Many Android VPN apps are not secure: CSIRO


By Dylan Bushell-Embling
Friday, 27 January, 2017


Many Android VPN-based apps, despite often being presented as designed to increase a user’s security and privacy, may actually have the opposite effect.

A CSIRO study of 283 Android VPN apps listed on the Google Play store found that while 67% of the identified apps offer services putatively to enhance online privacy and security, 75% use third-party tracking libraries and 82% request access to sensitive data such as user contacts and text messages.

The report also found that over 38% of the apps contain some form of malware.

Furthermore, 16% of the analysed apps appear to forward traffic through other participating users’ devices in a peer-forwarding manner — raising a host of trust, security and privacy concerns — and 18% implement tunnelling protocols that lack encryption.

Two of the VPN apps were found to be actively injecting JavaScript code into users’ traffic for advertising and tracking purposes, while four compromise users’ root certificate store and actively perform TLS interception in transit. Three of these selectively intercept traffic specific to online services including social networks, banking, e-commerce sites, email and IM services.

As opposed to desktop-based VPNs, which require root access to perform their roles, Android VPNs can use the operating system’s native support, the report states. But this raises serious security concerns, as it allows an app to intercept and take full control of a user’s traffic.

While Android alerts users about the risks of granting VPN permission through system dialogues and notifications when an app is installed, a large number of mobile users may not be technically literate enough to understand the potential implications.

“Our results show that — in spite of the promises for privacy, security and anonymity given by the majority of VPN apps — millions of users may be unawarely subject to poor security guarantees and abusive practices inflicted by VPN apps,” the report states.

The CSIRO used a suite of custom-designed tests to probe the 283 VPN apps.

Image courtesy of Phil Campbell under CC
