VPN - can you trust your Android VPN client?

[sfx2000]

Interesting read from HelpNetSecurity

https://www.helpnetsecurity.com/2017/01/26/trust-android-vpn-client/

A group of researchers has analyzed 283 Android apps from Google Play that use the Android VPN permission in search of possible malware presence, third-party library embedding, and traffic manipulation, and have discovered that:

• 18% of the apps implement tunneling protocols without encryption (despite promising online anonymity and security to users)
• 84% of the apps don’t tunnel IPv6 traffic, and 66% don’t tunnel DNS traffic for a variety of reasons, thus exposing users to online tracking by surveillance agencies or commercial WiFi access points
• 75% of the apps use third-party tracking libraries and 82% request permissions to access sensitive resources (e.g. user accounts, text messages)
• VirusTotal identified malware presence in 38% of the analyzed apps
• 18% of the apps do not mention the entity hosting the terminating VPN server
• 16% of the apps may forward traffic through other participating users rather than use servers hosted in the cloud (and this raises a number of trust, security, and privacy concerns for participating users)
• 16% of the apps deploy non-transparent proxies that modify user’s HTTP traffic. In fact, two of them actively inject JavaScript code into the user’s traffic for advertisement and tracking purposes, and one of them redirects e-commerce traffic to external advertising partners.
• Four of the analyzed VPN apps compromise users’ root-store and actively perform TLS interception, ostensibly in order to optimize traffic to certain services.

 

[staticfree]

Interesting read from HelpNetSecurity

https://www.helpnetsecurity.com/2017/01/26/trust-android-vpn-client/

A group of researchers has analyzed 283 Android apps from Google Play that use the Android VPN permission in search of possible malware presence, third-party library embedding, and traffic manipulation, and have discovered that:

• 18% of the apps implement tunneling protocols without encryption (despite promising online anonymity and security to users)
• 84% of the apps don’t tunnel IPv6 traffic, and 66% don’t tunnel DNS traffic for a variety of reasons, thus exposing users to online tracking by surveillance agencies or commercial WiFi access points
• 75% of the apps use third-party tracking libraries and 82% request permissions to access sensitive resources (e.g. user accounts, text messages)
• VirusTotal identified malware presence in 38% of the analyzed apps
• 18% of the apps do not mention the entity hosting the terminating VPN server
• 16% of the apps may forward traffic through other participating users rather than use servers hosted in the cloud (and this raises a number of trust, security, and privacy concerns for participating users)
• 16% of the apps deploy non-transparent proxies that modify user’s HTTP traffic. In fact, two of them actively inject JavaScript code into the user’s traffic for advertisement and tracking purposes, and one of them redirects e-commerce traffic to external advertising partners.
• Four of the analyzed VPN apps compromise users’ root-store and actively perform TLS interception, ostensibly in order to optimize traffic to certain services.

Since I recently loaded openVPN app on my cell phone I too had (as always) in the back of my mind the question of whether or not these apps had any spyware or viruses embedded in them. I chose the openVPN app and when first executed, it did pop up a screen with settings prompting you to either enable or disable the apps access to much of your personal and private data like contacts, email, phone calling, camera and microphone, location, etc. I selected to not allow all but the "My Location" info. But who knows if it really disables this in the background. Anyway, this article is no surprise but it is completely useless when they don't back up their findings to identify and tell us what apps they tested and found vulnerabilities with. I wish they'd list and name the apps so we can decide which ones are safest and which ones to avoid.

 

[doczenith1]

Anyway, this article is no surprise but it is completely useless when they don't back up their findings to identify and tell us what apps they tested and found vulnerabilities with. I wish they'd list and name the apps so we can decide which ones are safest and which ones to avoid.

Do a search on the web. I've had 3 articles related to this study come through my Google Now feed. One or two of them listed 5-7 apps that I believe Google has removed from the play store.

 

[Atul]

Better download a legitimate VPN app. As far as we see android PlayStore, yes there is much bloatware. Still, there is some good sort of apps which provides you 100% security.