An alarming number of Android VPN apps provide a decidedly false sense of security to their users, especially those living in areas where communication is censored or where technology is crucial to their privacy and physical security.
A study published recently identified a number of shortcomings common to high percentages of 238 mobile VPN apps analyzed by a handful of researchers.
Users downloading and installing these apps expecting secure communication and connections to private networks are instead using apps that lack encryption, are infected with malware, intercept TLS traffic, track user activity, and manipulate HTTP traffic. “Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as use of insecure VPN tunneling protocols, as well as IPv6 and DNS traffic leakage,” said researchers Muhammad Ikram, Narseo Vallina-Rodriguez, Suranga Seneviratne, Mohamed Ali Kaafar and Vern Paxson, representing Australia’s Commonwealth Scientific and Industrial Research Organization (AU-CSIRO), the University of South Wales, and the International Computer Science Institute at the University of California at Berkeley.
BIND_VPN_SERVICE is used by developers to build clients that intercept, manipulate and forward traffic to a remote proxy or VPN server, or to implement proxies on localhost, the researchers said. It is a powerful Android service that can easily be abused, depending on the developer's intent. The paper describes how the Android VPN API exposes a virtual network interface to a requesting app and routes traffic from the phone or tablet to that app. Developers must declare the BIND_VPN_SERVICE permission in the AndroidManifest file, and only one app can hold the VPN interface at a time. The potential for abuse is high any time traffic is re-routed; Android counters this with two warnings informing the user that a virtual network interface has been created and remains active.
“However, average mobile users may not fully understand, possibly due to the lack of technical background, the consequences of allowing a third-party app to read, block and/or modify their traffic,” the researchers said. The researchers also note that high-end enterprise offerings from Cisco (AnyConnect) and Juniper (Junos), as well as mobile device management products, are built on top of the BIND_VPN_SERVICE feature.
The paper also quantifies the percentage of apps lacking important security features. For example, 18 percent of the VPN apps studied implemented tunneling protocols without encryption despite making privacy promises to users. “Both the lack of strong encryption and traffic leakages can ease online tracking activities performed by in-path middleboxes (e.g., commercial WiFi APs harvesting user’s data) and by surveillance agencies,” the researchers wrote.
The researchers also found that VirusTotal flagged malware in 38 percent of the apps they looked at. A smaller share (16 percent) forwards traffic through peers in the network rather than through a dedicated host, raising trust and privacy issues, they said. The same percentage of apps use proxies that manipulate HTTP traffic by injecting and removing headers or transcoding images, the paper said.
Most of the apps (75 percent) allow third-party tracking of user activity, and 82 percent request permission to access account information and text messages. Finally, the researchers said that four of the apps analyzed compromise users’ root store and actively intercept TLS traffic in flight.
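As an added example, not code from the article or the study, the following Python audit ties together the BIND_VPN_SERVICE declaration described above and the SMS and account permissions the study says most apps request: it reads a decoded AndroidManifest.xml, reports any service handling the android.net.VpnService action, checks whether that service is guarded by the BIND_VPN_SERVICE permission (Android requires this so that only the system can bind to it), and lists permissions a tunnel client has no need for. The manifest it runs on is a constructed sample for a hypothetical app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
VPN_PERMISSION = "android.permission.BIND_VPN_SERVICE"
VPN_ACTION = "android.net.VpnService"
# Permissions the article reports 82 percent of apps requesting; a tunnel needs neither.
UNNEEDED = {"android.permission.READ_SMS", "android.permission.GET_ACCOUNTS"}


def _attr(el, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text):
    """Return the VPN service declarations and unneeded permissions in a manifest."""
    root = ET.fromstring(xml_text)
    services = []
    for svc in root.iter("service"):
        handles_vpn = any(_attr(a, "name") == VPN_ACTION for a in svc.iter("action"))
        guarded = _attr(svc, "permission") == VPN_PERMISSION
        if handles_vpn or guarded:
            services.append({"name": _attr(svc, "name"),
                             "handles_vpn": handles_vpn, "guarded": guarded})
    requested = {_attr(p, "name") for p in root.iter("uses-permission")}
    return {"vpn_services": services,
            "unneeded_permissions": sorted(requested & UNNEEDED)}


def findings(report):
    """Turn an audit report into human-readable review findings."""
    out = []
    for svc in report["vpn_services"]:
        if svc["handles_vpn"] and not svc["guarded"]:
            # Without the permission guard, any app on the device could bind to it.
            out.append("%s: VpnService not guarded by %s" % (svc["name"], VPN_PERMISSION))
    for perm in report["unneeded_permissions"]:
        out.append("requests %s, which a VPN client does not need" % perm)
    return out


# Constructed sample manifest for a hypothetical app; package name and service are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypotheticalvpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <service android:name=".TunnelService">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for line in findings(audit_manifest(SAMPLE_MANIFEST)):
        print(line)
```

On a real APK the manifest is binary-encoded and must first be decoded (for example with apktool) before being fed to audit_manifest.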
“The ability of the BIND_VPN_SERVICE permission to break Android’s sandboxing and the naive perception that most users have about third-party VPN apps suggest that it is urging to re-consider Android’s VPN permission model to increase the control over VPN clients,” the researchers concluded. “Our analysis of the user reviews and the ratings for VPN apps suggested that the vast majority of users remain unaware of such practices even when considering relatively popular apps.”