There is a common misconception about what VPNs actually do. Claims that they make you “completely anonymous” online are almost always inaccurate, even if they can improve your privacy to some degree. Unfortunately, researchers at the Commonwealth Scientific and Industrial Research Organisation (CSIRO), working with the University of New South Wales and UC Berkeley, have found problems that go well beyond overstated marketing.
In CSIRO’s research paper ‘An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps,’ the team investigated 283 Android VPN apps to explore their impact on user privacy and security. Here are some of the highlights of what they learned about the apps:
- 18% do not encrypt traffic at all
- 84% leak user traffic (IPv6 traffic that bypasses the tunnel)
- 2 out of 3 use third-party tracking libraries
- 38% reveal a malware or malvertising presence
- More than 80% request access to sensitive data such as user accounts and text messages
- Less than 1% of app reviews mention security or privacy concerns
Put another way: roughly 4 in 5 Android VPN apps ask for sensitive permissions, nearly 2 in 5 show signs of malware or malvertising, almost 1 in 5 do not encrypt traffic at all, and some appear to be collecting user data to sell to third parties.
“The very reason users install these apps — to protect their data — is the very function they are not performing and these apps have been installed by tens of millions of users,” said CSIRO in the paper.
Below is the researchers’ list of the VPN apps they considered most worrisome among those tested; five of them have been removed from the Play Store since the paper was published.
- OkVpn [removed]
- EasyVpn [removed]
- SuperVPN [removed]
- HatVPN [removed]
- sFly Network Booster [removed]
- Archie VPN
- One Click
- Fast Secure Payment
The apps in the list had the highest (worst) AV scores. The score counts antivirus detections across five categories of malware: adware, trojan, malvertising, riskware and spyware. All of the apps except SuperVPN had a Play Store rating of 4.0 or higher at the time the research was published.
Finding a trustworthy VPN
Dali Kaafar, Professor and Senior Principal Researcher in Online Privacy and Security at CSIRO, advises anyone looking for a VPN app to shop around and compare the functionality of prospective products. Kaafar also suggests that consumers look closely at an app’s permissions to make sure it is not asking for anything irrelevant to the VPN service itself.
CSIRO also has its own free Android app, PrivMetrics, available on Google Play, which can assess the security of your installed apps.
It’s also recommended that you target apps from reputable developers or those that have a history of producing well-regarded security or privacy products.
CSIRO says that reconsidering how the BIND_VPN_SERVICE permission works could reduce the risk, because it currently lets a VPN app intercept any and all traffic from the device. Android does ask the user to confirm the connection once, but after that every packet from every app is handed to the VPN app. That permission grants a great deal of power to a VPN app, power that can be (and often is) misused.
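As an added example (it is not from the CSIRO paper, this article, or PrivMetrics), here is a small Python script that applies Kaafar’s permission advice to a decoded AndroidManifest.xml, such as the one apktool produces. It finds the service guarded by BIND_VPN_SERVICE, which is what marks an app as able to route the device’s traffic, checks that the service is actually guarded (Android requires the guard so that only the system can bind to it), and lists requested permissions that a VPN has no business holding. The package name, the permission baselines and the sample manifest are assumptions constructed for illustration.

```python
"""Flag a VPN app's manifest for permissions unrelated to tunnelling.

Added example for this article; it is not CSIRO's tooling and not PrivMetrics.
It reads a decoded AndroidManifest.xml (as produced by apktool, for instance)
and reports whether the app declares a VpnService, whether that service is
guarded by BIND_VPN_SERVICE, and which requested permissions have nothing to
do with running a VPN.  The permission baselines below are assumptions chosen
for illustration, not lists taken from the paper.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS          # android:name in Clark notation
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS  # android:permission

BIND_VPN = "android.permission.BIND_VPN_SERVICE"
VPN_ACTION = "android.net.VpnService"

# Assumed baseline: what an app that only tunnels traffic plausibly needs.
EXPECTED_FOR_VPN = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Assumed watch-list: permissions that reach user data a VPN never needs.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.SYSTEM_ALERT_WINDOW",
}


def audit_manifest(manifest_xml):
    """Return a dict summarising the VPN-relevant findings for one manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {
        e.get(ATTR_NAME) for e in root.iter("uses-permission") if e.get(ATTR_NAME)
    }
    vpn_services = []
    for svc in root.iter("service"):
        # A VpnService answers the android.net.VpnService intent and must be
        # guarded by BIND_VPN_SERVICE so that only the system can bind to it.
        handles_vpn = any(a.get(ATTR_NAME) == VPN_ACTION for a in svc.iter("action"))
        guarded = svc.get(ATTR_PERMISSION) == BIND_VPN
        if handles_vpn or guarded:
            vpn_services.append({"name": svc.get(ATTR_NAME), "guarded": guarded})
    return {
        "package": root.get("package", "<unknown>"),
        "is_vpn_app": bool(vpn_services),
        "vpn_services": vpn_services,
        "unguarded_vpn_services": [s["name"] for s in vpn_services if not s["guarded"]],
        "sensitive": sorted(requested & SENSITIVE),
        "unexpected": sorted(requested - EXPECTED_FOR_VPN - SENSITIVE),
    }


def verdict(findings):
    """'not a vpn app', 'review' (something to question) or 'clean'."""
    if not findings["is_vpn_app"]:
        return "not a vpn app"
    if findings["sensitive"] or findings["unexpected"] or findings["unguarded_vpn_services"]:
        return "review"
    return "clean"


# Constructed sample: a hypothetical "free VPN" that tunnels traffic but also
# wants SMS, account and camera access.  Not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Free VPN">
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def main(argv):
    # Usage: python audit_vpn_manifest.py [path/to/decoded/AndroidManifest.xml]
    # (hypothetical file name; without an argument the constructed sample is used)
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_MANIFEST
    f = audit_manifest(text)
    print("package: %s  verdict: %s" % (f["package"], verdict(f)))
    for s in f["vpn_services"]:
        state = "guarded by" if s["guarded"] else "MISSING"
        print("  VpnService %s: %s BIND_VPN_SERVICE" % (s["name"], state))
    for p in f["sensitive"]:
        print("  sensitive permission unrelated to a VPN: %s" % p)
    for p in f["unexpected"]:
        print("  other permission to question: %s" % p)


if __name__ == "__main__":
    main(sys.argv)
```

On the constructed sample the script reports the VpnService as properly guarded but flags READ_SMS and GET_ACCOUNTS as sensitive and CAMERA as unrelated, which is exactly the pattern the paper describes: an app that does tunnel traffic yet asks for data it cannot need to do so. The script only reads the manifest, so it says nothing about whether the tunnel is encrypted or leaks traffic; those require testing the connection itself.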
However, CSIRO also suggests that part of the problem lies in the lack of understanding of consumers and reviewers.
“A large fraction of mobile users may however lack the necessary technical background to fully understand the potential implications,” said CSIRO. “Our analysis of the user reviews and the ratings for VPN apps suggested that the vast majority of users remain unaware of such practices even when considering relatively popular apps.”
We’ll do our best to keep you informed of the safest Android VPN products going forward. Let us know in the comments if you have any further questions or concerns in the meantime.