Android users looking for a way to improve their privacy may be inadvertently compromising it. A recent study found that many free Android VPNs are not as private as they claim to be and instead sell user data to third-party companies.
This means that even if you’re using a VPN app to protect your privacy, you may not be getting the level of protection you expect. So what’s the best way to stay safe online? Read on to find out.
VPNs with flaws
Researchers assessed around 283 free Android VPN apps and found several issues with native platform support for VPN clients using the BIND_VPN_SERVICE.
Android VPN customers, especially those who reside in regions where communication is restricted or where technology is essential to one’s privacy and physical protection, are being given an alarmingly false sense of security by many of these services.
A study by researchers reported that 238 mobile VPN apps had many flaws. For example, instead of utilizing applications that have no encryption, are infested with malware, track user behavior, intercept TLS traffic and alter HTTP traffic.
Therefore, users who download and install such programs in the hopes of online security are actually jeopardizing it.
Researchers from Australia’s Commonwealth Scientific and Industrial Research Organization (AU-CSIRO), the University of South Wales, and the International Telecommunication Union (ITU), said their experiments discovered many VPN apps that expose users to critical privacy and security vulnerabilities, like using insecure VPN tunneling protocols and IPv.
The article explains how the Android VPN API sends traffic from a phone or tablet to the asking app and presents a network interface to a requesting app. In the AndroidManifest file, developers must grant access to the BIND_VPN_SERVICE, but only one app at a time.
Any time data is rerouted, there is a considerable risk of misuse. Android combats this by notifying the user twice that a virtual network interface has been built and is now active.
The researchers cautioned that typical mobile users might not fully comprehend the implications of permitting a third-party app to read, block, and/or manipulate their traffic, possibly due to a lack of technological expertise.
The researchers also pointed out that the BIND_VPN_SERVICE capability provides the foundation for high-end enterprise products like Cisco (AnyConnect) and Juniper (Junos), as well as mobile device management tools.
The report calculates the proportion of apps lacking critical security features in the interim. For instance, despite promising users anonymity, 18% of the VPN apps examined used tunneling protocols without encryption.
According to the researchers, a lack of robust encryption and traffic leaks may be exploited for online tracking operations executed by in-path middleboxes (such as spying agencies and commercial Wi-Fi APs recording user data).
Additionally, the researchers discovered malware on 38% of the programs they examined that VirusTotal had flagged. They claimed that a smaller fraction (16%) of networks pass traffic through peers rather than a host, posing trust and privacy concerns.
According to the report, many apps employ proxies that alter HTTP traffic by adding and removing headers or re-encoding images.
The researchers noted that 75% of the apps permit third parties to track user activity and ask for authorization to access account information and/or text messages (82 percent). Finally, the researchers claimed that four apps they examined actively intercept TLS traffic and breach users’ root stores.
The researchers concluded that it is imperative to reconsider Android’s VPN permission model to increase control over VPN clients.
Their examination of the ratings and reviews for VPN apps revealed that even when considering very well-liked apps, most users are still unaware of such methods.
If you’re looking for an Android VPN app, be sure to do your research first. Stick with well-known, reputable providers, and read the reviews before downloading anything.