Many Android VPN-enabled apps do not protect user traffic

Android users should not trust virtual private networking (VPN) enabled apps to protect them, according to a paper published by Australian and United States researchers.

A project [pdf] funded by the CSIRO's Data61 and the US National Science Foundation analysed 283 free Android apps on Google Play that use the operating system's native support for creating VPNs, a feature introduced in 2011.

Such VPN-enabled apps are used to bypass censorship, to access geo-blocked content, and for security and privacy purposes.

However, the analysis by researchers from Data61, University of New South Wales, the International Computer Science Institute, and University of California Berkeley show that many apps expose user data and in some cases, collect and manipulate their traffic.

"Our results show that — in spite of the promises for privacy, security and anonymity given by the majority of VPN apps — millions of users may be unawarely subject to poor security guarantees and abusive practices inflicted by VPN apps," the researchers said.

Furthermore, the researchers found that 38 percent of the 283 apps tested contain "some malware presence" when run through Google's VirusTotal scanning service.

EasyOVPN, VPN Free, and TigerVPN have millions of installs on Google Play, and test positive for malware, the researchers found.

Over two-thirds of the VPN-enabled apps promise to enhance online privacy and security, yet three quarters of the programs tested use third-party user tracking libraries, and 82 percent request permission to access sensitive data including accounts and text messages.

Traffic handling by the apps was also found to be insecure: 18 percent of the apps set up traffic tunnels across the internet that weren't encrypted, the researchers found.

Lack of support, misconfigurations, and developer errors meant traffic flowing over the new IPV6 went unprotected in 84 percent of the analysed apps.

The majority of VPN-enabled apps did not tunnel domain name system (DNS) lookups, which could reveal which sites users visit.

Other problems found by the researchers include traffic interception, with users not being told where the VPN termination point the apps connect to is hosted.

A number of apps deploy non-transparent proxies that modifiy web traffic by injecting and removing protocol headers, or use image transcoding. Two VPN apps were found to actively inject Javascript code into users' traffic to serve up ads and track people, the researchers said.

Three apps that promise traffic acceleration would intercept transport layer security (TLS) when users visit social networks, bank sites, online retailers, and instant messaging services, 

The researchers tested VPN clients, apps aimed at enterprise users, traffic optimisers and communications tools, traffic filters and loggers, and an antivirus as well as an anonymising app for The Onion Router (TOR) network.

Of the 283 VPN apps analysed, the researchers noted that as of preparing the final manuscript of their paper, 49 programs had disappeared from Google Play. This was either due to Google's vetting process for the Play store, user complaints or developer decisions, the researchers said.