Can Android apps use WebRTC, or is WebRTC only available in browsers?
If Android apps can use WebRTC, how can it be blocked per app or system-wide to prevent IP address leaks?
This could be a huge privacy risk, if you use android, VPN cannot help you to hide yourself from any app that use webrtc.
Definitely Android apps can use WebRTC, and basically any apps that do voice or video calling very likely do.
But more importantly, they don’t even need WebRTC, because they can open up any sockets and communicate anything, unlike the browser that’s more limited.
Like, any app with network permissions can just call out to any server, which will then have the IP of the client. WebRTC not required.
So yeah, you need all of the networking to go through a VPN to protect against this, if it’s important to you.
WebRTC isn’t magic. WebRTC does not bypass a VPN, nor is it the only–or even most common–way that software on your phone, Android or otherwise, can exfiltrate potentially sensitive information, intentionally or unintentionally. The way WebRTC on your phone might leak an IP is that during ICE, which is used by more than just WebRTC, the phone’s local IP addresses may be sent, and IPv6 addresses on your WiFi or cell connection may be globally unique. IPv4 local addresses will almost certainly be meaningless, private addresses due to IPv4 address space exhaustion, and any non-local address will be from your VPN gateway.
You cannot block ICE per app or system wide because it is not a system facility, and the permissions required to implement it on Android are not very specific.
Alway on vpn, block connections without vpn
