Your favourite VPN app is harvesting your personal information
25 January 2017 | 0
An analysis of hundreds of Android virtual private network (VPN) apps has found that 18% do not encrypt users’ traffic and 38% inject malware.
The analysis of 283 Android apps that use the Android VPN permission, by researchers from CSIRO, the University of New South Wales and the University of Berkeley, also found that 82% of the apps requested to access sensitive data such as user accounts and text messages.
“Our results show that – in spite of the promises for privacy, security and anonymity given by the majority of VPN apps – millions of users may be unwarily subject to poor security guarantees and abusive practices inflicted by VPN apps,” the paper states.
Even though 67% of the identified VPN apps offered services to enhance online privacy and security, 75% of them were found to use third party tracking libraries.
“Many apps may legitimately use the VPN permission to offer some form of online anonymity or to enable access to censored content. However, malicious app developers may abuse it to harvest users’ personal information,” the researchers said. “According to the number of installs of these apps, millions of users appear to trust VPN apps despite their potential maliciousness.”
Despite the worrying findings, an analysis of user reviews in the Google Play store found that a quarter of the apps received a four star or higher rating, despite the inherent potential for malicious activity. Only a marginal number of users publicly raised any security or privacy concerns in their reviews.
Android’s official documentation highlights the serious security concerns that the VPN permission raises: as it allows an app to intercept and take full control over a user’s traffic.
Users, however, either don’t care or are unaware of the implications: less than 1% had any security or privacy concerns about the apps.
“A large fraction of mobile users may however lack the necessary technical background to fully understand the potential implications,” researchers suggested. “Despite the fact that Android VPN-enabled apps are being installed by millions of mobile users worldwide, their operational transparency and their possible impact on user’s privacy and security remains ‘terra incognita’ even for tech-savvy users”.
Prof Dali Kaafar, CSIRO senior principal researcher in online privacy and security and the paper’s co-author, urged VPN users to read the small print and scrutinise what permissions they gave away.
“Always pay attention to the permissions requested by apps that you download,” he said. “This study shows that VPN app users, in particular, should take the time to learn about how serious the issues with these apps are and the significant risks they are taking using these services.”
The research team contacted the developers behind each app and shared their findings. The responses were mixed. Many didn’t respond, while some of those that did confirmed the findings. One argued that embedding less-popular tracking libraries was the best choice to monetise the app.
IDG News Service