TL;DR
- security researcher @cybaqkebm found a bug on Android
- the bug allows apps to circumvent VPN tunnels, leaking user data
- the bug was reported to Android, with a proposed fix
- Android said it wouldn't fix it
- The bug report mysteriously disappeared
- GrapheneOS already released a patched version
- advanced users can manually patch their Androids via USB debugging (adb code)
A new VPN leak that allows any app to leak traffic outside the VPN tunnel has recently been discovered by @cybaqkebm.
Read more here:
https://mullvad.net/en/blog/any-app-on-recent-android-versions-can-leak-certain-traffic
That's not a security issue if the app you install bypasses the VPN. It decides where and how it sends traffic; if it's already encrypted, why use overhead encrypting it again?
GrapheneOS already patched it so
I override Android Auto on mine so it can work with my radio. Do I care if encrypted traffic from Spotify does not go through a VPN? It's already encrypted and my playlists are not a matter of national security.
Allowing an app to bypass only bypasses that app's traffic; any financial app would not allow this due to regulatory requirements, etc. Not seeing the issue. If you think an app is going to disable your VPN for its own use and you don't feel secure as a result, don't use it. VPNs only prevent snooping, most sites use TLS 1.2 or higher anyway, and browsers give a security warning for HTTP traffic.