Could a desktop application disclose location even if a VPN is used?

As you noted, "languages/keyboards" may help.

But it can be improved with "TimeZone"

Also, if the application has enough privilege, it may:

  • Ask the operating system what is the location
  • Ask the list of Wifi in range and if any one of them have a known location
  • If it can read your personal files it may - for example - reads pictures location metadata.

More complicated but feasible: - If it can reads the host file, it may use domains with known geoip DNS to detect where the computer was before using the VPN

Recent example - on android: an application without the "location" privilege (nor the "picture" one, but irrelevant here) could take a picture and reads it's metadata to locate the user. So a VPN would be useless if the phone OS had register an accurate position using GPS or Wifi: https://www.checkmarx.com/blog/how-attackers-could-hijack-your-android-camera


The short answer is that it depends on how the VPN is set up. If truely all network traffic passes through the proxy, then the computer only knows the outside world through the proxy.

But there are many ways for traffic to not go through the proxy, and indeed, the application might attempt to bypass the proxy.