Android VPN App Security Analyzed

July 12, 2017

Here’s an important warning for users of mobile devices—beware VPN apps in the Google Play store. Thats the upshot of a white paper from Australian research organization CSIRO, “An Analysis of the Privacy and Security Risks of Android BPN Permission-Enabled Apps.” Researchers found, for example that 18% of VPN apps in the Google Play store do not actually encrypt anything, and 38% harbor malware of some sort.

The in-depth paper describes the investigation into four main areas of concern: third-party user tracking and permissions access; malware presence; traffic interception; and user awareness of potential risks. The researchers specify:

In this paper we provide a first comprehensive analysis of 283 Android apps that use the Android VPN permission, which we extracted from a corpus of more than 1.4 million apps on the Google Play store. We perform a number of passive and active measurements designed to investigate a wide range of security and privacy features and to study the behavior of each VPN-based app. Our analysis includes investigation of possible malware presence, third-party library embedding, and traffic manipulation, as well as gauging user perception of the security and privacy of such apps. Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as use of insecure VPN tunneling protocols, as well as IPv6 and DNS traffic leakage. We also report on a number of apps actively performing TLS interception. Of particular concern are instances of apps that inject JavaScript programs for tracking, advertising, and for redirecting e-commerce traffic to external partners.

The paper concludes by recommending Android revamp their VPN permission model. It also describes most users as “naïve” to the realities of mobile VPN security. For anyone wishing to educate themselves on the issue, this paper is a good place to turn.

Cynthia Murrell, July 12, 2017

Written by Stephen E. Arnold · Filed Under Google, Mobile, News, Security

Comments

Comments are closed.

Search the site
Subscribe to Beyond Search
Feature archive
News archive

Stephen E. Arnold monitors search, content processing, text mining and related topics from his high-tech nerve center in rural Kentucky. He tries to winnow the goose feathers from the giblets. He works with colleagues worldwide to make this Web log useful to those who want to go "beyond search". Contact him at sa [at] arnoldit.com. His Web site with additional information about search is arnoldit.com.