For security purposes, a mobile device can be configured to route application network traffic through an encrypted network tunnel, such as a virtual private network (VPN). This configuration is especially useful when the mobile device is connected to the Internet through an open Wi-Fi access point, where any device can eavesdrop on the network traffic. This configuration is also useful in situations where the mobile device is connected to a secured network to which untrusted devices can be connected, or if the operator of the network (or intermediate networks) cannot be trusted. Also, the use of a VPN can be necessary to connect to resources hosted on an organization's private network or intranet.
An organization might have different security requirements or preferences for different applications or different classes of data. For example, an organization might require a particular application's network traffic to be routed through a VPN that employs a particular encryption level, defined by the size of the encryption key used to create an encrypted tunnel over the Internet. More sensitive data might require a greater degree of encryption. Less sensitive data might require less encryption, or a smaller encryption key for the encrypted channel or tunnel. In some examples, an organization's policy might allow certain data from certain applications or certain types of data to be sent over a network without any encryption.
However, VPN clients and endpoints often take an all-or-nothing approach to creating encrypted tunnels. For example, if a VPN configuration specifies that a VPN should be employed for an application, a single encrypted channel or tunnel is created, and all network traffic that the tunnel client on the device routes through the tunnel is encrypted in the same way.