Majority of Android VPNs can’t be trusted to make users more secure
Dan Goodin
Over the past half-decade, a growing number of ordinary people have come to regard virtual private networking software as an essential protection against all-too-easy attacks that intercept sensitive data or inject malicious code into incoming traffic. Now, a comprehensive study of almost 300 VPN apps downloaded by millions of Android users from Google's official Play Market finds that the vast majority of them can't be fully trusted. Some of them don't work at all.
According to a research paper that analyzed the source code and network behavior of 283 VPN apps for Android:
- 18 percent didn't encrypt traffic at all, a failure that left users wide open to man-in-the-middle attacks when connected to Wi-Fi hotspots or other unsecured networks.
- 16 percent injected code into users' Web traffic to accomplish a variety of objectives, such as image transcoding, which is often intended to make graphic files load more quickly. Two of the apps injected JavaScript code that delivered ads and tracked user behavior. Script injected at this point runs with the same access to the page as the site's own code, so the technique can just as easily be used maliciously.
- 84 percent did not tunnel IPv6 traffic, and 66 percent did not tunnel domain name system (DNS) queries, leaving both to travel over the local network where they can be monitored or manipulated.
- Of the 67 percent of VPN products that specifically listed enhanced privacy as a benefit, 75 percent used third-party tracking libraries to monitor users' online activities.
- 82 percent requested permissions to sensitive resources such as user accounts and text messages.
- 38 percent contained code that was classified as malicious on VirusTotal, a Google-owned service that aggregates the scanning capabilities of more than 100 antivirus tools.
- Four of the apps installed their own certificates on the device, which let the apps intercept and decrypt transport layer security (TLS) traffic sent between the phones and encrypted websites.
The researchers, from Australia's Commonwealth Scientific and Industrial Research Organisation (CSIRO), the University of New South Wales, and the University of California at Berkeley, wrote in their report:
Our results show that—in spite of the promises for privacy, security, and anonymity given by the majority of VPN apps—millions of users may be unawarely subject to poor security guarantees and abusive practices inflicted by VPN apps... Despite the fact that Android VPN-enabled apps are being installed by millions of mobile users worldwide, their operational transparency and their possible impact on user's privacy and security remains terra incognita even for tech-savvy users.
Not every behavior called out in the report is an automatic indication of a privacy or security failing. A variety of VPNs have been called out in the past for leaking IPv6 and DNS traffic. In some cases, the shortcomings compromise only anonymity rather than allowing attackers to monitor or manipulate traffic to and from a phone: a DNS leak, for instance, reveals to the local network which domains the user is visiting even when the rest of the session is encrypted. Still, most security and privacy experts agree that, at a minimum, the behaviors found in the study are things VPN developers should avoid.
One of the few apps to be lauded in the study was F-Secure Freedome VPN, made by the Finnish security company F-Secure. In keeping with F-Secure's marketing promises, the app blocks all traffic to a pre-defined list of Web- and mobile-tracking domains, including Google Ads, DoubleClick, Google Tag, and comScore. The researchers found at least one site, nytimes.com, where Freedome interfered with embedded video content because the app blocked some of the JavaScript served by the domain. Other than that, one of the researchers told Ars, Freedome had no issues. A license costs $50 per year and covers three devices running Android, Windows, macOS, or iOS.
The research was based on Google Play apps that, as of November, declared a service protected by the BIND_VPN_SERVICE permission. That declaration marks an app as a VPN client; once the user grants consent, Android routes the device's traffic through the app, giving it the ability to intercept and take full control of everything flowing over the phone or tablet. The results don't take into account apps that have been added, removed, or modified since then. Still, however the Google Play offerings have changed in the past two months, the findings should serve as a wakeup call for anyone using a VPN app on an Android device. Those relying on an app that isn't Freedome should consider dumping it, or at least suspending use of it, until they have reviewed how the app actually behaves.
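The IPv6 and DNS leaks listed among the findings, and the BIND_VPN_SERVICE mechanism described in the paragraph above, both come down to what a VPN app tells Android to route into its tunnel. The following is an added example written for this page; it is not code from the article, from the cited study, or from any of the apps it examined. The class name, the tunnel addresses and the resolver addresses are assumptions. It shows a VpnService.Builder configuration with the leak (an IPv4-only default route and no DNS server) next to one that claims both default routes and pushes resolvers into the tunnel.

```java
// Added example, not from the article or the study it reports on.
// An Android VpnService only receives the traffic it claims through
// Builder.addRoute() and Builder.addDnsServer(); anything it does not
// claim keeps using the Wi-Fi or cellular interface outside the tunnel.
//
// The manifest entry that put an app in the study's sample (the permission
// ensures only the system can bind the service):
//
//   <service android:name=".ExampleVpnService"
//            android:permission="android.permission.BIND_VPN_SERVICE">
//       <intent-filter>
//           <action android:name="android.net.VpnService" />
//       </intent-filter>
//   </service>
import android.content.Intent;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;

import java.io.IOException;

public class ExampleVpnService extends VpnService {
    // Hypothetical tunnel-side addresses; a real client negotiates these
    // with its server.
    private static final String TUN_IPV4 = "10.8.0.2";
    private static final String TUN_IPV6 = "fd00:8::2";
    private static final String DNS_IPV4 = "10.8.0.1";
    private static final String DNS_IPV6 = "fd00:8::1";

    private ParcelFileDescriptor tun;

    // LEAKY: the pattern behind the study's IPv6 and DNS findings.
    // Only the IPv4 default route is claimed and no resolver is set, so
    //  - IPv6 packets follow the device's normal default route, and
    //  - DNS queries go to the hotspot's resolver in the clear,
    // even while IPv4 payload inside the tunnel is encrypted.
    ParcelFileDescriptor buildLeaky() {
        return new Builder()
                .setSession("leaky-vpn")
                .addAddress(TUN_IPV4, 32)
                .addRoute("0.0.0.0", 0)
                .establish();
    }

    // HARDENED: claim both default routes and set resolvers that are
    // reachable only through the tunnel.
    ParcelFileDescriptor buildHardened() {
        return new Builder()
                .setSession("hardened-vpn")
                .addAddress(TUN_IPV4, 32)
                .addAddress(TUN_IPV6, 128)
                .addRoute("0.0.0.0", 0)   // all IPv4
                .addRoute("::", 0)        // all IPv6; without this it leaks
                .addDnsServer(DNS_IPV4)   // queries now travel inside the tunnel
                .addDnsServer(DNS_IPV6)
                .setMtu(1400)
                .establish();
    }

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        if (tun == null) {
            // Swap in buildLeaky() to reproduce the leaking configuration.
            tun = buildHardened();
            // A real client now reads raw IP packets from
            // tun.getFileDescriptor(), encrypts them, and writes them to its
            // server socket (omitted here).
        }
        return START_STICKY;
    }

    @Override
    public void onDestroy() {
        if (tun != null) {
            try {
                tun.close();
            } catch (IOException ignored) {
            }
            tun = null;
        }
        super.onDestroy();
    }
}
```

establish() returns null unless the user has already consented through the Intent returned by VpnService.prepare(), which is why a VPN app on Android always shows a system consent dialog before it can capture anything. Note also that correct routing says nothing about confidentiality: everything read from the tunnel descriptor leaves the phone in whatever form the client chooses to send it, which is how the 18 percent of apps in the study could claim all traffic and still forward it unencrypted.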