If you have been using a Virtual Private Network, or VPN, on your Android smartphone, you could be among those who consider it an indispensable protection against hackers trying to compromise confidential data or inject malware into incoming traffic. But if the findings of a recent study are to be believed, trusting VPNs blindly could prove costly to users, as the majority of such products fail to encrypt while some of them don’t perform anything whatsoever.
I know how convenient it is to use the public network at Starbucks while having your favorite cappuccino, because you have your reliable VPN app installed on your smartphone. You believe that your VPN app will keep your sensitive information encrypted from all the snooping eyes. However, a group of researchers who analyzed the source code and network behavior of 283 VPN apps for Android say the majority of such products, downloaded by millions of users from Google’s Play Store, are not trustworthy.
Here are the main findings of the comprehensive analysis:
- Although 67 percent of the identified VPN Android apps promised services to enhance online privacy and security, 75 percent of those apps used third-party tracking libraries to monitor online activities of users while 82 percent requested user permissions to access sensitive resources like user accounts and text messages.
- Of the 37 percent of the analyzed VPN apps that have over 500,000 installs, 38 percent of them contained code that was classified as malicious by VirusTotal, a Google-owned service that aggregates many antivirus products and online scan engines to check for undetected viruses.
- 18 percent of the apps didn’t encrypt traffic at all, leaving users vulnerable to hacking when connected to unsecured networks.
- Approximately 84 percent of the VPN apps leaked IPv6 traffic, while 66 percent failed to stop DNS traffic from leaking, making online tracking easier to perform.
- 16 percent of the apps deployed code that modified users’ Web traffic to accomplish various objectives, such as image transcoding that helps graphic files load faster.
- The researchers detected four VPN apps that used digital certificates to intercept and decrypt Transport Layer Security (TLS) traffic between the devices and encrypted websites.
Here’s an excerpt from the report, produced by the researchers from Australia’s Commonwealth Scientific and Industrial Research Organization, the University of South Wales, and the University of California at Berkeley:
Our results show that — in spite of the promises for privacy, security and anonymity given by the majority of VPN apps — millions of users may be unawarely subject to poor security guarantees and abusive practices inflicted by VPN apps… Despite the fact that Android VPN-enabled apps are being installed by millions of mobile users worldwide, their operational transparency and their possible impact on user’s privacy and security remains “terra incognita” even for tech-savvy users.
So if you are using a VPN app on your Android smartphone, wake up. Take off the blindfold that you’ve been wearing and thoroughly review your app’s performance before continuing to use it.