[Question] Update Risks on Desktop and Mobile

[issuant]

I have checked if others have suggested this already

• I have checked this issue tracker to see if others have reported similar issues.

Feature description

What happens when the app is being updated while the device is connected to the internet? Does the kill switch kick in or are such protections removed during the update process, introducing privacy risks?

Alternative solutions

n/a

Type of feature

• Better privacy/anonymity
• Better at circumventing censorship
• Easier to use
• Other

Operating System

• Android
• iOS
• Windows
• macOS
• Linux

[dlon]

Hello! Yes, the desktop app does block during upgrades while the tunnel is down. Android should also prevent leaks if you have enabled "Block connections without VPN"

[Ammako]

Yes, the desktop app does block during upgrades while the tunnel is down.

Yeah... that's absolutely not true.

I run the updater, it stalls and fails to update, during which the app is force closed, the tunnel is killed, and lockdown mode is not in effect anymore. Firefox fails to connect to websites during that time, but everything else just connects outside of the VPN... so, massive leak.

The updater needs to be run a second time afterwards, then it succeeds and lockdown mode gets properly applied again.

[issuant]

but everything else just connects outside of the VPN

@dlon Please reopen. This is a massive problem.

[dlon]

@Ammako

Thank you for telling us! We take leaks very seriously.

I tried reinstalling the app on Windows and couldn't produce any leaks outside the tunnel that were visible in Wireshark, except to the Mullvad API. Note that the system service reconnects after the upgrade even if the GUI is not restarted.

Would you like to provide some more information on how you observed the leaks? As well as OS version, app version, etc.

Edit:

I run the updater, it stalls and fails to update

It is true that it may unblock if the installer fails to update after removing the old version. It should display an error message to that effect before actually unblocking anything. Is this what you are referring to?

[Ammako]

I'll make a recording later.

It is true that it may unblock if the installer fails to update after removing the old version. It should display an error message to that effect before actually unblocking anything. Is this what you are referring to?

It kills the app very soon after it tries to update, the wireguard tunnel doesn't exist in Network Connections anymore, everything is unblocked. Several moments later, it complains that it wasn't able to close the running app and that it can't update. Everything remains unblocked until I re-run the updater a second time, where it installs correctly and sets up the tunnel again.

FreeTubeApp/FreeTube#3324
signalapp/Signal-Desktop#7015

Same thing with them, it doesn't happen to everyone and nobody's ever figured out the problem. It's not a big problem for them, but for Mullvad, it's a big problem if it can't keep lockdown mode active until it successfully reinstalls.

[Ammako]

Can I share the recording via email?

A possible workaround would be to use socks5 proxy system-wide, then connections will fail if mullvad isn't running. but Firefox kinda breaks on Windows if socks5 proxy is set up, and there's no way to exclude apps from the proxy (and I don't want to have to rely on some third party proxy software either.)

[issuant]

nobody's ever figured out the problem

This is no fix but until this is sorted, if it can even be sorted, should the updater warn that airplane mode should be turned on until after the update is successfully applied?

[issuant]

This unfortunately disappeared due to a Github issue but now it is back. Can this be reopened?

[dlon]

Let's reopen it for now.

@Ammako You can try to email a video/video link to [email protected] or send a link here and I'll have a look.

[Ammako]

2025-01-26.08-33-39.mp4

[dlon]

@Ammako Thank you! It should definitely warn before unblocking least. I've added this to our backlog.

There are two things going on here. One is that the installer fails to remove the old version. The other is that it doesn't warn you if it fails and unblocks everything.

If you're interested in figuring out the first part, you could use https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer to see which process has some handle open to something in (probably) C:\ProgramData\Mullvad VPN or C:\Program Files\Mullvad VPN.

[Ammako]

That would help, if there were even any files left behind when it claims to be unable to uninstall the previous version. These directories don't exist anymore, and there are no file handles open for anything containing "mullvad" or "uninstall."

[Ammako]

So the proxy helps a bit, but of course, not everything respects system proxy settings and there isn't a way to enforce that everything must respect system proxy settings, so be aware.