Bypassing Always-On VPN State in Android 7.0

Bypassing Always-On VPN State in Android 7.0

CVE-2016-3887 · MEDIUM Severity

AV:N/AC:M/AU:N/C:P/I:P/A:P

providers/settings/SettingsProvider.java in Android 7.0 before 2016-09-01 does not properly enforce the DISALLOW_CONFIG_VPN setting, which allows attackers to bypass an intended always-on VPN state via a crafted application, aka internal bug 29899712.

Learn more about our Cis Benchmark Audit For Google Android.