Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Android VPNs Introduce Security, Privacy Risks: Study

Researchers have analyzed hundreds of virtual private network (VPN) applications for Android and determined that many of them introduce serious privacy and security risks.

Researchers have analyzed hundreds of virtual private network (VPN) applications for Android and determined that many of them introduce serious privacy and security risks.

A team of experts from the University of California, Berkeley, the Data 61 research unit at Australia’s Commonwealth Scientific and Industrial Organisation (CSIRO) and the University of New South Wales have analyzed 283 Google Play apps that request the BIND_VPN_SERVICE permission, which provides native support for VPN clients.

After running a series of passive and active tests, researchers determined that while 67% of the analyzed apps claim to enhance privacy and security, three-quarters of them include third-party tracking libraries and 82% of them request access to sensitive information, such as text messages and user accounts.

Experts discovered that more than one-third of these Android VPN apps, including ones that are highly popular, appear to include some malicious code when tested with Google’s VirusTotal service. Worryingly, only a small number of users have raised security or privacy concerns in the comments posted to Google Play when reviewing these applications.

Android VPN analysis

Another problem identified during the study is that 18% of the applications do not provide any information on the entity hosting the VPN server, and 16% of them forward traffic through the devices of other users, which can pose serious trust, privacy and security issues. Furthermore, a small percentage of the apps implemented local proxies designed to inspect user traffic, mainly for filtering and security purposes.

VPN applications are supposed to provide anonymity and security, but researchers found that 18% of the ones from Google Play implement tunneling protocols without encryption, and many of them don’t tunnel IPv6 and DNS traffic.

A small number of Android VPN apps have been found to intercept TLS traffic and even inject JavaScript code for advertising and tracking purposes.

Researchers have contacted the developers of problematic apps and while some of them confirmed the findings and provided arguments in support of their methods, others did not respond.

Advertisement. Scroll to continue reading.

“The ability of the BIND_VPN_SERVICE permission to break Android’s sandboxing and the naive perception that most users have about third-party VPN apps suggest that it is urging to re-consider Android’s VPN permission model to increase the control over VPN clients,” researchers wrote in their paper. “Our analysis of the user reviews and the ratings for VPN apps suggested that the vast majority of users remain unaware of such practices even when considering relatively popular apps.”

The complete paper, titled “An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps,” is available for download in PDF format.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...