏
爱范儿
爱范儿
B
Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
N
Netflix TechBlog - Medium
阮一峰的网络日志
阮一峰的网络日志
P
Proofpoint News Feed
D
Docker
Engineering at Meta
Engineering at Meta
大猫的无限游戏
大猫的无限游戏
The Cloudflare Blog
罗磊的独立博客
云风的 BLOG
云风的 BLOG
Microsoft Azure Blog
Microsoft Azure Blog
T
The Exploit Database - CXSecurity.com
博客园 - 三生石上(FineUI控件)
量子位
The Last Watchdog
The Last Watchdog
MyScale Blog
MyScale Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
The Blog of Author Tim Ferriss
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
小众软件
小众软件
Cloudbric
Cloudbric
博客园 - 司徒正美
H
Help Net Security
人人都是产品经理
人人都是产品经理
Application and Cybersecurity Blog
Application and Cybersecurity Blog
L
LangChain Blog
Latest news
Latest news
M
MIT News - Artificial intelligence
T
Threat Research - Cisco Blogs
博客园 - Franky
S
Security Affairs
W
WeLiveSecurity
F
Full Disclosure
Know Your Adversary
Know Your Adversary
Google DeepMind News
Google DeepMind News
The Hacker News
The Hacker News
Cyberwarzone
Cyberwarzone
美团技术团队
PCI Perspectives
PCI Perspectives
C
Check Point Blog
Spread Privacy
Spread Privacy

Forbes - Consumer Tech

This Unhackable Quantum Navigation System Is The Size Of A Loaf Of Bread Apple At 50 — A Leadership Shift And An AR Future We Are Under-Investing In Robotics ... 90% Of Humanoid Robots Are Made In China Ditch The Apple White: Beats Expands Colorful Cable Line-Up With New 10-Foot Option Satechi’s New ChargeView 140W Desktop GaN Charger With Real-Time Display The Hasselblad In Your Pocket: Oppo’s Find X9 Ultra Challenges The Galaxy S26 Ultra There's No Such Thing As Brain Honey How AI Agents Could Rebuild Fashion’s Visual Production Layer QClaw Goes Global. The Agent Built Itself In 5 Days Apple’s Tim Cook Exit Hides A $4 Trillion Agentic AI Power Move EZQuest Reveals A New Line Of Pro Series USB-C Hubs For MacBook Neo Samsung Galaxy Z TriFold 2 Already In The Works, Report Claims Apple Revealed New Siri Release Date For iPhone, Latest Report Claims How Arcani’s HARK Is Designed For Modern Battlefield Acoustics The Newest Trend In Tech Embraces Femininity And Fun Samsung’s 75R95H Ushers In A New World Of LCD TVs New Apple iPhone Fold Design Pushes Smartphone Rivals To Go Wider And Taller iPhone 18 Pro Report: Four New Colors Leak As Apple Cancels Popular Shade Nothing’s Design-Led Strategy: Carl Pei Reveals The Tech Brand’s Philosophy iOS 26.5 Release Date: When To Expect Your iPhone Messaging Upgrade Google Pixel And Highsnobiety Build A Talent Pipeline For Fashion Android Circuit: Samsung Raises Galaxy Prices, Oppo Pad Mini Teased, Microsoft Closing Outlook App Apple Loop: iPhone Fold Launch Dates, iPad Air Upgrade, iPhone 18 Pro Specs Comcast $117.5 Million Breach Settlement — Are You Eligible? Amazfit Cheetah 2 Pro Takes Aim At The Garmin Audience Disney’s Launches ‘Infinity Vision’ Certification For Premium Theaters SoundPeats Reveals New Air6 HS Semi-Open Wireless Earbuds Amazon’s $11.57 Billion Leap Into Space: A Challenge To Starlink Meta Quest 3 Hit With $100 Price Increase Backblaze Stops Backing Up Dropbox And Others—Calls It An Improvement ‘Technically Hard To Do’: Why Samsung’s Galaxy S26 Ultra Privacy Display Is A Global First Ulanzi Launches D200X Creative Deck To Challenge Logitech And Elgato Plugable’s New 10-In-1 USB-C Hub Has Most Of The Ports You’ll Need AI Solved A Mathematical Problem That Had Stumped The World’s Best Minds For Decades RØDE Announces A Slew Of New Podcasting Innovations At NAB 2026 Samsung SmartThings Gets Smarter, Safer And More Personal Apple Announces Events In Run-Up To TCS London Marathon Apple Now Largest Smartphone Maker. Also, Samsung Now Largest Universal Announces 8-Movie ‘Steven Spielberg: The Spotlight Collection’ 4K Blu-Ray Boxset Denon Unveils Versatile New Living Room AV Receiver Google Android PIN Hackers Target 800 Apps During Attack Surge Canva AI 2.0 Launches With New Features And Conversational AI Govee’s New $450 Lightwall Brings RGBIC Effects Indoors And Out New Garmin Watch Is One Of The Most Expensive Yet The One Catch To Samsung’s New AirDrop-Style Sharing On Galaxy S26 World-First: Humanoid Robot On Live Industrial-Scale Electronics Production Line Cadence Teams With Nvidia And Google To Redefine AI System Engineering Dolby Files Lawsuit Against Barco Over HDR Patents Apple To Bring Major Upgrade To iPad Air In Months, Report Claims iPhone Setting Update—Stop FBI From Accessing Deleted Signal Messages GoPro Mission 1 Levels Up Action Cameras But One Mystery Remains Adobe Brings Chat To Firefly AI Assistant Across Creative Cloud Apps Sky Eyes Up Ring With Standalone Smart Home Launch Orico’s New X50 Thunderbolt 5 Compatible Enclosure Offers High-Speed Fanless Storage How 2,000 Tons Of Sand Stores 100 Megawatt-Hours And Slashes Carbon Emissions 70% iPhone’s Hidden Strength In The Rush To Wide Foldable Smartphones New Samsung Galaxy Price Shock Is Bad News For 2026 Buyers Can The Power Of AI Help You To Chat With Your Cat? Inside China’s Push To Build Birdlike Drones Sky Glass Air All-In-One Budget TV With Seamless Access To Sky Channels Booking.com Confirms Data Breach, Reservation PIN Codes Changed Google, DressX And The New Fashion AI Virtual Try-On Stack Why Major News Sites Are Blocking The Internet Archive’s Wayback Machine iPhone Fold Release Date: New Report Details Frustrating Apple News Humanoid Robots’ 88% Fail Rate: Completing Home Tasks Why Your Next Smartphone Could Have Lower Specs And A Higher Price Apple iPhone Fold: Striking Design Revealed In Leaked Photos Here’s The Most Affordable Humanoid Robot You Can Buy Now Samsung’s Disappointing Price Update For Galaxy Phone Buyers Is It Time For Apple To Forget About The MacBook Air Oura Has Designed A Solution To A Big Smart Ring Problem Apple iPhone Fold: Striking Design Revealed In Leaked Photos Adobe Attacks Underway—Windows And Mac Users Given 72 Hours To Update iOS 26.4.1 Release: Crucial iPhone Feature Update Arrives, But No Security Fix Can’t Stand Liquid Glass? This New Hidden iPhone Setting Is A Game-Changer Android Circuit: Galaxy S27 Pro Emerges, Honor 600 Pre-Order Offers, Pixel 11 Display Leaks Apple Loop: iPhone 18 Pro Leak, Urgent iOS Update, MacBook Neo Issues The Costly Dream Of Space-Based AI Infrastructure Adobe Attacks Underway—Windows And Mac Users Given 72 Hours To Update New Google Security Warning For Android 14, 15 And 16 Users—Update Now Fosi Launches CD Player With Built-In DAC And Headphone Amplifier The Shift From Place To Performance In Workplace Design Dyson Just Launched A $99 Gadget: Meet The HushJet Mini Cool Fan Apple iOS 26.4.1 Unexpected New iPhone Software: Should You Upgrade? LG Announces All U.K. And Some U.S. Pricing For Its 2026 TV Range Google Brings New 2FA Bypass Protection To Chrome For Windows Users iOS 26.4.1 Release: Crucial iPhone Feature Update Arrives, But No Security Fix SiFive's $400M Round Signals A RISC-V Moment In AI Data Centers Google Issues Critical Update Alert For 3.5 Billion Chrome Users Apple Vision Pro Gets A Major Gaming Upgrade Disney Announces ‘Alice In Wonderland’ 4K Blu-Ray, Featuring An All-New 4K Restoration Surprise Galaxy S27 Leak Gives Samsung New Options Aqara Thermostat Hub W200: Matter Controller With Smart Heating Skills Now On Sale AI Transformation: No-One’s At The Wheel, Says 500-Company Study Insta360 Launches Screen For Taking Selfies With A Phone’s Rear Camera Apple iPhone Fold Gets New Release And Screen Confirmation Angry Hacker Drops Microsoft Zero-Day Exploit, 1 Billion Users Warned Artemis II Just Dropped Stunning Wallpapers For Your Phone Or PC New Amazon Hack Attack—Alert For 300 Million Users Apple’s 2026 Shake-Up: iPhone 18 Pro Leaks While iPhone Fold Steals The Show
New Android 16 VPN Bypass Confirmed—And There’s No Fix From Google
Davey Winder · 2026-05-15 · via Forbes - Consumer Tech
The Google Android 16 logo is seen on a smartphone.

Google Android 16 bug leaks info from all VPN apps.

SOPA Images/LightRocket via Getty Images

Updated May 15: This article, originally published May 14, has been updated with a statement from a Google spokesperson regarding the Android 16 vulnerability that allows a malicious app to bypass VPN protections, regardless of which VPN you use or how strict your Android device’s VPN configuration settings are. Details of iOS VPN limitations have also been added to help iPhone users be aware.

A security researcher has published a technical paper detailing how Android 16 has introduced a bug that essentially bypasses VPN protections, affecting all VPN apps. Whether you have enabled the “Always-On VPN” or “Block connections without VPN” settings is immaterial; Android 16 can still leak traffic outside of the VPN protected tunnel. This means that your real IP address is visible on the internet, with all the potential for tracking and surveillance issues that come with it. But here’s the kicker: the researcher reported the bug through the Android Vulnerability Reward Program only for Google to close the issue and mark it as “Won’t Fix” for falling outside of the threat model.

ForbesGoogle Targets Caller ID Spoofing As Scam Losses Reach $980 Million AnnuallyBy Davey Winder

The Android 16 VPN Vulnerability Explained

My attention was drawn to the issue when Yusef, a security researcher based in Zurich who goes by the X handle of @cybaqkebm, posted a simple statement: “Turns out ‘Always-On VPN’ and ‘Block connections without VPN’ features on Android aren't that reliable.” The link in the tweet led me to a highly technical report detailing an Android 16 VPN bypass. The gist of it is that the two settings mentioned, meant to be a hard guarantee that no information will leave your device outside of the established VPN tunnel, are nothing of the sort.

Given that Google has previously warned about the dangers of malicious VPNs and advised users to “only download VPN apps from official sources, and check for apps with the VPN badge in Google Play,” you might think that this would be something that it would take very seriously indeed. Yet, Yusef has confirmed, after reporting the vulnerability through the Android VRP, “apparently, it is not in their threat model.” Indeed, the issue was closed as Won’t Fix (infeasible) and, according to a Mullvad VPN alert, the app vendor has also now reported the issue on the Android issue tracker. This is an important point, as Mullvad noted the vulnerability “affects all VPN apps” on the Android 16 platform.

MORE FOR YOU

The TL;DR technical overview is, Yusef said:

A Binder method on ConnectivityManager, registerQuicConnectionClosePayload, accepts an arbitrary byte buffer and a UDP socket from any caller with INTERNET and ACCESS_NETWORK_STATE (both auto-granted). When the registered socket dies, system_server sends the buffer on the socket’s original network. No permission check, no payload validation, no awareness of the VPN-lockdown state of the calling UID. With one slightly cute trick to slip past the fwmark server, an attacker app can use that primitive to leak the user’s real IP past an active VPN.

In other words, a malicious app can send traffic outside the VPN tunnel, regardless of what VPN app you are using or how strict your Android 16 VPN configuration is.

A Google spokesperson provided me with the following statement: "This issue only affects devices that have downloaded a malicious app. Android users are automatically protected against known malicious apps by Google Play Protect."

OK, so ensuring that you never install a malicious app on your device would be the primary mitigation against falling victim to this Android 16 vulnerability, seems to be the advice from Google. Which is, of course, good as far as it goes. But the problem here is that Google Play Protect means, as the Google statement admits, that users are only “automatically protected against known malicious apps.” That doesn’t mean a lot if unknown malicious apps get into the Play Store and are downloaded 7.3 million times before it is noticed that they are dangerous and removed, as I reported on May 10.

Given that malicious app avoidance isn’t a given, if you see what I mean, the only current mitigation would appear to be as follows: the user must manually amend a DeviceConfig setting. Something, dear reader, that I would not recommend most users attempt. As Yusef warned, “Use it only if you understand the implications and on your own risk.” Actually, there is another mitigation: switch to Graphene OS, as it has already resolved the issue. Again, not something most users will want to do.

And before you start to think that maybe an iPhone is the answer, there’s some bad news on that front as well. A reader contacted me to say that they had seen this article and that “This is the same as Apple, where they have now actually updated their privacy information to state that some resolution may take place outside of the VPN.” Investigating this further, I discovered this in, indeed, the case. In a December 12, 2025 VPNs and privacy legal posting, Apple confirmed that “not all your device’s network traffic will be routed through an active VPN.” The legal statement went on to state that “if an app developer specifies a required type of connection for their app, such as mobile data only, network traffic from that app is excluded in active VPN configurations. On iOS, iPadOS and visionOS devices, your VPN provider can choose to override this choice and prevent most apps, services and system functions from routing network traffic outside of an active VPN configuration.”

As for Android, it’s over to Google to see whether the “won’t fix” Android 16 vulnerability response will be amended. If not, it won’t be the first Google security gaffe, but let’s hope that media and app vendor pressure can come to bear in this case.