Research warns of risks associated with Android VPN apps

[Parsh]

Some common notions about the security and effectiveness of the many VPN products available on Google Play Store have been debunked by CSIRO (Commonwealth Scientific and Industrial Research Organization) recently.
VPNs are largely believed to provide all-round privacy protection through various techniques and by deploying their servers for a masked effect.
However, 283 VPN apps scrutinized by the researchers have brought the following result:

• 18% do not encrypt traffic at all
• 84% leak user traffic
• 2 out of 3 use third-party tracking libraries
• 38% reveal a malware or malvertising presence
• More than 80% request sensitive data such as user accounts and text messages
• Less than 1% of app reviews mention security or privacy concerns

The large number of such apps freely available on Play Store and the lack of adequate knowledge about the apps, while selecting an appropriate product to trust one's identity with, amplifies the security concerns.

CSIRO suggests that reconsidering how the BIND_VPN_SERVICE app permission works could help reduce security problems with VPN and limit the power of data interception by these apps.

To sum up, one should make informed decisions and beware of the practices of such service providers (mainly the free ones) since the reviews of even some famous VPN apps cannot be fully trusted.
Check out the report here.

 

[Ink]

There's a lot of VPN apps on the Google Play Store, as you can easily see in the screenshots.
Question - Advice for Novice users looking for a VPN on Android?

 

[Solarquest]

@Parsh,
Thank you for sharing! Very interesting reading.
Unfortunately way worse than I expected.

Read the full report here.

 

[Parsh]

There's a lot of VPN apps on the Google Play Store, as you can easily see in the screenshots.
Question - Advice for Novice users looking for a VPN on Android?

A typical Android store scenario! Tons of apps of a single class.
Your mention of known security vendors is worth discussing. It's mostly better to go with their products than to trust the many new aspiring VPN Providers etc. who may or may not care about the A to Z of customer privacy.

 

[Parsh]

@Parsh,
Thank you for sharing! Very interesting reading.
Unfortunately way worse than I expected.

This is indeed saddening! This however won't make the whole lot of VPN apps kinda rogue. Many of us are well aware of the famous and trustable VPN providers, though most of them are paid ones
They also included the names of many offenders in report, some already removed from the Play store.
What disappoints me more is that the list includes a few VPN apps made quite famous by choice, in the XDA-developers community.

 

[Solarquest]

It would be extremely useful to get all infos on all 283 tested VPNs....Can someone find it?

 

[Parsh]

It would be extremely useful to get all infos on all 283 tested VPNs....Can someone find it?

Unfortunately there's only as much info as one can find in the report linked.
The top apps in different categories for eg.

• Apps with embedded trackers
• Apps with VT detections >5
• Malicious apps as per user reviews etc.

are tabulated in the report.

But reviewing this can atleast help us keep away from potential badware apps and be aware of the warning factors.

 

[Solarquest]

What are the best ones, the few ones we should trust?

 

[Parsh]

What are the best ones, the few ones we should trust?

Pardon me for the late reply
I managed to install and check up the details & permissions some famous apps demand, and I've discarded some, that appeared to be too vague from Play Store details.

PREMIUM/FREEMIUM APPS

1. Express VPN (requires no special permissions except WiFi information) (AES-256 bit) (OpenVPN)
2. NordVPN (storage permission) (logless connection, I'm not sure if others follow this) (Double VPN)
3. SurfEasy - a part of Opera (storage, telephone permissions) (though this one explains all the permissions) (no logging)
4. TunnelBear (no special permissions)
5. Avira Phantom VPN (Contact, Location, telephone permissions.. Needs tons more permissions)

Spoiler: SurfEasy permissions DECLARATION

FREE APPS

1. VPN+Tor+Cloud Globus VPN (no special permissions) (Full net attack protection, Cloud VPN / IPSEC VPN / OpenVPN / VPN+TOR bundle)
2. Orbot (most of all know about it) (essentially proxy, no special permissions)
3. Opera VPN (storage permission, has Ads)
4. Touch VPN (Contact, Location, telephone permissions)

Most of them, additionally, only need WiFi info and device ID (example explanation in spoiler).

Well, this is a small input from details and analysis on my device. You will find some elaborated facts on the methodologies of some good VPN apps in this thread by @Spawn. Useful enough!

 

[Solarquest]

VPN on Android means 'Voyeuristic Peeper Network' in many cases

......
......

Before picking a VPN provider/app, make sure you do some research https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf … – or consider Algo https://github.com/trailofbits/algo …
......
......
The researchers' paper doesn't list all the apps it tried, which is a little frustrating. However, it does call out EasyOvpn, VPN Free, Tigervpns, DNSet, CM Data Manager, Rocket VPN, Globus VPN, Spotflux VPN and CyberGhost, as "malicious or intrusive." OkVpn, EasyVpn, SuperVPN, Betternet, CrossVpn, Archie VPN, HatVPN, sFly Network Booster, One Click VPN, and Fast Secure Payment, are also flagged up as containing malware in the VirusTotal database.

Open Gate, VPN Gate, and VyprVPN get a slap for using home broadband connections as egress points, and Tigervpns, StrongVPN, and HideMyAss raised suspicions after exogenous traffic was spotted from them.

Finally, we've heard nice things about Algo, if you're looking to set up your own VPN.

 

[Parsh]

VPN on Android means 'Voyeuristic Peeper Network' in many cases

......
......

Before picking a VPN provider/app, make sure you do some research https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf … – or consider Algo https://github.com/trailofbits/algo …
......
......
The researchers' paper doesn't list all the apps it tried, which is a little frustrating. However, it does call out EasyOvpn, VPN Free, Tigervpns, DNSet, CM Data Manager, Rocket VPN, Globus VPN, Spotflux VPN and CyberGhost, as "malicious or intrusive." OkVpn, EasyVpn, SuperVPN, Betternet, CrossVpn, Archie VPN, HatVPN, sFly Network Booster, One Click VPN, and Fast Secure Payment, are also flagged up as containing malware in the VirusTotal database.

Open Gate, VPN Gate, and VyprVPN get a slap for using home broadband connections as egress points, and Tigervpns, StrongVPN, and HideMyAss raised suspicions after exogenous traffic was spotted from them.

Finally, we've heard nice things about Algo, if you're looking to set up your own VPN.

Ofcourse these apps cannot be trusted easily, yet the report mainly mentions about the possible malware or inappropriate VPN candidates.

What about the reliable ones? It just gets difficult to choose after facing the fact that such ways of exploiting privacy and security loopholes are being used even in cases of apps that have millions of downloads on the biggest Smartphone platform.

Regarding Algo, we can have a look at it. Have you ever given it a spin?

 

[Solarquest]

No, not yet...

 

[Parsh]

No, not yet...

Which VPN do you actively use while testing AVs on your VM? Just wanna get an idea about that.

 

[sudo -i]

@Parsh,
Read the full report here.

Thanks for posting a link to the original independent research. I really hope everyone will start using better practices in the News section and give original sources rather than third-party sites.