Popular Russian applications are now obligated to restrict access to their services for users with a detected VPN connection, or even to report the IP addresses of detected VPNs. Like in many authoritarian regimes, the Internet is unusable in Russia without a VPN, and a VPN has become an essential tool even for ordinary citizens. The government instructs companies to use vulnerabilities in the Android architecture to detect VPNs and VPNs' IP addresses.

Firstly, applications can easily get the status of the VPN connection using ConnectivityManager and NetworkCapabilities, and they can do that even from an isolated private space. Applications can then restrict access to their services or even report the usage of a VPN to the government - keep in mind that VPN usage itself is illegal in several countries.

Secondly, applications can detect passwordless SOCKS proxies on localhost, created by VPN apps, because access to localhost is unrestricted on Android and any application can try to connect to such a proxy and find the VPN's IP. While this vulnerability is caused mostly by flaws in the design of VPN applications and can be fixed at the application level, the unrestricted access to localhost is a problem in itself that was abused earlier by Yandex and Meta. It seems that Graphene's team is aware of this problem and wanted to fix it earlier, so I just want to remind about this problem and its relevance.
Unfortunately, it seems that GrapheneOS is not much better than any other AOSP-based system in terms of countering those vulnerabilities. The VPN connection status can be checked by any app, and localhost attacks work fine even from private space. However, if the network permission is disabled, the localhost attack doesn't work, but these Russian apps are unusable without the Internet.
I propose adding a new app permission to read any VPN-related flags. If this permission is not granted by the user, the application will always see the VPN as disabled, even if it's not true. Vulnerability to localhost attacks can be solved by adding a separate toggle for internal networking, as was proposed previously.
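A self-audit for the localhost exposure described in the post, as an added example that is not part of the original post: it lets a VPN app developer or user check whether a local listener accepts the SOCKS5 "no authentication" method (RFC 1928). The function names and the constructed stand-in listener are assumptions made for illustration; the port to check is whatever your own VPN client binds on loopback.

```python
import socket
import threading

# SOCKS5 greeting offering exactly one method: 0x00 (no authentication).
GREETING_NO_AUTH_ONLY = b"\x05\x01\x00"

def classify_reply(reply: bytes) -> str:
    """Interpret the 2-byte SOCKS5 method-selection reply."""
    if len(reply) != 2 or reply[0] != 0x05:
        return "not-socks5"
    if reply[1] == 0x00:
        return "open"           # passwordless: reachable by any app with network access
    if reply[1] == 0xFF:
        return "auth-required"  # listener refused the no-auth method
    return "not-socks5"

def audit_port(port: int, host: str = "127.0.0.1", timeout: float = 1.0) -> str:
    """Check one loopback port of your own device; stops after method negotiation."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with s:
        try:
            s.sendall(GREETING_NO_AUTH_ONLY)
            return classify_reply(s.recv(2))
        except OSError:
            return "not-socks5"  # connected, but no usable reply in time

def constructed_listener(reply: bytes) -> int:
    """Constructed stand-in for a VPN app's local proxy: answers one client with `reply`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.recv(16)        # consume the greeting
            conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for label, reply in (("passwordless", b"\x05\x00"), ("hardened", b"\x05\xff")):
        print(label, "->", audit_port(constructed_listener(reply)))
```

A result of `open` on a port owned by a VPN client means the proxy should be moved behind username/password authentication or off a TCP loopback socket.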