The tracking technique described at https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/ is prevented by Vanadium's default "Disabled non-proxied UDP" value. It's also prevented by "Default public interface only", which does permit peer-to-peer connections but won't try to use the loopback interface for it.

We have a list of most of the features provided by Vanadium at https://grapheneos.org/features#vanadium. There are dozens of additional privacy and security features planned along with data import/export and improved support for system backups. It takes time to implement these things properly.

Vanadium doesn't have billions or even millions of users which limits our ability to prevent fingerprinting. We plan to address this by launching it for use outside GrapheneOS including publishing it through the Play Store. We want to implement more of the planned features first.

For the non-WebRTC issue being abused by Yandex, Chromium 137 shipped a fix for it behind a feature flag that's being gradually rolled out. We can roll this out to 100% of Vanadium users through a Vanadium Config update. We can start Alpha testing for that new flag later today.

@GrapheneOS Great - I will wait for the Alpha release for testing.

@lusca Note it will just be an Alpha release of Vanadium Config since we have that to avoid needing browser updates to change flags or update content filters. Chrome simply fetches flags from a server and it's largely based on randomized subsets of users for different feature trials. We prefer rolling out the flag changes via our Alpha, Beta and Stable channel system to 100% of the users on each channel via Vanadium Config. We don't like doing staged rollouts or A/B testing the way they do it.