Majority of Android VPNs can’t be trusted to make users more secure

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Over the past half-decade, a growing number of ordinary people have come to regard virtual private networking software as an essential protection against all-too-easy attacks that intercept sensitive data or inject malicious code into incoming traffic. Now, a comprehensive study of almost 300 VPN apps downloaded by millions of Android users from Google's official Play Market finds that the vast majority of them can't be fully trusted. Some of them don't work at all.

According to a research paper that analyzed the source-code and network behavior of 283 VPN apps for Android:

  • 18 percent didn't encrypt traffic at all, a failure that left users wide open to man-in-the-middle attacks when connected to Wi-Fi hotspots or other types of unsecured networks
  • 16 percent injected code into users' Web traffic to accomplish a variety of objectives, such as image transcoding, which is often intended to make graphic files load more quickly. Two of the apps injected JavaScript code that delivered ads and tracked user behavior. JavaScript is a powerful programming language that can easily be used maliciously
  • 84 percent leaked traffic based on the next-generation IPv6 internet protocol, and 66 percent don't stop the spilling of domain name system-related data, again leaving that data vulnerable to monitoring or manipulation
  • Of the 67 percent of VPN products that specifically listed enhanced privacy as a benefit, 75 percent of them used third-party tracking libraries to monitor users' online activities. 82 percent required user permissions to sensitive resources such as user accounts and text messages
  • 38 percent contained code that was classified as malicious by VirusTotal, a Google-owned service that aggregates the scanning capabilities of more than 100 antivirus tools
  • Four of the apps installed digital certificates that caused the apps to intercept and decrypt transport layer security traffic sent between the phones and encrypted websites
The researchers—from Australia's Commonwealth Scientific and Industrial Research Organization, the University of South Wales, and the University of California at Berkeley—wrote in their report:

Our results show that—in spite of the promises for privacy, security, and anonymity given by the majority of VPN apps—millions of users may be unawarely subject to poor security guarantees and abusive practices inflicted by VPN apps... Despite the fact that Android VPN-enabled apps are being installed by millions of mobile users worldwide, their operational transparency and their possible impact on user's privacy and security remains terra incognita even for tech-savvy users.

Read more: Majority of Android VPNs can’t be trusted to make users more secure
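
An added example, not part of the original post or the research paper: a small audit of the permission finding in the list above, flagging an app that declares a VPN service and also requests access to accounts or text messages. It assumes a decoded (text) AndroidManifest.xml, such as apktool produces; the sample manifest, its package name and the short sensitive-permission list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
VPN_BIND = "android.permission.BIND_VPN_SERVICE"
# Permissions guarding the resources the study calls out (accounts, text
# messages). This short list is an assumption for the example, not the paper's.
SENSITIVE = {
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
}

# Constructed sample: decoded manifest of a hypothetical VPN app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>""".strip()


def audit_manifest(xml_text):
    """Return (is_vpn_app, sorted sensitive permissions requested)."""
    root = ET.fromstring(xml_text)
    # A VPN app declares a service that only the system is allowed to bind to.
    is_vpn = any(
        svc.get(ANDROID_NS + "permission") == VPN_BIND
        for svc in root.iter("service")
    )
    requested = {
        perm.get(ANDROID_NS + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for perm in root.iter(tag)
    }
    return is_vpn, sorted(requested & SENSITIVE)


if __name__ == "__main__":
    vpn, flagged = audit_manifest(SAMPLE_MANIFEST)
    print("VPN service declared:", vpn)
    for name in flagged:
        print("sensitive permission requested:", name)
```

A VPN tunnel needs network access and the VPN service binding; requests for SMS or account access are what deserve a second look before installing.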
 
Deleted member 2913

There are so so so many VPN apps in Google Play...it gives the feeling of many fake apps in there & many might be fake or simply useless, i.e. not doing the core job of a VPN.
 

Bryan Lam

Level 3
Verified
Well-known
Apr 19, 2015
130
An Android VPN is only as good as that VPN's PC services. If a VPN service is exclusively for Android, chances are it isn't doing what it's supposed to do.

Not really, it kinda relays to the fact that it's ANDROID. It's an operating system built for a mobile device. It won't have all available features that a PC has, it's limited. Not everything such as encryption will be available unless a massive use of resources is considered but that would be too extensive for any user.
 

sudo -i

Level 4
Verified
Jan 17, 2017
154
Not really, it kinda relays to the fact that it's ANDROID. It's an operating system built for a mobile device. It won't have all available features that a PC has, it's limited. Not everything such as encryption will be available unless a massive use of resources is considered but that would be too extensive for any user.
What I meant is that, let's say a VPN company emerges out of the blue with an ANDROID-only service, this is an automatic red flag. I firmly believe that trusted VPN companies should have a well-established PC VPN service before offering one for Android. Offering one for JUST Android is a bad sign.

Edit: Windscribe comes to mind as a good example. They have established a great PC VPN, and are just now beginning their transition into mobile apps. It shouldn't be the other way around.
 

Bryan Lam

Level 3
Verified
Well-known
Apr 19, 2015
130
What I meant is that, let's say a VPN company emerges out of the blue with an ANDROID-only service, this is an automatic red flag. I firmly believe that trusted VPN companies should have a well-established PC VPN service before offering one for Android. Offering one for JUST Android is a bad sign.

Edit: Windscribe comes to mind as a good example. They have established a great PC VPN, and are just now beginning their transition into mobile apps. It shouldn't be the other way around.
Well said
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Bad news.
I've often experienced VPN to protect my device connection when connected to public or open networks and my IP address was actually changed. For what I can advise, based on my personal experience, Avast Securline VPN, HotSpot Shield, Cyberghost, Opera VPN are reliable apps.
 

jogs

Level 22
Verified
Top Poster
Well-known
Nov 19, 2012
1,113
Google Play Store is full of so many free and commercial apps, providing all types of services. I always wonder, with so many apps doing the same kind of work, how do all of them make money. Most, I think, make money from collecting the user's data. I feel Android mobile has become more of a headache than the PC. Mobile is something that you carry with you always, it shows your location, it shows whom you're calling and chatting with and what not. You are unknowingly carrying a tracking device with you.
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
There are many questionable apps on Google Play Store - not just VPN apps.
Many users, perhaps almost all, do not know the app permissions and often malicious apps have suspicious permissions.
Sure, not all of the apps on Google Play are safe, even Apple store is not 100% secure, in spite of the rigid control. And the popularity sometimes (as in this case) depends on the time it takes to discover that an app is a malware. Putting it all together, however, it is already something.
AVs are not a guarantee (better not to have a false sense of security) but they do help, most are suites that can weigh down a little the device and may be more or less useful.
 
Wave

Avast Securline VPN, HotSpot Shield, Cyberghost, Opera VPN are reliable
I agree! I use CyberGhost on my mobile device and it works well and really does change the IP address, no fake functionality there. But then again, it's the same situation as @sudo -i was saying... Because CyberGhost are respected on PC as well and own a great mobile app, but it didn't happen the other way around first! :)
 