Meta's WhatsApp app under certain network conditions will try to bypass Android VPN settings using Google Public DNS servers even when (a) the OS settings "Always-on VPN" and "Block connections without VPN" are enabled, (b) port 53 is forwarded to a local address,^1 (c) DNS settings under "Network details" for the router point to local addresses only and (d) "Mobile data" is disabled for the SIM and the phone has no access to cellular data (e.g., MMS will fail).
Even the Google pre-installed system apps don't do this.
Meta's attempts to conduct surveillance go further than ignoring the sec-gpc header. Meta tries to bypass Android's built-in VPN and the system DNS settings.
I use a computer I can reasonably control, i.e., one running an OS I compiled myself, as the gateway for the phone so traffic destined for 8.8.8.8 and 8.8.4.4 is blocked by the gateway's firewall. (TLS forward proxy on the gateway also adds sec-gpc header to all HTTP/HTTPS traffic^2)
1. For example, using PCAPDroid or NetGuard
2. In addition to HTTPS traffic, Meta's WhatsApp app sends some requests over unencrypted HTTP, too, e.g., destined for c.whatsapp.net
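The gateway-side check described in the comment above can be audited from firewall logs. The following is an added example, not part of the original comment: it flags any flow to the Google Public DNS addresses named there, plus port-53 traffic to anything other than the local resolver, and separates blocked attempts from flows that actually left the gateway. The log format, the LAN addresses and the local resolver address are assumptions, and the sample lines are constructed.

```python
import ipaddress

# Assumptions (not from the original comment): the log line format and the
# local resolver address are hypothetical. Only the two Google Public DNS
# addresses and port 53 come from the comment itself.
GOOGLE_PUBLIC_DNS = {ipaddress.ip_address(a) for a in ("8.8.8.8", "8.8.4.4")}
LOCAL_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}
DNS_PORT = 53

# Constructed sample: "<epoch> <proto> <src> <dst> <dport> <action>"
SAMPLE_LOG = """\
1700000000 udp 192.168.1.50 192.168.1.1 53 pass
1700000003 udp 192.168.1.50 8.8.8.8 53 block
1700000004 tcp 192.168.1.50 8.8.4.4 443 block
1700000009 tcp 192.168.1.50 203.0.113.10 443 pass
1700000012 udp 192.168.1.50 198.51.100.53 53 pass
malformed line
"""

def parse_line(line):
    """Return a flow record dict, or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, proto, src, dst, dport, action = parts
    try:
        return {"ts": int(ts), "proto": proto, "action": action,
                "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "dport": int(dport)}
    except ValueError:
        return None

def classify(rec):
    """Name the policy a flow violates, or None if it is allowed."""
    if rec["dst"] in GOOGLE_PUBLIC_DNS:
        return "google-public-dns"   # any port, as the gateway rule blocks all
    if rec["dport"] == DNS_PORT and rec["dst"] not in LOCAL_RESOLVERS:
        return "off-policy-dns"      # DNS to a resolver other than the local one
    return None

def audit(log_text):
    """Return (ts, src, dst, dport, reason, action) for each violating flow."""
    findings = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        reason = classify(rec)
        if reason:
            findings.append((rec["ts"], str(rec["src"]), str(rec["dst"]),
                             rec["dport"], reason, rec["action"]))
    return findings

def leaked(findings):
    """Violating flows the firewall passed, i.e. gaps in the rule set."""
    return [f for f in findings if f[5] == "pass"]
```

An empty result from `leaked(audit(...))` means every bypass attempt seen was blocked; a non-empty one points at a resolver the firewall rules do not yet cover.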