Android VPN Apps Do Not Protect User Traffic & Privacy 2017


Over the last few years, people have become more aware of current threats such as ransomware, malicious apps and different forms of fraud, and this has led them to use VPNs, which protect their privacy by encrypting user traffic. Unfortunately, that belief has been shattered by a group of researchers who proved Android VPN apps to be nothing more than a SHAM.
Android users should not trust virtual private networking (VPN) enabled apps to protect them, according to a paper published by Australian and United States researchers.
A project funded by the CSIRO’s Data61 and the US National Science Foundation analyzed 283 free Android apps on Google Play that use the operating system’s native support for creating VPNs, a feature introduced in 2011.
The research, carried out by researchers from Data61, the University of New South Wales, the International Computer Science Institute, and the University of California Berkeley, shows that many apps expose user data and, in some cases, collect and manipulate their traffic.
Below is a summary of the findings from their research paper, which analyzed the source code and network behavior of 283 VPN apps for Android:
  • 38% of analyzed VPN clients contain some malware presence according to VirusTotal.
  • 38% of analyzed  VPN clients contain some malware presence according to VirusTotal.
  • 75% of them use third-party tracking libraries.
  • 82% request permissions to access sensitive resources including user accounts and text messages.
  • 18% of the apps do not mention the entity hosting the terminating VPN server.
  • 16% of the analyzed apps may forward traffic through other participating users rather than use servers hosted in the cloud.
  • 4% of the analyzed VPN apps use the VPN permission to implement localhost proxies to intercept and inspect user traffic locally (primarily for antivirus and traffic filtering purposes).
  • 18% of VPN apps don’t encrypt traffic.
  • 84% don’t tunnel IPv6 traffic.
  • 66% don’t tunnel DNS traffic, exposing a user’s browsing habits, mainly due to misconfigurations or developer-induced errors.
  • 16% of VPN apps deploy non-transparent proxies that modify users’ HTTP traffic by injecting and removing headers or performing techniques such as image transcoding.
  • 2 VPN apps actively injected JavaScript code into users’ traffic for advertising and tracking purposes.
  • 1 VPN app redirected e-commerce traffic to an external advertising partner.
  • 4 VPN clients compromised the device’s root store by adding their own root certificates so they could intercept TLS-encrypted traffic.
  • 3 VPN apps claimed to provide traffic acceleration services, but they selectively intercepted traffic to specific online services like social networks, banking, e-commerce sites, email and IM services.
Quoting from the original report,
“Our results show that — in spite of the promises for privacy, security and anonymity given by the majority of VPN apps — millions of users may be unawarely subject to poor security guarantees and abusive practices inflicted by VPN apps.”
Below are some of the biggest blunders and offending apps, grouped by the behaviors exhibited.

VPN Apps with Third-Party Trackers.


VPN Apps with a VirusTotal AV-rank ≥ 5


List of VPN apps, with 500K or more number of installs


“Despite the fact that Android VPN-enabled apps are being installed by millions of mobile users worldwide, their operational transparency and their possible impact on user’s privacy and security remains ‘terra incognita’ even for tech-savvy users,” the research team concludes.
