An analysis of hundreds of Android virtual private network (VPN) apps has found that 18 per cent do not encrypt users’ traffic and 38 per cent inject malware.

The analysis of 283 Android apps that use the Android VPN permission, by researchers from CSIRO’s Data61, the University of New South Wales and the University of Berkeley, also found that 82 per cent of the apps requested access to sensitive data such as user accounts and text messages.

“Our results show that – in spite of the promises for privacy, security and anonymity given by the majority of VPN apps – millions of users may be unwarily subject to poor security guarantees and abusive practices inflicted by VPN apps,” the paper, published in November, states.

Even though 67 per cent of the identified VPN apps offered services to enhance online privacy and security, 75 per cent of them were found to use third-party tracking libraries.

Two VPN apps (HotspotShield and WiFi Protector VPN) were found to be actively injecting JavaScript code into users’ traffic for advertisement and tracking purposes, and the HotspotShield by Anchorfree app redirected popular e-commerce site traffic to external advertising partners.

“Many apps may legitimately use the VPN permission to offer some form of online anonymity or to enable access to censored content. However, malicious app developers may abuse it to harvest users’ personal information,” the researchers said.

“According to the number of installs of these apps, millions of users appear to trust VPN apps despite their potential maliciousness.”

Unsurprisingly, the hosting infrastructure of VPN apps is concentrated in the US. However, the researchers suggested that up to 16 per cent of the apps they analysed forwarded traffic through other users in a peer-forwarding fashion rather than using machines in the cloud.

“This forwarding model raises a number of trust, security, and privacy concerns for participating users,” researchers said.
Terra incognita

Despite the worrying findings and the inherent potential for malicious activity, an analysis of user reviews in the Google Play store found that a quarter of the apps received a four-star or higher rating. Only a marginal number of users publicly raised any security or privacy concerns in their reviews.

Android’s official documentation highlights the serious security concerns that the VPN permission raises, as it allows an app to intercept and take full control over a user’s traffic.

Users, however, either don’t care or are unaware of the implications: less than 1 per cent had any security or privacy concerns about the apps.

“A large fraction of mobile users may however lack the necessary technical background to fully understand the potential implications,” researchers suggested.

“Despite the fact that Android VPN-enabled apps are being installed by millions of mobile users worldwide, their operational transparency and their possible impact on user’s privacy and security remains ‘terra incognita’ even for tech-savvy users.”

Professor Dali Kaafar, CSIRO senior principal researcher in online privacy and security and the paper’s co-author, urged VPN users to read the small print and scrutinise what permissions they gave away.

“Always pay attention to the permissions requested by apps that you download,” he said. “This study shows that VPN app users, in particular, should take the time to learn about how serious the issues with these apps are and the significant risks they are taking using these services.”

Sorry, not sorry

The research team contacted the developers behind each app and shared their findings. The responses were mixed. Many didn’t respond, while some of those that did confirmed the findings. One argued that embedding less-popular tracking libraries was “the best choice to monetise the app”.

“Several of them took actions to fix the identified vulnerabilities. Some apps were even removed from the Google Play Store,” Kaafar said.