https://habr.com/ru/articles/1020080/
This problem affects most of Russia. The Ministry of Digital "Development" is now actively requiring all services (banks, marketplaces, and so on) to introduce a system that tracks the source IP of the VPN and sends it to Roskomnadzor, which handles all censorship in the country. So, in effect, almost any popular Russian application will become spyware.
Title: Critical Vulnerability: Unauthenticated local SOCKS5 proxy leaks exit IP and bypasses split tunneling
Description:
NekoBox currently runs a local SOCKS5 proxy without authentication. This is a critical privacy flaw: any malicious app or state-sponsored spyware installed on the same device can bypass VpnService per-app split tunneling entirely, because the proxy accepts connections from any local client regardless of which apps were routed through the tunnel.
Since the loopback interface (127.0.0.1) remains reachable even from Android private spaces and work profiles (Knox, Shelter, Island), any app can scan the usual localhost ports, connect to the open SOCKS5 proxy, send a request through it, and thereby learn the real exit IP of the VPN server (for example by contacting an IP-echo service through the proxy). Censors are actively weaponizing this exact method to discover and block personal VPN nodes.
Proof of Concept (PoC):
Per-app split tunneling bypass: https://github.com/runetfreedom/per-app-split-bypass-poc
Advanced VPN port detector: https://github.com/cherepavel/VPN-Detector
Proposed Solution:
Implement mandatory username/password authentication (RFC 1929) for the local SOCKS5 proxy, so that an anonymous local client is refused at the method-negotiation step.
Disable UDP relaying (UDP ASSOCIATE) whenever SOCKS5 authentication is enabled: RFC 1928 authenticates only the TCP control connection, and the relayed UDP datagrams themselves carry no credentials, so the leak would remain open over UDP if the relay stays active.
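To make the check concrete, here is an added example (not NekoBox code and not the code from the PoC repositories above) that performs only the SOCKS5 greeting and method-selection step from RFC 1928 against loopback ports and reports whether the proxy would accept an anonymous client (the vulnerable state) or demands username/password (the proposed fix). The port list is an assumption for illustration, and the stub server is a constructed test double so the probe can be run offline.

```python
"""Probe 127.0.0.1 for a SOCKS5 proxy that accepts unauthenticated clients.

Added example, not NekoBox's own code. It sends the RFC 1928 client
greeting offering both NO AUTH and USERNAME/PASSWORD and inspects which
method the server selects. A proxy that selects NO AUTH is reachable by
any local app and bypasses per-app split tunneling.
"""
import socket
import threading

SOCKS_VERSION = 0x05
NO_AUTH = 0x00          # RFC 1928: no authentication required
USER_PASS = 0x02        # RFC 1929: username/password
NO_ACCEPTABLE = 0xFF    # server rejects every offered method

# Assumed list of ports commonly used by local proxy apps; not taken
# from the original issue.
DEFAULT_PORTS = (1080, 2080, 7890, 10808)


def build_greeting(methods=(NO_AUTH, USER_PASS)):
    """Client greeting: VER, NMETHODS, METHODS (RFC 1928 section 3)."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_method_selection(reply):
    """Server reply is VER, METHOD. Returns the selected method or None
    when the reply is not a SOCKS5 method selection."""
    if len(reply) != 2 or reply[0] != SOCKS_VERSION:
        return None
    return reply[1]


def probe_socks5(host="127.0.0.1", port=1080, timeout=1.0):
    """Classify what is listening on host:port.

    'open'       -> SOCKS5 proxy that accepts anonymous clients (vulnerable)
    'auth'       -> SOCKS5 proxy that requires username/password (fixed)
    'refused'    -> SOCKS5 proxy that rejected both methods (or chose another)
    'not-socks5' -> something answered, but not with a SOCKS5 reply
    'closed'     -> nothing listening / connection error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_greeting())
            method = parse_method_selection(s.recv(2))
    except OSError:
        return "closed"
    if method is None:
        return "not-socks5"
    if method == NO_AUTH:
        return "open"
    if method == USER_PASS:
        return "auth"
    return "refused"


def scan_localhost(ports=DEFAULT_PORTS, host="127.0.0.1"):
    """Probe each port and return {port: state}."""
    return {p: probe_socks5(host, p) for p in ports}


class StubSocks5Server:
    """Constructed test double: answers every greeting with a fixed method,
    standing in for a real proxy so the probe can be exercised offline."""

    def __init__(self, method):
        self.method = method
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))   # ephemeral port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:          # listening socket closed
                return
            with conn:
                head = conn.recv(2)  # VER, NMETHODS
                if len(head) == 2 and head[0] == SOCKS_VERSION:
                    conn.recv(head[1])  # consume the offered methods
                    conn.sendall(bytes([SOCKS_VERSION, self.method]))

    def close(self):
        self.sock.close()


if __name__ == "__main__":
    for port, state in scan_localhost().items():
        print(f"127.0.0.1:{port} -> {state}")
```

Run it on the device (for instance from Termux) while NekoBox is active: a result of `open` on the proxy port reproduces the issue, and after the fix the same port should report `auth`. Note that this probe never sends a CONNECT, so it does not generate any traffic through the tunnel.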