Can you trust your Android VPN client?

Do you trust your Android VPN client to keep your data secure and your online browsing private? Perhaps you shouldn’t.

trust Android VPN client

A group of researchers has analyzed 283 Android apps from Google Play that use the Android VPN permission in search of possible malware presence, third-party library embedding, and traffic manipulation, and have discovered that:

  • 18% of the apps implement tunneling protocols without encryption (despite promising online anonymity and security to users)
  • 84% of the apps don’t tunnel IPv6 traffic, and 66% don’t tunnel DNS traffic for a variety of reasons, thus exposing users to online tracking by surveillance agencies or commercial WiFi access points
  • 75% of the apps use third-party tracking libraries and 82% request permissions to access sensitive resources (e.g. user accounts, text messages)
  • VirusTotal identified malware presence in 38% of the analyzed apps
  • 18% of the apps do not mention the entity hosting the terminating VPN server
  • 16% of the apps may forward traffic through other participating users rather than use servers hosted in the cloud (and this raises a number of trust, security, and privacy concerns for participating users)
  • 16% of the apps deploy non-transparent proxies that modify user’s HTTP traffic. In fact, two of them actively inject JavaScript code into the user’s traffic for advertisement and tracking purposes, and one of them redirects e-commerce traffic to external advertising partners.
  • Four of the analyzed VPN apps compromise users’ root-store and actively perform TLS interception, ostensibly in order to optimize traffic to certain services.

Reactions from the developers

The researchers have contacted the developers of the apps found sporting some or all of these issues, and some have reacted by fixing the vulnerabilities.

Most of them, though, did not respond, and some responded only to confirm the findings and to offer justification for the choices they make about how they operate the service.

Too many questions remain

“Despite the fact that Android VPN-enabled apps are being installed by millions of mobile users worldwide, their operational transparency and their possible impact on user’s privacy and security remains ‘terra incognita’ even for tech-savvy users,” the researchers pointed out, and added that judging by the analysis of the user reviews and ratings of these apps, most users are unaware that they might be risking their security and privacy.

Starting with Android v4.0, VPN clients began using the VPN Service base class and the BIND_VPN_SERVICE permission to perform user traffic interception, manipulation and forwarding or implementation of proxies in localhost.

“The ability of the BIND_VPN_SERVICE permission to break Android’s sandboxing and the naive perception that most users have about third-party VPN apps suggest that it is urging to re-consider Android’s VPN permission model to increase the control over VPN clients,” the researchers concluded.