Technology

84552 readers

4184 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

L3s@hackingne.ws

149

Any app on recent Android versions can leak certain traffic (mullvad.net)

submitted 18 hours ago by alakey@piefed.social to c/technology@lemmy.world

10 comments fedilink hide all child comments

A recently discovered bug in Android 16 allows any app to leak traffic outside the VPN tunnel.

The bug was reported to the Android Security Team, but was closed as Won’t Fix (Infeasible) [...] In contrast, GrapheneOS, a security-focused Android-based OS, quickly patched the issue in its codebase.

A mitigation is possible, but is quite technical in that it requires USB debugging to be enabled on the device in order to run the following Android Debug Bridge (adb) commands:

adb shell device_config put tethering close_quic_connection -1

adb reboot

top 10 comments

sorted by: hot top controversial new old

[–] carrylex@lemmy.world 3 points 7 hours ago

However, at the time of writing the issue is marked as inaccessible by Google for unknown reasons.

"Don't be evil"

[–] acido@feddit.it 10 points 11 hours ago (1 children)

This disables the QUIC graceful shutdown feature, and thus closes the leak. The mitigation will persist across reboots, but it may be undone by system updates, in which case the steps will need to be repeated.

Performing this mitigation means that the server-side QUIC socket will remain half-open until it times out, which should generally not negatively affect the Android device or apps running on it. However, only use the command at your own risk if you understand the implications.

does anyone know what are the implications of the fix proposed?

[–] ayyy@sh.itjust.works 7 points 10 hours ago (1 children)

It makes it harder to run big servers talking to android apps. Instead of them saying “I’m done, goodbye” they will just ghost the server. Then the server has to keep a connection open and waiting around to hear from you again even though you are done.

This isn’t a problem if a few people do it, but if everyone does it then servers could end up spending more time waiting on abandoned connections than doing real work.

[–] swab148@lemmy.dbzer0.com 3 points 8 hours ago

Well now I'm definitely doing it

[–] thisbenzingring@lemmy.today 43 points 15 hours ago (1 children)

LOL if that's the fix and the Android Security team won't fix it... jfc what a joke

I have a bunch of android based barcode scanners at work that we have to use adb to do some of the configuration setup. it's a powerful tool but it's not rocket science or anything more complicated than command line stuff

[–] Emotional_Engi@lemmy.zip 25 points 15 hours ago (1 children)

They won't fix the thing because they're ordered to do so. It's not a bug, it's a feature.

[–] BonkTheAnnoyed@piefed.blahaj.zone 14 points 14 hours ago (1 children)

Fixed in GrapheneOS fwiw

[–] MalReynolds@slrpnk.net 6 points 13 hours ago

It’s not a bug, it’s a feature.

They've copied gOS's homework one hell of a lot. They clearly don't want to do so here.

[–] MonkderVierte@lemmy.zip 1 points 8 hours ago* (last edited 7 hours ago)

Isn't QUIC long gone, merged into HTTP/3?

[–] timestatic@feddit.org 5 points 12 hours ago

Hope Lineage and /e/OS implement the fix soon as well