Exposed and Vulnerable: A Common Thread among Android VPN Users

For their study (PDF), the researchers searched Google's Play Store for VPN-related apps. They identified a total of 1,488,811 free and paid potential candidates. Next, they obtained each app's metadata, downloaded the app's executable, and analyzed its source code and AndroidManifest file. This file is crucial: an app uses it to request either custom VPN permissions or BIND_VPN_SERVICE, Android's official VPN permission, which exposes an app to all of a device's traffic and routes that traffic through a virtual network of servers. Overall, the team identified 283 free Android apps that requested the VPN permission in their AndroidManifest files.

Many of those apps exhibited some startling behavior that jeopardized users' privacy and security. Here's a sampling of what the researchers found:

Lack of Encryption

Nearly one-fifth (18 percent) of the apps didn't use encryption with their tunneling protocols. Coupled with the fact that 84 percent of the apps didn't tunnel IPv6 traffic and 66 percent didn't tunnel DNS traffic, it becomes clear that many Android VPNs failed to deliver security and anonymity for their users. If anything, they made it easier for government agents and others to abuse those apps to track users' online movements.

Trackers

67 percent of the free apps analyzed embedded at least one third-party tracking library in their source code. To a certain extent, these apps relied on advertising and on revenue generated from analytics services for funding. By comparison, 65 percent of premium (paid) VPN apps came without any embedded tracking library at the time of the study.
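The manifest triage step described above, as an added example that is not part of the study or the article: it parses a manifest that has already been decoded from the APK's binary form to plain XML (an assumption), reports whether the app declares a service guarded by BIND_VPN_SERVICE, and lists the other permissions the app requests so that a VPN app asking for far more than it needs stands out. The sample manifest and package name are constructed for the demonstration.

```python
"""Triage a decoded AndroidManifest.xml for a VPN service declaration.

An app is treated as a VPN app when its manifest protects a service with
android.permission.BIND_VPN_SERVICE (so only the system can bind to it).
The requested <uses-permission> entries are listed alongside, since a VPN
that also wants contacts, SMS or location deserves a closer look.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_VPN = "android.permission.BIND_VPN_SERVICE"

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vpnsample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application>
        <service android:name=".MyVpnService"
            android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter>
                <action android:name="android.net.VpnService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def analyze_manifest(xml_text):
    """Return (package, declares_vpn_service, sorted requested permissions)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    # Manifest element tags carry no namespace; only attributes do.
    declares_vpn = any(
        svc.get(perm_attr) == BIND_VPN for svc in root.iter("service")
    )
    permissions = sorted(
        up.get(name_attr, "") for up in root.iter("uses-permission")
    )
    return package, declares_vpn, permissions


if __name__ == "__main__":
    pkg, is_vpn, perms = analyze_manifest(SAMPLE_MANIFEST)
    print(f"{pkg}: VPN service declared = {is_vpn}")
    print("Requested permissions:", ", ".join(perms))
```

Decoding the binary manifest out of an APK (for example with apktool) is a separate step that this script assumes has already been done.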
Conclusion

Most if not all of the VPN apps analyzed by the researchers claim they're designed to uphold users' anonymity and security. Yet this research project illustrates that many of those apps failed in that endeavor. In some cases, they exposed users to additional risk. Following the conclusion of their study, the researchers shared their findings with several of the VPN app developers. Some made an effort to fix the issues affecting their creations. Dali Kaafar, professor and senior principal researcher in online privacy and security at CSIRO, explains in a blog post:
"Several of them [app developers] took actions to fix the identified vulnerabilities. Some apps were even removed from the Google Play Store."

This study illustrates how users need to be careful when installing VPN apps. They should read reviews of any app they're considering downloading. Additionally, they should never download an app from outside the Google Play Store, especially a suspicious mobile VPN service that requests an unnecessary number of permissions.