WebRTC is an innovation that allows real-time peer-to-peer (P2P) communication and file sharing within a browser. With WebRTC, there’s no more need to download apps (like Skype and Viber) or any browser plug-ins. In fact, Skype has ventured into WebRTC, so that tells you how WebRTC is changing the web communication industry.
You may be taking advantage of WebRTC already if you’re using Facebook products like Messenger, Facebook Live, Workplace by Facebook, and Instagram Live Video Chat. Then there’s also Amazon Alexa, Connect, and Mayday which are using the technology as well. However, it is with Google Hangouts where WebRTC has started it all.
Disabling WebRTC in Chrome for Android
This is all good, but there’s a downside: WebRTC poses a danger to VPN users. That’s because a browser needs to get the real IP address of the other browser it is communicating with. Even in the presence of a VPN, WebRTC can detect a user’s IP address by using a sophisticated technique.
As WebRTC is supported by most browsers (including Google Chrome for Android), IP leaks become a problem even if you’re using a VPN specifically for Android.
WebRTC leak tests
Here’s the test result of an Android device showing a partial WebRTC leak. As you can see, the device’s local IP address is shown:
The following image also shows a WebRTC leak. But this time, it looks like the VPN was able to handle it. Here, the VPN’s public IP address is shown:
We also used ExpressVPN’s WebRTC leak detector. The result is shown below:
While we are on the subject of VPN testing, it will be good for you to regularly test your VPN. A thorough VPN test helps avoid privacy risks like IP leaks, DNS leaks, and IPv6 leaks. Early detection of problems (if any) is better than learning about the issues after your data has been compromised.
How to disable WebRTC in Chrome for Android
While it’s scarier to see your actual IP address in the leak test result, all scenarios we described above are not ideal for your privacy.
Fun fact: WebRTC is far more likely to be used by a website to get your IP address than it is to enable real-time audio/video. Learn more about WebRTC and privacy from @shivan_kaul https://t.co/qppNJV66VO
— Mallory (@MalloryKnodel) July 25, 2018
This only shows that a leak is happening and that people with bad intentions can take advantage of this vulnerability.
Thankfully, there is a way to disable WebRTC in Chrome Android, unlike in other browsers where you have to rely on extensions.
Follow the steps below to disable WebRTC on Chrome for Android:
- Type in chrome://flags/ in the address bar.
- Type WebRTC on the search box to easily find all settings related to WebRTC.
- Look for WebRTC Stun origin header, and disable it. Note that some websites advise having this setting enabled. Our tests have shown that you must disable it.
- You may also disable WebRTC hardware video decoding and WebRTC hardware video encoding. If it makes you feel better, go ahead and disable all WebRTC-related settings there.
- Tap on Relaunch Now.
- Test for WebRTC leak again. We used BrowserLeaks. Although RTCPeerConnection and RTCDataChannel are still true, there’s no more IP address detection.
It’s the same result with ExpressVPN’s WebRTC test, as shown below:
Disabling WebRTC in other browsers
As previously mentioned, WebRTC is supported by most browsers, including Firefox, Opera, and Chrome for desktop.
While Chrome for Android has a built-in capability to disable WebRTC, for other browsers, it’s not as easy as that. Still, it’s possible to turn off WebRTC on other browsers.
To date, VPN providers have not yet developed any WebRTC leak prevention feature. As a VPN user, the burden of avoiding WebRTC leaks lies with you. Aside from disabling WebRTC in the browsers you use, the only thing to do for now is to choose a VPN provider that’s tested and proven.