Dear Android users: don't trust your VPN app


According to a new research paper, authored by security researchers from several institutions, including CSIRO and UC Berkeley, Android users who use free VPN apps are at a high risk of security intrusions. A number of such applications have been found to include adware and trojans, along with user tracking libraries and traffic interception mechanisms, while some of them also do not provide encryption of any kind.

A VPN, short for virtual private network, is a commonly used type of security service which, in theory, allows an end user to surf the internet anonymously, bypassing third-party monitoring or censorship. It works by redirecting (and most commonly encrypting) user traffic through a remote server, which incurs a speed penalty but provides more security in return. However, the study, which analyzed free VPN services for Android, found that a large number of apps exhibit troubling behavior that exposes end users to potential risks.

An analysis of VPN services through the online service VirusTotal returned a list of several apps which have more than 5 positives when tested for viruses, with the two worst offenders, OkVpn and EasyVpn, having 24 and 22 hits respectively. The most commonly found type is adware, which typically replaces third-party ads on webpages with its own, more intrusive ones. 18 percent of free VPN apps were found to not encrypt user traffic at all, opening up the possibility of snooping, particularly when connected to a public network. The majority of free apps also do not fully tunnel traffic, leaving some critical data exposed. Two services, HotspotShield and WiFi Protector VPN, were found to inject tracking scripts into webpages, while the former also redirected traffic to e-commerce sites such as eBay and Alibaba through partner websites, letting it make money from users’ purchases. Four apps were also caught using illegitimate self-signed certificates, which give them access to all encrypted traffic on a given device.



The study also made a point of analyzing user awareness of intrusions into their privacy and found that, on average, most users have not expressed public concern about their security when using a VPN service. This is particularly troubling, as it leads to the conclusion that users either do not notice, or simply don’t care, when an application requests sensitive permissions, such as handling text messages, which is a requirement imposed by the OS.

Some things to keep in mind about the study, however, include the fact that the analyzed apps were collected last year, and as a result some of the worst offenders on the list can no longer be found on the Play Store. Also, not all of these security problems are necessarily malicious in intent – some may be just programming errors, while others have been confirmed by the app developers to be intended features. Also worth noting is the fact that paid VPN services were not analyzed as part of this study, and neither were iOS apps of any kind, leaving them innocent until proven otherwise.

source: CSIRO Research via The Verge

43 Comments

1. tiara6918

Posts: 2263; Member since: Apr 26, 2012

My narcissistic father (in other words, psychopath) blocked my internet access at home. I use vpn master on my phone and he didn't even know up till now for several months that I could bypass his block. Since I have no choice, I still will trust vpn apps for now

13. IT-Engineer

Posts: 580; Member since: Feb 26, 2015

You should show respect to your father who pays for everything and brought you to this world and spent countless nights working and so on to ensure that his son gets anything that he needs. You should be grateful that he pays for your internet too.

14. benzb

Posts: 82; Member since: Jan 19, 2012

Agreed. Couldn't have said it better.

20. Plasticsh1t

Posts: 3109; Member since: Sep 01, 2014

Ikr. Some people are really ungrateful.

26. tiara6918

Posts: 2263; Member since: Apr 26, 2012

Before you start criticizing me along with the other 6 people who liked this comment and more. Why don't you educate yourselves more and search what narcissists are about. You don't know the daily verbal and physical abuse I go through every single day. So before criticizing me, know about the facts. You don't know and have a clue what narcissistic parents are so who are you to judge me?

33. GeekOFW

Posts: 59; Member since: Dec 14, 2016

Was he diagnosed with NPD?

39. tiara6918

Posts: 2263; Member since: Apr 26, 2012

My dad manipulated my psychiatrist even told him he only spanked me once throughout my entire childhood and said he was drunk as an excuse. Could you believe that? He also loves questioning and downing me thinking I am stupid. As a car enthusiast myself he even questioned me "do you know what a 4x4 is?" I obviously know answers to such small matters. He even threatened to lock me up to a mental hospital if I didn't obey him because of my mental health (anxiety, depression that was probably caused by him)

28. tiara6918

Posts: 2263; Member since: Apr 26, 2012

Now I am saying this respectfully, please spare a few minutes of your time and search for narcissistic parents on google or youtube and come back to me in the comments section

2. seankay

Posts: 1; Member since: Feb 01, 2017

I have read the whole report and not all the vpns are bad. Some of the good ones including the one I use are not there i.e. purevpn, express etc.

43. LouisColeman

Posts: 2; Member since: Aug 17, 2018

Agreed. I'm also using a vpn and it works really well but it's not there. Nowadays, there are lots of sensational blogs, it just depends on us if we will go with everything sites offer.

3. AlikR

Posts: 45; Member since: Sep 05, 2013

Funny, how it is directed at android users only once again. While they stated that they have not analyzed iOS apps, it already created the unhealthy buzz about android again..Shame...

6. RebelwithoutaClue unregistered

Was wondering about that too. Betternet for example can be found in the Appstore as well and should be as untrustworthy as the Android app.

7. 47AlphaTango

Posts: 742; Member since: Sep 27, 2015

Cause android dominates the mobile industry. Imagine, more than 80% users around the world are using an android device? And most news that comes out on every smartphone blog is about android handsets. Meanwhile the ios comes in second. And the windows products came in third place. So why are you surprised?

9. kiko007

Posts: 7521; Member since: Feb 17, 2016

You can't think things are that cut and dry, can you?

16. mikehunta727 unregistered

If you read more into it, you would know that this stems from Android and not everyone being on latest Nougat version, so VPN's can do basically whatever they want basically on Android. On iOS it isn't a problem because it is more secure and also everyone is on generally the latest OS version, which controls and mitigates any rampant apps/etc. Basically in simple terms, iOS is more designed to prevent stuff like this from happening, Android isn't, VPN apps on Android have this issue, does not seem to be prevalent on iOS

21. tacarat

Posts: 854; Member since: Apr 22, 2013

It comes from the fact that the VPNs can do this. You can make your own VPN, have it block ads, and it'll work. You can track everything you've searched, cache encrypted/unencrypted data, etc. It has nothing to do with the OS it's made for.

25. mikehunta727 unregistered

Most of these VPN apps on Android are taking advantage of people being behind on OS versions and etc via much more lax and inferior app control and security compared to newer OS versions. iOS apps don't have this issue

29. joey_sfb

Posts: 6794; Member since: Mar 29, 2012

I don't think it's true. Even with the latest Android version you could still be at risk. It's more on how they implement the VPN protection and what the VPN service providers do with their logs. You basically have to trust your VPN service provider so if they are s**tty or have malicious intent you are basically screwed. Nothing to do with your Android version at all. They may specify a minimum supported Android version and that's about it.

34. tacarat

Posts: 854; Member since: Apr 22, 2013

If you're using a VPN, they control your internet. That's a fact. They could make every website you type in go to goatse mirrors. Every website could be given the 127.0.0.1 IP address. This is true on mobile, desktops, or laptops, and without regard to the operating system installed.

27. joey_sfb

Posts: 6794; Member since: Mar 29, 2012

We already know about Phone arena Android bias. The positive side to this is that it did alert 80% of smart phone users reading this article. I was beginning to wonder about mobile VPN security when I configured my Windows 10 Mobile VPN and did a DNS leak test. WP10 edge is leaking my country of origin DNS like there's no tomorrow. Basically good enough to reach geo-restricted websites but my activities are 100% tracked by my ISP. Another perspective like what tiara6918 said, Free VPNs are used to bypass problems, not really a privacy protection tool. If you are really concerned with privacy you should be using paid VPN services.

4. Plasticsh1t

Posts: 3109; Member since: Sep 01, 2014

Does puffin browser use VPN? Because they render pages through their servers is there any harm in using it?

31. joey_sfb

Posts: 6794; Member since: Mar 29, 2012

They never mention it, therefore my guess is no. The essence of VPN is data encryption.

35. tacarat

Posts: 854; Member since: Apr 22, 2013

Puffin and other browsers with that feature (Opera, Opera Max) can do anything the above mentioned VPNs could do. They're acting as a go between for you and the websites. They know what you browse, when you browse, and you're already asking them to modify the website. It's one of the reasons a good reputation for VPNs is important. A lot of people look for ones that don't keep logs of their activities and usually have to pay for that.

5. Gandalf87

Posts: 2; Member since: Feb 01, 2017

yea i did check out that report last week. it was a huge pdf doc which pitted every major brand against the other. didn't see big names like pure, express and ivacy vpn. maybe they passed and made the cut and weren't among those 67% that failed.

8. nedimko_wot

Posts: 115; Member since: Oct 01, 2016

well i don't need vpn in my country since there are no copyright laws

36. tacarat

Posts: 854; Member since: Apr 22, 2013

It's good for security of information the websites don't encrypt. Some used to build in ad blocking, compression, and the like too.

38. Gandalf87

Posts: 2; Member since: Feb 01, 2017

That's one less thing you have to worry about ig. :) but it still has its uses. like bypassing region-locks and unblocking sites.

10. djsmoove

Posts: 2; Member since: Feb 01, 2017

I recommend Private Internet Access, It's the best VPN. I had them over 2 years.

24. lJesseCusterl

Posts: 96; Member since: Apr 27, 2015

PIA or IPVanish. Probably the top two right now.

11. michaelny2001

Posts: 348; Member since: Aug 01, 2012

and the simple solution is............... download a VPN app from the Play Store. boom. done.
