By Davey Winder
Publication Date: 2026-05-15 11:14:00
Updated May 15: This article, originally published May 14, has been updated with a statement from a Google spokesperson regarding the Android 16 vulnerability that allows a malicious app to bypass VPN protections, regardless of which VPN you use or how strict your Android device’s VPN configuration settings are. Details of iOS VPN limitations have also been added to help iPhone users be aware.
A security researcher has published a technical paper detailing how Android 16 has introduced a bug that essentially bypasses VPN protections, affecting all VPN apps. Whether you have enabled the “Always-On VPN” or “Block connections without VPN” settings is immaterial; Android 16 can still leak traffic outside of the VPN protected tunnel. This means that your real IP address is visible on the internet, with all the potential for tracking and surveillance issues that come with it. But here’s the kicker: the researcher reported the bug through the Android Vulnerability Reward…




