Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Majority of Android VPNs not Secure

January 31, 2017

A team of researchers from the University of Berkeley, University of New South Wales and Commonwealth Scientific and Industrial Research Organization (CSIRO) analyzed 283 Android VPNs and discovered that the majority don't do a very good job of protecting users' privacy and aren't very secure either. VPN users expect that their communications are secured. However, the researchers revealed that Android users are using apps that lack encryption, track user activity, are infected with malware, manipulate HTTP traffic and intercept TLS traffic. Ars Technica has a good summary of the results.

  • 18 percent didn't encrypt traffic at all, a failure that left users wide open to man-in-the-middle attacks when connected to Wi-Fi hotspots or other types of unsecured networks
  • 16 percent injected code into users' Web traffic to accomplish a variety of objectives, such as image transcoding, which is often intended to make graphic files load more quickly. Two of the apps injected JavaScript code that delivered ads and tracked user behavior. JavaScript is a powerful programming language that can easily be used maliciously
  • 84 percent leaked traffic based on the next-generation IPv6 internet protocol, and 66 percent don't stop the spilling of domain name system-related data, again leaving that data vulnerable to monitoring or manipulation
  • Of the 67 percent of VPN products that specifically listed enhanced privacy as a benefit, 75 percent of them used third-party tracking libraries to monitor users' online activities. 82 percent required user permissions to sensitive resources such as user accounts and text messages
  • 38 percent contained code that was classified as malicious by VirusTotal, a Google-owned service that aggregates the scanning capabilities of more than 100 antivirus tools
  • Four of the apps installed digital certificates that caused the apps to intercept and decrypt transport layer security traffic sent between the phones and encrypted websites
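
The IPv6 and DNS leaks in the list above can be checked on a test device by recording which interface each flow left on while the VPN reports itself connected. The Python below is an added example, not code from the study or from this blog; the interface names, addresses and flow-record format are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: flows observed while the VPN app shows "connected".
# Record format (an assumption): (interface, destination IP, protocol, dst port).
# All addresses are from documentation ranges.
SAMPLE_FLOWS = [
    ("tun0",  "198.51.100.7",   "tcp", 443),   # browsing inside the tunnel
    ("wlan0", "203.0.113.10",   "udp", 1194),  # tunnel transport to the VPN server
    ("wlan0", "2001:db8::53",   "udp", 53),    # DNS query over IPv6, outside tunnel
    ("wlan0", "2001:db8:1::80", "tcp", 443),   # IPv6 web traffic, outside tunnel
    ("wlan0", "192.0.2.53",     "udp", 53),    # IPv4 DNS query, outside tunnel
    ("wlan0", "fe80::1",        "udp", 5353),  # link-local chatter, never tunnelled
    ("wlan0", "192.0.2.80",     "tcp", 80),    # plain IPv4 traffic, outside tunnel
]


def find_leaks(flows, tunnel_if, vpn_server):
    """Return {leak kind: [destination, ...]} for flows that bypassed the tunnel.

    Kinds: "dns" (port 53), "ipv6" (any IPv6 destination), "other" (anything
    else that left on a non-tunnel interface). A flow can be both dns and ipv6.
    """
    server = ipaddress.ip_address(vpn_server)
    leaks = defaultdict(list)
    for iface, dst, _proto, port in flows:
        addr = ipaddress.ip_address(dst)
        if iface == tunnel_if or addr == server:
            continue  # protected traffic, or the encrypted tunnel itself
        if addr.is_link_local or addr.is_multicast or addr.is_loopback:
            continue  # local-segment traffic is not expected to be tunnelled
        kinds = []
        if port == 53:
            kinds.append("dns")
        if addr.version == 6:
            kinds.append("ipv6")
        for kind in kinds or ["other"]:
            leaks[kind].append(dst)
    return dict(leaks)


if __name__ == "__main__":
    for kind, dests in find_leaks(SAMPLE_FLOWS, "tun0", "203.0.113.10").items():
        print(f"{kind} leak: {', '.join(dests)}")
```

Only classic port 53 DNS is recognized here; encrypted DNS on other ports would fall under "other" or "ipv6".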

The study doesn't paint a very good picture for Android VPN providers. Users should only install VPN apps from Google Play and read app reviews before downloading. One highly rated VPN app is F-Secure Freedome VPN, which blocks all traffic from a pre-defined list of Web and mobile-tracking domains, including Google Ads, DoubleClick, Google Tag, and comScore.

Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
http://www.linkedin.com/in/johnsimek
http://www.senseient.com