Context: In recent months, the Russian government has aggressively stepped up its efforts to censor the Internet. This has made it hard for Russian residents to access a broad range of resources, including independent and foreign news websites, non-state-controlled platforms like Instagram and YouTube, and messaging apps like Telegram and WhatsApp. At times, depending on how aggressively the censors act (it varies), most popular Internet resources can be unavailable.
In response, tens of millions of people in Russia have turned to VPNs in order to keep accessing the Internet resources they want. This is a problem for the Russian government's censorship efforts. As a result, the state has now started coercing Russian businesses (banks, e-commerce platforms, ridesharing services, etc.) to block users from their apps if those apps can detect that the user may be running a VPN on their device. On top of that, if the state-mandated spyware in those apps detects an active VPN, it can report the VPN server's IP address to the government, and that server can then be blocked.
Android in particular has been reported to be a platform where the system APIs make it relatively straightforward to detect that the user is potentially using a VPN, even if the spyware-containing app is excluded from the VPN via split tunneling. For concrete reports of this, see this GitHub thread from AmneziaWG (note: Amnezia is a fork of WireGuard popular in Russia; it obfuscates WireGuard packets, making it harder for automated systems to detect and block VPN traffic). In short, a hostile app can see the tun0 interface and the IP address mismatch it creates, and use that as a heuristic to conclude that the user is running a VPN.
Someone published a proof-of-concept Android app, RKNHardening, that performs this check and shows the results to the user. This detection mechanism works even across Android profiles. That is, if a cautious user puts all the spyware-containing Russian apps they need (e.g. from their bank) in one profile that doesn't use a VPN, and keeps a second profile for "clean", blocked apps that runs a VPN, a hostile app in the first profile can still detect that a VPN is active in the other profile.
I was wondering, given GrapheneOS's hardening, whether using a separate profile on it vs stock Android would prevent that. Unfortunately, an article came out today from Meduza (an independent Russian-language publication), and it's bad news. GrapheneOS is susceptible:
We conducted an experiment on an Android device with GrapheneOS. We created two extra user profiles on the same phone. In theory, they should be maximally isolated from each other. On one [profile], we installed a VPN app and turned it on. On the second we installed RKNHardening [the app I linked above] and launched a check. As a result, we found the network interface of the VPN app from the other profile, and found out its IP address.
(translation mine, original quote in Russian below):
Мы провели эксперимент на андроиде с GrapheneOS. Создали на одном телефоне два дополнительных пользовательских профиля. В теории они максимально изолированы друг от друга. В первом установили VPN-приложение и включили его. Во втором установили RKNHardening и запустили проверку. В результате нашли сетевой интерфейс VPN-приложения из другого профиля — и узнали его IP-адрес.
(original link to the article in Russian)
In theory, can anything be done by GrapheneOS's developers to prevent VPN network interfaces from leaking across profiles, or is the exploitable behavior too deep within AOSP itself?
Summary: Android apps can detect whether a user is running a VPN; this works across profiles, even on GrapheneOS, and the Russian government can use it to restrict or block VPN usage. Can GrapheneOS do anything to close this vulnerability?