Many Android VPN apps are not secure: CSIRO


By Dylan Bushell-Embling
Friday, 27 January, 2017


Many Android VPN-based apps, despite often being presented as being designed to increase a user’s security and privacy, may actually have the opposite effect.

A CSIRO study of 283 Android VPN apps listed on the Google Play store found that while 67% of the identified apps offer services putatively to enhance online privacy and security, 75% use third-party tracking libraries and 82% request access to sensitive data such as user contacts and text messages.

The report also found that over 38% of the apps contain some form of malware.

Furthermore, 16% of the analysed apps appear to forward traffic through other participating users’ devices in a peer-forwarding manner — raising a host of trust, security and privacy concerns — and 18% implement tunnelling protocols that lack encryption.

Two of the VPN apps were found to be actively injecting JavaScript code into users’ traffic for advertising and tracking purposes, while four compromise users’ root certificate store and actively perform TLS interception in transit. Three of these selectively intercept traffic to specific online services, including social networks, banking, e-commerce sites, email and IM services.

As opposed to desktop-based VPNs, which require root access to perform their roles, Android VPNs can use the operating system’s native support, the report states. But this raises serious security concerns, as it allows an app to intercept and take full control of a user’s traffic.

While Android alerts users about the risks of granting VPN permission through system dialogues and notifications when an app is installed, a large number of mobile users may not be technically literate enough to understand the potential implications.
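The native support referred to above is Android's VpnService, which an app declares in its manifest as a service protected by the BIND_VPN_SERVICE permission. The following added example (not code from the article or the CSIRO study) shows a small defensive check that an app reviewer could run over a manifest decoded to plain XML: it reports whether the app declares a VPN service and which permissions it requests that a VPN has no need for, such as contacts and SMS. The sample manifest and package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions a VPN app has no functional need for; these cover the
# "user contacts and text messages" category from the study.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
}

# Constructed sample manifest (hypothetical package, not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Return a summary of VPN service declarations and sensitive permissions."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    # A VPN service is recognised either by the BIND_VPN_SERVICE permission
    # on the <service> or by the android.net.VpnService intent action.
    vpn_services = [
        s.get(NAME) for s in root.iter("service")
        if s.get(PERMISSION) == "android.permission.BIND_VPN_SERVICE"
        or any(a.get(NAME) == "android.net.VpnService" for a in s.iter("action"))
    ]
    return {
        "package": root.get("package"),
        "declares_vpn_service": bool(vpn_services),
        "vpn_services": vpn_services,
        "sensitive_permissions": sorted(requested & SENSITIVE),
    }


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A non-empty `sensitive_permissions` list alongside `declares_vpn_service` is the combination the study flags: an app that will see all of the user's traffic and also asks for data unrelated to tunnelling.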

“Our results show that — in spite of the promises for privacy, security and anonymity given by the majority of VPN apps — millions of users may be unawarely subject to poor security guarantees and abusive practices inflicted by VPN apps,” the report states.

The CSIRO used a suite of custom-designed tests to probe the 283 VPN apps.

Image courtesy of Phil Campbell under CC
