If you’re using a VPN app to secure your smartphone — maybe to download torrents, maybe to make your online banking a little more safe — then chances are, it’s not doing what it pretends to. A paper co-authored by CSIRO’s data science arm examined nearly 300 Android VPN apps and found that almost all of them leak some kind of user traffic data.
Research scientists Dali Kaafar, Suranga Seneviratne and Muhammad Ikram from Data61 contributed to the report alongside Narseo Vallina-Rodriguez from ICSI and Vern Paxson from UC Berkeley. The report, which examined 283 apps from the Google Play Store that use Android’s integrated virtual private network permission, found some pretty stark results: 18 per cent of apps don’t encrypt any of the traffic that travels through them, and a full 84 per cent didn’t disguise DNS traffic or support IPv6 tunnelling — more secure than the widely used IPv4.
38 per cent of all Android VPN apps surveyed by the CSIRO team were found to contain some kind of malware that infected users’ phones, over 80 per cent ask permission to access users’ text messages or Google account data, and 16 per cent injected ads or headers — including Javascript ads and redirects to advertising-supported online shopping — into VPN users’ seemingly secure sessions.
What’s almost worse is the fact that barely 1 per cent of VPN reviews — “a marginal number”, according to the report — on the Google Play Store mention any kind of security or privacy concerns, suggesting people using the apps just don’t know how insecure their communications actually are.
CSIRO actually has its own app, PrivMetrics, that ranks apps on your Android phone in terms of their privacy risk level and the permissions that they ask for. It’ll also suggest more secure alternatives to your installed apps if available.
The takeaway from this is that you should always be sceptical of claims made by apps, especially those purporting to be entirely secure. While you should be sceptical even of this recommendation, we’ve used Private Internet Access in the past and found it — on the surface at least — to be reliable and reputable. CSIRO’s Kaafar: “Always pay attention to the permissions requested by apps that you download. This study shows that VPN app users, in particular, should take the time to learn about how serious the issues with these apps are and the significant risks they are taking using these services.”
In other news, the Australian National University also just announced that renowned technologist, former vice president at Intel and the company’s first female Senior Fellow, Dr Genevieve Bell, has joined ANU in Canberra and will be collaborating with Data61 and CSIRO in the future. [CSIRO]