What’s that thing Google is pushing, where the CAs basically push a list of all the certs they issue? Is that live? Maybe Amazon issued you a key, and then published it in a list of “domains I’ve issued keys for”, and they’re just watching that list?

Unless that’s not a thing, or not a thing yet, or I’m fully misremembering…

Definitely Android apps can use WebRTC, and basically any apps that do voice or video calling very likely do.

But more importantly, they don’t even need WebRTC, because they can open up any sockets and communicate anything, unlike the browser that’s more limited.

Like, any app with network permissions can just call out to any server, which will then have the IP of the client. WebRTC not required.

So yeah, you need all of the networking to go through a VPN to protect against this, if it’s important to you.