Android VPN App Security Analyzed
July 12, 2017
Here’s an important warning for users of mobile devices—beware VPN apps in the Google Play store. That’s the upshot of a white paper from Australian research organization CSIRO, “An Analysis of the Privacy and Security Risks of Android VPN Permission-Enabled Apps.” Researchers found, for example, that 18% of VPN apps in the Google Play store do not actually encrypt anything, and 38% harbor malware of some sort.
The in-depth paper describes the investigation into four main areas of concern: third-party user tracking and permissions access; malware presence; traffic interception; and user awareness of potential risks. The researchers specify:
In this paper we provide a first comprehensive analysis of 283 Android apps that use the Android VPN permission, which we extracted from a corpus of more than 1.4 million apps on the Google Play store. We perform a number of passive and active measurements designed to investigate a wide range of security and privacy features and to study the behavior of each VPN-based app. Our analysis includes investigation of possible malware presence, third-party library embedding, and traffic manipulation, as well as gauging user perception of the security and privacy of such apps. Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as use of insecure VPN tunneling protocols, as well as IPv6 and DNS traffic leakage. We also report on a number of apps actively performing TLS interception. Of particular concern are instances of apps that inject JavaScript programs for tracking, advertising, and for redirecting e-commerce traffic to external partners.
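The abstract’s first step, pulling out the apps that use the Android VPN permission, is something an auditor can reproduce on a single decoded manifest. The script below is an added example written for this post; it is not code from the CSIRO paper or the post’s author. It assumes a decoded AndroidManifest.xml as input, uses the real permission name `android.permission.BIND_VPN_SERVICE` and intent action `android.net.VpnService`, and flags two things the paper’s concerns point at: a VPN service declared without the BIND_VPN_SERVICE guard (so any app, not only the system, could bind to it) and sensitive permissions requested alongside VPN capability (the watch-list of permissions is a constructed, assumed choice). The sample manifests are constructed.

```python
"""Triage a decoded AndroidManifest.xml for VPN-permission-enabled apps.

Added example, not part of the CSIRO paper or the post. Reproduces the
paper's selection criterion (does the app use the Android VPN permission?)
and reports what an auditor would check next.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
VPN_PERMISSION = "android.permission.BIND_VPN_SERVICE"  # real Android permission
VPN_ACTION = "android.net.VpnService"                    # real VpnService intent action

# Constructed watch-list (assumption): permissions that deserve a second look
# when combined with the ability to see all of a device's traffic.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.GET_ACCOUNTS",
}


def analyze_manifest(xml_text: str) -> dict:
    """Return a summary of VPN usage and risky permission combinations."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}

    vpn_services = []
    for svc in root.iter("service"):
        guard = svc.get(ANDROID_NS + "permission")
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        # A VpnService is recognised by its intent action; Android expects it
        # to be guarded by BIND_VPN_SERVICE so only the system can bind to it.
        if VPN_ACTION in actions or guard == VPN_PERMISSION:
            vpn_services.append({
                "name": svc.get(ANDROID_NS + "name"),
                "guarded": guard == VPN_PERMISSION,
            })

    return {
        "package": root.get("package"),
        "vpn_enabled": bool(vpn_services),
        "vpn_services": vpn_services,
        "unguarded_vpn_services": [s["name"] for s in vpn_services if not s["guarded"]],
        "sensitive_permissions": sorted(requested & SENSITIVE),
    }


# Constructed sample: a VPN app that also asks for phone state and location.
SAMPLE_VPN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".TunnelService"
        android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: same service, but the BIND_VPN_SERVICE guard was omitted.
SAMPLE_UNGUARDED_MANIFEST = SAMPLE_VPN_MANIFEST.replace(
    '\n        android:permission="android.permission.BIND_VPN_SERVICE"', "")

# Constructed sample: an ordinary app with no VPN service at all.
SAMPLE_PLAIN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for label, text in [("vpn", SAMPLE_VPN_MANIFEST),
                        ("unguarded", SAMPLE_UNGUARDED_MANIFEST),
                        ("plain", SAMPLE_PLAIN_MANIFEST)]:
        print(label, analyze_manifest(text))
```

Run against a corpus, the `vpn_enabled` flag is the selection step; `unguarded_vpn_services` and `sensitive_permissions` are the fields worth sorting by before any traffic-level testing for DNS or IPv6 leakage.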
The paper concludes by recommending that Android revamp its VPN permission model. It also describes most users as “naïve” about the realities of mobile VPN security. For anyone wishing to educate themselves on the issue, this paper is a good place to turn.
Cynthia Murrell, July 12, 2017