
The Tiny UDP Cannon An Android VPN Bypass #2243

Open
carlospolop wants to merge 1 commit into master from update_The_Tiny_UDP_Cannon__An_Android_VPN_Bypass_20260515_140746

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://lowlevel.fun/posts/tiny-udp-cannon-android-vpn-bypass/
  • Blog Title: The Tiny UDP Cannon: An Android VPN Bypass
  • Suggested Section: Mobile Pentesting -> Android Applications Pentesting -> Android VPN / Network Policy Bypass, or a new subsection under Android Applications Pentesting about Binder/hidden API abuse and VPN lockdown bypasses

🎯 Content Summary

The post analyzes The Tiny UDP Cannon, an Android 16 VPN lockdown bypass where a regular Android application can leak the user's real public IP even when "Always-on VPN" and "Block connections without VPN" are enabled. The attacker app does not directly send the bypass packet. Instead, it registers attacker-controlled UDP bytes and socket metadata through Android's hidden QUIC graceful-close API, then exits. When the socket is destroyed, sy...

🔧 Technical Details

Confused-deputy network send via privileged system services: If an unprivileged caller can give a privileged service both socket metadata and attacker-controlled bytes, and the service later recreates the socket as a privileged UID, it can bypass network policies that only apply to the original caller. In this case, Android’s registerQuicConnectionClosePayload(pfd, payload) stores the original socket’s netId, source, destination, caller UID, and payload. On SOCK_DESTROY, system_server UID 1000 sends the payload with network.bindSocket(socket). Because system UIDs receive PERMISSION_SYSTEM, they bypass VPN lockdown checks that would block the original app UID.

Protocol-specific API becoming a generic payload cannon: Any API designed to send a specific protocol frame can become an arbitrary data exfiltration primitive if it accepts raw bytes and does not v...

🤖 Agent Actions

Done.

Updated:

  • src/mobile-pentesting/android-app-pentesting/android-applications-basics.md

Added:

  • A new Binder-focused subsection on hidden API abuse via direct IBinder.transact()
  • The privileged confused-deputy pattern behind VPN/network-policy bypasses
  • The bind() vs Network.bindSocket() metadata-shaping trick
  • Practical triage and defensive review notes
  • References to the blog post and PoC

Validation:

  • Reviewed diff
  • Confirmed ## References remains at the end
  • Confirmed final banner include is intact

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
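The confused-deputy pattern the bot summarizes above (an app registers bytes plus socket metadata, exits, and a privileged service later replays the bytes under its own UID) is easier to reason about with a small policy model. The block below is an added illustration written for this review; it is not code from the blog post, from the PoC, or from Android. It keeps only two facts from the PR text (system_server is UID 1000, and system-class UIDs are exempt from the lockdown check) and models everything else with assumed names: `NetworkPolicy`, `ClosePayloadRegistry`, `may_send_outside_vpn`, the `FIRST_APP_UID` cutoff, and a constructed attacker UID and destination. The vulnerable replay evaluates the policy against the sending process; the hardened replay evaluates it against the UID recorded at registration time, which is the check a reviewer would look for in the real service.

```python
"""Added model of the confused-deputy send described in the PR summary.

Not code from the blog post or from Android: a simplified simulation only.
Assumed names: NetworkPolicy, ClosePayloadRegistry, may_send_outside_vpn,
FIRST_APP_UID, APP_UID. Facts kept from the PR text: system_server is
UID 1000 and system UIDs are exempt from the VPN lockdown check.
"""
from dataclasses import dataclass

SYSTEM_UID = 1000        # system_server (from the PR text)
FIRST_APP_UID = 10000    # assumption: app UIDs start at 10000, lower is "system"
APP_UID = 10123          # constructed UID for the attacker app


def permission_class(uid: int) -> str:
    """System-range UIDs get PERMISSION_SYSTEM; app UIDs get no exemption."""
    return "PERMISSION_SYSTEM" if uid < FIRST_APP_UID else "PERMISSION_NONE"


@dataclass(frozen=True)
class ClosePayloadRecord:
    """What the graceful-close API stores, per the PR text: netId, endpoints,
    caller UID and the raw payload bytes."""
    caller_uid: int
    net_id: int
    src: tuple
    dst: tuple
    payload: bytes


class NetworkPolicy:
    """Model of 'Block connections without VPN' (VPN lockdown)."""

    def __init__(self, lockdown_enabled: bool, lockdown_uids: set):
        self.lockdown_enabled = lockdown_enabled
        self.lockdown_uids = lockdown_uids

    def may_send_outside_vpn(self, uid: int) -> bool:
        if not self.lockdown_enabled:
            return True
        if permission_class(uid) == "PERMISSION_SYSTEM":
            return True  # the exemption the bypass relies on
        return uid not in self.lockdown_uids


class ClosePayloadRegistry:
    """Privileged service that keeps records and replays them on SOCK_DESTROY."""

    def __init__(self, policy: NetworkPolicy, hardened: bool):
        self.policy = policy
        self.hardened = hardened
        self.records = {}

    def register(self, fd: int, record: ClosePayloadRecord) -> None:
        self.records[fd] = record

    def on_sock_destroy(self, fd: int) -> str:
        """Replay the stored payload from system_server.

        Vulnerable mode checks the policy against the sending UID (1000).
        Hardened mode checks it against the UID that registered the record.
        """
        record = self.records.pop(fd)
        subject_uid = record.caller_uid if self.hardened else SYSTEM_UID
        return "sent" if self.policy.may_send_outside_vpn(subject_uid) else "blocked"


def simulate(hardened: bool, lockdown_enabled: bool = True) -> dict:
    """Full sequence: app registers bytes, exits, socket is destroyed later."""
    policy = NetworkPolicy(lockdown_enabled, lockdown_uids={APP_UID})
    registry = ClosePayloadRegistry(policy, hardened)
    record = ClosePayloadRecord(
        caller_uid=APP_UID,
        net_id=100,                      # constructed non-VPN netId
        src=("10.0.0.5", 40000),         # constructed
        dst=("203.0.113.10", 4433),      # constructed collector (TEST-NET-3)
        payload=b"\x00" * 8 + b"NOT-A-QUIC-FRAME",  # arbitrary bytes, not a real frame
    )
    direct = "sent" if policy.may_send_outside_vpn(APP_UID) else "blocked"
    registry.register(fd=7, record=record)
    deferred = registry.on_sock_destroy(fd=7)  # the app has already exited
    return {"direct_send_by_app": direct, "deferred_send_by_system": deferred}


if __name__ == "__main__":
    print("vulnerable:", simulate(hardened=False))
    print("hardened:  ", simulate(hardened=True))
```

The model shows the two-step failure: the app's own send is blocked by lockdown, but the deferred replay succeeds because the service checks its own UID rather than the registrant's. Binding the policy decision to `record.caller_uid` closes that gap in the model; in the real service, validating that the payload is actually a QUIC CONNECTION_CLOSE frame would be the complementary fix for the "generic payload cannon" point.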

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://lowlevel.fun/posts/tiny-udp-cannon-android-vpn-bypass/

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting -> Android VPN / Network Policy Bypass, or a new subsection under Android Applications Pentesting about Binder/hidden API abuse and VPN lockdown bypasses".

Repository Maintenance:

  • MD Files Formatting: 974 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
