Virtual private networks are designed to protect your privacy and security, but a research team has found that VPN apps can present their own risks.
The basic idea of a VPN is sound. It encrypts traffic between your device and a remote point – traditionally on your premises, but increasingly a server run by a commercial service provider. The idea is to stop other people 'sniffing' your Wi-Fi traffic (especially when using a public network), to stop your ISP from seeing what you're doing and to mask your geographic location.
But can you trust the VPN services and apps?
Not entirely, according to a team of researchers from CSIRO's Data61 operation, the University of New South Wales, the International Computer Science Institute and the University of California, Berkeley, which examined 283 free Android apps that use the Android VPN permission.
The project revealed "several instances of VPN apps that expose users to serious privacy and security vulnerabilities."
- 38 percent include malware or malvertising
- 84 percent leak users' traffic
- 18 percent do not encrypt any of their users' traffic
- 75 percent use third party tracking libraries
- More than 80 percent request access to sensitive data such as user accounts and text messages.
Further, 16 percent work on a peer-forwarding basis, which means your data doesn't go back onto the public internet from a server operated by a company you've chosen to trust but rather via an anonymous stranger who may then be able to examine your traffic.
Actively injecting code
They also found three apps that "selectively intercept traffic to specific online services like social networks, banking, e-commerce sites, email and IM services and analytics services."
"Our results show that – in spite of the promises for privacy, security and anonymity given by the majority of VPN apps – millions of users may be unawarely subject to poor security guarantees and abusive practices inflicted by VPN apps."
The analysed applications were selected on the basis that they request the VPN permission which "allows the requesting app to intercept, manipulate and forward all user’s traffic." Two-thirds of them were categorised as VPN clients, with the remainder falling into groups such as enterprise apps, traffic optimisers, antivirus and so on.
Worryingly, but perhaps not surprisingly, less than one percent of negative reviews on Google Play expressed any security or privacy concerns about these apps.
For example, a certain app has been installed more than 5 million times, and more than 84,000 reviewers have given it an average rating of 4.2 out of five, even though VirusTotal indicates it includes malware. As the researchers put it, "The average mobile user rates VPN apps positively even when they have malware presence."
Another interesting data point is that more than a fifth of the apps analysed by the researchers had vanished from Google Play by the time the report was finalised, "either as a result of Google’s vetting process, user complaints, or due to developer decisions."
It's important to note that paid VPN apps were not included in the study, and among premium VPN apps – those that require payment of a subscription via in-app purchase – only 20 (approximately one-seventh) were analysed "as most of them are full MDM solutions which require dedicated IT and cloud support."
The old saying "there ain't no such thing as a free lunch" seems to apply here – or to use a more contemporary aphorism, "if you're not the customer, you're the product."
Apart from avoiding geoblocks, the main reason for using a VPN is to improve your security and privacy. Providing a VPN costs money, so it makes sense to accept that you need to pay for such a service, and then to choose a provider that you know and trust.
It would be a very different kind of research, but what we would like to see is an independent audit of commercial VPN services. By their nature, they have access to your traffic as it emerges from their servers, so it would be reassuring to know that their practices and procedures are in line with their stated policies.
For more details, see "An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps" by Muhammad Ikram, Narseo Vallina-Rodriguez, Suranga Seneviratne, Mohamed Ali Kaafar and Vern Paxson.