An alarming number of Android VPNs are providing a decidedly false sense of security to users, especially those living in areas where communication is censored or where technology is crucial to their privacy and physical security.
A recently published study identified a number of shortcomings common to large shares of the 238 mobile VPN apps analyzed by a handful of researchers. Users downloading and installing these apps expecting secure communication and connections to private networks are instead using apps that lack encryption, are infected with malware, intercept TLS traffic, track user activity, and manipulate HTTP traffic.
“Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as use of insecure VPN tunneling protocols, as well as IPv6 and DNS traffic leakage,” said researchers Muhammad Ikram, Narseo Vallina-Rodriguez, Suranga Seneviratne, Mohamed Ali Kaafar and Vern Paxson, representing Australia’s Commonwealth Scientific and Industrial Research Organization (AU-CSIRO), the University of South Wales, and the International Computer Science Institute at the University of California at Berkeley. Their findings and methodology can be found in a paper: “An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps.”
“We also report on a number of apps actively performing TLS interception. Of particular concern are instances of apps that inject JavaScript programs for tracking, advertising, and for redirecting e-commerce traffic to external partners,” they said.
The researchers identified a core weakness commonly abused by many of the apps: the BIND_VPN_SERVICE permission, native platform support for VPN clients that Google introduced in 2011 with Android 4.0.
BIND_VPN_SERVICE is used by developers to build clients that intercept, manipulate and forward traffic to a remote proxy or VPN server, or to implement proxies on localhost, the researchers said. It’s a powerful Android service that can be easily abused, depending on intent. The paper describes how the Android VPN API exposes a network interface to a requesting app and routes traffic from a phone or tablet to that app. Developers must declare the BIND_VPN_SERVICE permission in the app’s AndroidManifest file, and only one app can hold the VPN interface at a time. The potential for abuse is high any time traffic is re-routed; Android counters this with two warnings informing the user that a virtual network interface has been created and remains active.
“However, average mobile users may not fully understand, possibly due to the lack of technical background, the consequences of allowing a third-party app to read, block and/or modify their traffic,” the researchers said.
The researchers also note that high-end enterprise offerings from Cisco (AnyConnect) and Juniper (Junos), as well as mobile device management products, are built on top of the BIND_VPN_SERVICE feature.
Beyond this, the paper quantifies the percentage of apps lacking important security features. For example, 18 percent of the VPN apps studied implemented tunneling protocols without encryption despite making privacy promises to users.
“Both the lack of strong encryption and traffic leakages can ease online tracking activities performed by in-path middleboxes (e.g., commercial WiFi APs harvesting user’s data) and by surveillance agencies,” the researchers wrote.
The researchers also found malware detected by VirusTotal in 38 percent of the apps they looked at. A smaller share (16 percent) forwards traffic through peers in the network rather than through a host, raising trust and privacy issues, they said.
The same percentage of apps use proxies that manipulate HTTP traffic by injecting and removing headers or doing image transcoding, the paper said.
“However, the artifacts implemented by VPN apps go beyond the typical features present in HTTP proxies,” the researchers wrote. “We identified two VPN apps actively injecting JavaScript code on user’s traffic for advertisement and tracking purposes and one of them redirects e-commerce traffic to external advertising partners.”
Most of the apps (75 percent) allow for third-party tracking of user activity, and 82 percent request permission to access account information and/or text messages. Finally, the researchers said that four of the apps analyzed compromise users’ root store and actively intercept TLS traffic in flight.
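The manifest declaration described above (a service guarded by BIND_VPN_SERVICE with the android.net.VpnService intent filter) and the permission co-requests just mentioned are both visible in an app's decoded AndroidManifest.xml. The following audit script is an added example, not code from the paper or from any of the apps studied; it assumes a manifest already decoded to plain XML (e.g. by apktool) and uses a constructed sample manifest so it runs offline.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
VPN_BIND_PERMISSION = "android.permission.BIND_VPN_SERVICE"
VPN_ACTION = "android.net.VpnService"
# Permissions the study found commonly requested alongside VPN access.
SENSITIVE = {"android.permission.READ_SMS", "android.permission.GET_ACCOUNTS"}

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vpnsample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Report which services can take over device traffic through the VPN
    API, whether they are guarded so only the system can bind to them, and
    which sensitive permissions the same app requests."""
    root = ET.fromstring(xml_text)
    name_attr = "{%s}name" % ANDROID_NS
    perm_attr = "{%s}permission" % ANDROID_NS
    requested = {e.get(name_attr) for e in root.iter("uses-permission")}
    vpn_services = []
    for svc in root.iter("service"):
        actions = {a.get(name_attr) for a in svc.iter("action")}
        guarded = svc.get(perm_attr) == VPN_BIND_PERMISSION
        if guarded or VPN_ACTION in actions:
            # A VPN service without the BIND_VPN_SERVICE guard could be
            # bound by any app, which the platform documentation warns against.
            vpn_services.append({"name": svc.get(name_attr),
                                 "guarded": guarded,
                                 "vpn_action": VPN_ACTION in actions})
    return {"package": root.get("package"),
            "vpn_services": vpn_services,
            "sensitive_permissions": sorted(requested & SENSITIVE)}


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```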
“The ability of the BIND_VPN_SERVICE permission to break Android’s sandboxing and the naive perception that most users have about third-party VPN apps suggest that it is urgent to reconsider Android’s VPN permission model to increase the control over VPN clients,” the researchers concluded. “Our analysis of the user reviews and the ratings for VPN apps suggested that the vast majority of users remain unaware of such practices even when considering relatively popular apps.”