
This is the first time I am using a VPN on my stock Android device. I bought VPN Unlimited mainly because it was on sale and without evaluating competitor products.

I was playing around with it and it does mask the external IP well on any location I choose. But my concern is with Device IP/Local IP. That does not get masked, as you can see from the snapshots below (OpenVPN protocol).

This is from the device IP as shown in the app:

enter image description here

These are from webkay and Browser leaks. As you can see Device IP/Local IP are not masked and are clearly visible.

enter image description here enter image description here

I have read these (and understood at a high level since I am not familiar with VPN security aspects):

  1. How can you be caught using Private VPN when there's no logs about who you are?
  2. How can meta data be used to identify users through chained VPNs?

Questions

  • Is this expected behavior of VPNs?
  • Is it a concern or risk? (The 2nd question above seems to indicate that it is indeed so.)
  • Should I be concerned, considering my usage pattern (which is occasional banking, shopping and maybe in the future visiting restricted sites if need be)?

I have written to VPN Unlimited and so far they have not given a clear reply. This makes me more suspicious, and hence I thought of asking here.

beeshyams
  • `HTTP` (webkay) and `HTTPS` (browser leaks) *both* reveal the local IP, so that rules out one possibility for IP being exposed – beeshyams Jan 04 '18 at 15:42

1 Answer


You mention different threat models: does it matter if a banking/shopping website can use this information to identify you? Probably not, because you are likely logging in with an account that is already tied to your identity, payment information, home address etc. However, regarding "restricted sites", where you might be trying to hide your identity, this leaked information could reduce your anonymity.

The information leak is not characteristic of VPNs—the VPN is operating on a different/lower layer; it does not control or affect what code you allow to run on your device (unless the VPN provider is actively modifying your traffic—bad). Code that runs on your device, JavaScript, WebRTC-related, or otherwise, can access device APIs that provide information such as location, interface IP addresses, browser/OS information, battery state etc. So VPN or no VPN, this information can be accessed. This leak can only be resolved by changing browsers or browser settings, and there are certain web browsers and browser extensions that are designed to help with this, usually by disabling the features or providing false information.

In the webkay screenshot you posted, there is information that may help you disable these forms of tracking; disabling JavaScript and WebRTC is a good start. However, VPNs aren't truly designed to provide anonymity, although they may help to a degree. Solutions such as the Tor network and the Tor browser bundle are designed for anonymity and privacy and may be a better choice in this case.

multithr3at3d
  • What I mean is that the VPN is operating on a different layer; it does not control or affect what code you allow to run on your device. Code that runs on your device, JavaScript or otherwise, can access device APIs that provide information such as location, interface IP addresses, OS information, battery state etc. So VPN or no VPN, this information can be accessed. This leak can only be resolved by changing browsers or browser settings, as mentioned. This is why using the Tor browser or using NoScript may be a good idea. – multithr3at3d Jan 05 '18 at 15:37
  • Updated answer. – multithr3at3d Jan 05 '18 at 20:03
  • Validated answer by using Privacy Browser that plugs the leaks mentioned and local IP didn't show up – beeshyams Jan 06 '18 at 04:03
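
The answer's point that WebRTC code in the browser can read interface addresses regardless of the VPN can be checked on your own device by looking at the ICE candidates the browser produces. The following is an added example, not part of the original thread: it classifies candidate lines by what they reveal. The function names, labels and sample candidate lines are all constructed for illustration, and the VPN exit address is assumed to be known to the user.

```javascript
// Added example. Every candidate line below is constructed sample data.
const SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 3f2a9c1e-7b1d-4c55-9e0a-5d2f6b7c8a90.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 1686052607 198.51.100.20 40000 typ srflx raddr 0.0.0.0 rport 0",
];

// True for loopback, RFC 1918, link-local and CGNAT IPv4, and IPv6 loopback/ULA/link-local.
function isPrivateAddress(addr) {
  const m = addr.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (m) {
    const a = Number(m[1]), b = Number(m[2]);
    return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) || (a === 169 && b === 254) ||
      (a === 100 && b >= 64 && b <= 127);
  }
  const v6 = addr.toLowerCase();
  return v6 === "::1" || /^f[cd][0-9a-f]{2}:/.test(v6) || /^fe[89ab][0-9a-f]:/.test(v6);
}

// Parse "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ..."
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (!f[0].startsWith("candidate:") || f.length < 8 || f[6] !== "typ") return null;
  const r = f.indexOf("raddr");
  return { address: f[4], type: f[7], related: r !== -1 ? f[r + 1] || null : null };
}

// Label what one candidate reveals, given the VPN exit address the user expects to see.
function classify(line, vpnExitIp) {
  const c = parseCandidate(line);
  if (!c) return "unparseable";
  if (c.address.endsWith(".local")) return "masked-mdns"; // browser hid the host address
  if (isPrivateAddress(c.address)) return "local-ip";      // the leak described in the question
  const leaksRelated = c.related !== null && isPrivateAddress(c.related);
  if (c.address !== vpnExitIp) return "public-ip-outside-vpn";
  return leaksRelated ? "vpn-exit-with-local-raddr" : "vpn-exit-only";
}

function audit(lines, vpnExitIp) {
  return lines.map((l) => classify(l, vpnExitIp));
}

console.log(audit(SAMPLE, "203.0.113.7"));
```

After disabling WebRTC or switching to a browser that masks host candidates, the `local-ip` and `vpn-exit-with-local-raddr` labels should no longer appear for candidates gathered on that device.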