Large number of Android VPN apps insecure


Virtual Private Networks (VPN) have evolved from a technology used mostly by businesses to one that is used by more and more home users as well.

The reasons are manifold, but improved privacy and security are two key features that draw a growing number of home users to VPN services and apps.

Without going into too much detail: a VPN routes the device’s traffic through the provider’s VPN server, so the sites and services a user connects to see the server’s IP address rather than the device’s, and observers on the local network (a coffee-shop Wi-Fi, for instance) see only traffic to the VPN server, provided the tunnel is actually encrypted.

Google’s Android operating system has supported third-party VPN clients since Android 4.0, released in October 2011, through the VpnService class.

Once the user accepts the system prompt, a VPN app holding the BIND_VPN_SERVICE permission receives the device’s network traffic through a virtual interface and can read, modify, drop or redirect all of it; in effect it sits outside the sandbox that normally keeps apps from seeing each other’s traffic.


A team of researchers analyzed more than 280 Android VPN applications for privacy and security issues. The results, published in a research paper, show that many free and premium VPN applications on Android are insecure.

Key findings include:

  • 67% of Android VPN applications promised to protect user privacy. 75% of those used third-party tracking libraries, and 82% requested permissions to access sensitive user information such as text messages.
  • 37% of Android VPN applications had more than 500K downloads, and 25% at least a 4-star rating. Over 38% of those applications showed signs of malware on VirusTotal.
  • 18% of all VPN applications implemented tunneling protocols without encryption, so the traffic they carry is readable by anyone on the path.
  • 84% of VPN apps do not tunnel IPv6 traffic, which therefore bypasses the VPN on any network that offers IPv6.
  • 66% of VPN apps do not tunnel DNS traffic, so the names a user looks up are still visible to the local network and its resolver.
  • 18% of VPN applications don’t reveal “the entity hosting the terminating VPN server”, and 16% of apps may route traffic through other users’ devices (peer-to-peer forwarding).
  • 16% of VPN applications deploy non-transparent proxies that modify HTTP traffic, for instance by injecting or removing headers. Two of those inject JavaScript for advertisement and tracking purposes.
  • 4 of the analyzed VPN apps perform TLS interception.
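The IPv6 and DNS leaks and the header tampering in the findings above are things a user can check for mechanically. The script below is an added example written for this article; it is not code from the paper or from any of the apps it studied. It models a VPN app’s configuration the way VpnService.Builder receives it (the networks passed to addRoute(), written here as CIDR strings, and the resolvers passed to addDnsServer()) and reports whether IPv6 or DNS traffic escapes the tunnel, then diffs the HTTP headers a client sent against the headers a test server you control actually received, which is how an injecting or stripping proxy shows up. All configurations and header sets in it are constructed for illustration.

```python
import ipaddress
from typing import Dict, List

# Added example, not from the research paper or the article. Inputs model what
# an Android VPN app hands to VpnService.Builder: networks claimed with
# addRoute() (written as CIDR strings here, an assumption for readability) and
# resolvers set with addDnsServer(). Routes that do not cover all of IPv6 leave
# IPv6 traffic on the physical interface; a resolver that no tunneled route
# covers, or no resolver at all (Android then keeps the underlying network's
# resolvers), sends DNS queries outside the tunnel.

ALL_V4 = ipaddress.ip_network("0.0.0.0/0")
ALL_V6 = ipaddress.ip_network("::/0")


def parse_routes(routes: List[str]):
    return [ipaddress.ip_network(r, strict=False) for r in routes]


def covers_all(routes: List[str], version: int) -> bool:
    """True if the routes of one IP version, merged, cover that whole address space.
    Merging matters: split defaults like ::/1 + 8000::/1 are a full tunnel too."""
    nets = [n for n in parse_routes(routes) if n.version == version]
    merged = list(ipaddress.collapse_addresses(nets))
    return merged == [ALL_V4 if version == 4 else ALL_V6]


def leaking_dns(routes: List[str], dns_servers: List[str]) -> List[str]:
    """Resolvers that are not reachable through any tunneled route (so queries
    to them go out over the physical network, visible to the local resolver)."""
    nets = parse_routes(routes)
    return [s for s in dns_servers
            if not any(ipaddress.ip_address(s) in n for n in nets)]


def audit_vpn_config(routes: List[str], dns_servers: List[str]) -> Dict[str, object]:
    """Summarise the leak checks for one VPN configuration."""
    findings = {
        "ipv4_tunneled": covers_all(routes, 4),
        "ipv6_tunneled": covers_all(routes, 6),
        "dns_leaks": leaking_dns(routes, dns_servers),
        "dns_fallback_to_underlying_network": not dns_servers,
    }
    findings["leaks_detected"] = (not findings["ipv6_tunneled"]
                                  or bool(findings["dns_leaks"])
                                  or not dns_servers)
    return findings


def header_tampering(sent: Dict[str, str], observed: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff the headers a client sent against those a server you control received.
    Header names are case-insensitive, so compare them lowercased."""
    s = {k.lower(): v for k, v in sent.items()}
    o = {k.lower(): v for k, v in observed.items()}
    return {
        "injected": sorted(k for k in o if k not in s),
        "removed": sorted(k for k in s if k not in o),
        "modified": sorted(k for k in s if k in o and s[k] != o[k]),
    }


# Constructed configurations, not taken from any real app.
CONFIGS = {
    "v4_default_only": {"routes": ["0.0.0.0/0"], "dns": ["10.8.0.1"]},           # IPv6 leaks
    "full_tunnel":     {"routes": ["0.0.0.0/0", "::/1", "8000::/1"], "dns": ["10.8.0.1"]},
    "split_corp":      {"routes": ["10.0.0.0/8"], "dns": ["8.8.8.8"]},            # DNS leaks
    "no_resolver_set": {"routes": ["0.0.0.0/0", "::/0"], "dns": []},              # DNS leaks
}

# Constructed header sets: what the probe client sent, and what the test server saw.
SENT = {"Host": "example.test", "User-Agent": "probe/1.0", "X-Request-Id": "abc123"}
SEEN = {"Host": "example.test", "User-Agent": "probe/1.0",
        "X-Forwarded-For": "203.0.113.7", "Via": "1.1 proxy"}

if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        print(name, audit_vpn_config(cfg["routes"], cfg["dns"]))
    print("header diff:", header_tampering(SENT, SEEN))
```

To run it against a real app, feed audit_vpn_config the routes and resolvers the VPN actually installed (visible in the device’s routing tables while the VPN is up) and feed header_tampering the request a test client sent through the VPN alongside the request as logged by a server you operate; anything in the injected or modified lists is the proxy’s doing, and a certificate on that connection that is not the server’s own is TLS interception.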

The research paper does not include the full list of tested Android VPN applications or the issues identified in each of them. That is unfortunate, as it would have helped users make an educated decision about which Android VPN application to install, and to verify that the VPN apps they already have installed are not misbehaving.

Some VPN apps are named, however: the paper lists every app that VirusTotal flagged as potentially malicious, and every app with “egress points in residential ISPs”.

The researchers suggest that Google needs to rethink Android’s VPN permission model, as the current one puts users, most of whom are unaware of these practices, at risk:

The ability of the BIND_VPN_SERVICE permission to break Android’s sandboxing and the naive perception that most users have about third-party VPN apps suggest that it is urging to re-consider Android’s VPN permission model to increase the control over VPN clients. Our analysis of the user reviews and the ratings for VPN apps suggested that the vast majority of users remain unaware of such practices even when considering relatively popular apps.

Now You: do you use a VPN application on your mobile device?