VPNs are not as private as the name suggests: CSIRO

Batu69

The CSIRO has found that the majority of Android VPN apps are not transparent enough about how a user's information and traffic is handled.

The Commonwealth Scientific and Industrial Research Organisation (CSIRO) has warned users of virtual private networks (VPN) that they may not be as secure as the name suggests.

The CSIRO recently looked at 283 Android VPN apps, investigating a wide range of security and privacy features to compile its report [PDF], An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps.

The research organisation found that 18 percent of the apps probed fail to encrypt users' traffic, with 38 percent injecting malware or malvertising straight into the user's device, and over 80 percent requesting access to sensitive data such as user accounts and text messages.

16 percent of the analysed VPN apps deploy non-transparent proxies that modify a user's HTTP traffic by injecting and removing headers or performing techniques such as image transcoding.

In addition, two VPN apps were found to be actively injecting JavaScript code on user traffic for advertisement and tracking purposes, with one redirecting ecommerce traffic to external advertising partners.

"The very reason users install these apps -- to protect their data -- is the very function they are not performing and these apps have been installed by tens of millions of users," the report says.

While most of the examined apps offer "some form of" online anonymity, the CSIRO said that some app developers deliberately sought to collect personal user information that could then be sold on to external partners.

Less than 1 percent of users, however, had any security or privacy concerns about these apps.

18 percent of VPN apps were found to implement tunneling technologies without encryption, while 84 percent and 66 percent of apps were leaking IPv6 and DNS traffic, respectively. As a result, these apps do not protect user traffic against in-path agents performing online surveillance or user tracking, the report explained.

The Google Play Store descriptions for 94 percent of the IPv6- and DNS-leaking apps, however, claim to provide privacy protection.

Before publishing its report, the CSIRO reached out to developers whose apps displayed security shortcomings, noting that several took action to fix vulnerabilities, with some apps removed from the Google Play Store as a result.

"Despite the fact that Android VPN-enabled apps are being installed by millions of mobile users worldwide, their operational transparency and their possible impact on a user's privacy and security remains 'terra incognita' even for tech-savvy users," the report concludes.

Article source

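The IPv6 and DNS leak figures in the post above (84 percent and 66 percent of apps) describe a tunnel that captures IPv4 traffic but leaves other traffic on the physical interface. The following Python script is an added example, not code from the CSIRO study or from ZDNet: it shows how such a leak is detected from a host's routing tables by parsing `ip route`-style output, doing a longest-prefix lookup for a test address in each address family and for each configured resolver, and reporting which of them bypass the tunnel interface. The routing tables, resolver list and interface names are constructed sample data, and the lookup ignores route metrics and policy routing, which a check on a real host would also have to consider.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed sample routing tables in the style of `ip route` and
# `ip -6 route` on a Linux host with a VPN tunnel on tun0.  The VPN
# client installed the two /1 routes that swallow all IPv4 traffic and a
# host route so the VPN server itself stays reachable, but it pushed no
# IPv6 routes at all, so the IPv6 default route still points at wlan0.
ROUTES_V4 = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""

ROUTES_V6 = """\
fe80::/64 dev wlan0 proto kernel metric 256
default via fe80::1 dev wlan0 proto ra metric 600
"""

# Constructed resolver list: the first sits inside the tunnel network,
# the second is the home router handed out by DHCP before the VPN came up.
RESOLVERS = ["10.8.0.1", "192.168.1.1"]

Route = Tuple[object, str]  # (ip_network, egress interface name)


def parse_routes(text: str, version: int) -> List[Route]:
    """Turn `ip route` style lines into (network, interface) pairs."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        dev = parts[parts.index("dev") + 1]
        if parts[0] == "default":
            net = ip_network("0.0.0.0/0" if version == 4 else "::/0")
        else:
            # strict=False also accepts host routes such as 203.0.113.10 (/32)
            net = ip_network(parts[0], strict=False)
        routes.append((net, dev))
    return routes


def egress_interface(routes: List[Route], address: str) -> Optional[str]:
    """Longest-prefix match; metrics and policy routing are ignored here."""
    addr = ip_address(address)
    best: Optional[Route] = None
    for net, dev in routes:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dev)
    return best[1] if best else None


def audit_tunnel(routes_v4: str, routes_v6: str, resolvers: List[str],
                 tun: str = "tun0") -> Dict[str, object]:
    """Report whether IPv4, IPv6 and resolver traffic actually leave via the tunnel."""
    v4 = parse_routes(routes_v4, 4)
    v6 = parse_routes(routes_v6, 6)
    # Documentation-only addresses stand in for "some host on the Internet".
    ipv4_dev = egress_interface(v4, "198.51.100.1")
    ipv6_dev = egress_interface(v6, "2001:db8::1")
    leaking = [r for r in resolvers if egress_interface(v4 + v6, r) != tun]
    return {
        "ipv4_tunneled": ipv4_dev == tun,
        "ipv6_tunneled": ipv6_dev == tun,
        "leaking_resolvers": leaking,
    }


if __name__ == "__main__":
    for key, value in audit_tunnel(ROUTES_V4, ROUTES_V6, RESOLVERS).items():
        print(f"{key}: {value}")
```

On the sample tables the script reports IPv4 as tunneled, IPv6 as not tunneled, and 192.168.1.1 as a resolver reached outside the tunnel, which is exactly the "misconfiguration" pattern behind the leak statistics: the client never claimed the IPv6 default route and never replaced the DHCP resolver.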

The original article

https://blog.csiro.au/tinker-torrentor-streamer-spy-vpn-privacy-alert/

The part ZDNet forgets to mention is that you need to shop around and not install just anything.

Quote

Mr Kaafar encourages users to shop around, compare functionality and read app reviews before signing up to a particular VPN app to avoid falling for the illusion of privacy that some of these apps offer.

“Always pay attention to the permissions requested by apps that you download. This study shows that VPN app users, in particular, should take the time to learn about how serious the issues with these apps are and the significant risks they are taking using these services.”

It's just like desktop VPNs and browser VPNs: many free ones spy on you. You need to buy a VPN and stick to the ones you trust on desktop. Nothing is really free; free almost always means 30-day logs are higher and/or them selling your data to 3rd parties in exchange for using their bandwidth.


5 hours ago, steven36 said:

It's just like desktop VPNs and browser VPNs: many free ones spy on you. You need to buy a VPN and stick to the ones you trust on desktop. Nothing is really free; free almost always means 30-day logs are higher and/or them selling your data to 3rd parties in exchange for using their bandwidth.

And users need to realize that a VPN hides your IP address; it doesn't necessarily make you untraceable, since a 'fingerprint' of your system could still be obtained, and one slip-up or a previous use without a VPN could result in your being tracked down. It only took one time for Sabu of LulzSec to forget to use his Tor connection for the FBI to nail him. With the more modern tools they have today that can 'fingerprint' a system, the ability to remain hidden is greatly reduced. So you want to use the best security you can afford. You can obfuscate your fingerprint by using a Virtual Machine and creating a new OS install frequently. And nothing says you can't use a VM with a VPN and run a Tor browser.


Researchers Issue Security Warning Over Android VPN Apps

A research team has issued a warning over the lack of security in many VPN apps available from Google Play. A worrying 38% of the apps tested contained some kind of malware while 67% featured at least one third-party tracking library. More than eight out of ten leaked IPv6 traffic.

There was a time when the Internet was a fairly straightforward place to navigate, with basic software, basic websites and few major security issues. Over the years, however, things have drastically changed.

Many people now spend their entire lives connected to the web in some way, particularly via mobile devices and apps such as Facebook and the countless thousands of others now freely available online.

For some users, the idea of encrypting their traffic has become attractive, from both a security and anti-censorship standpoint. On the one hand people like the idea of private communications and on the other, encryption can enable people to bypass website blocks, wherever they may occur and for whatever reason.

As a result, millions are now turning to premium VPN packages from reputable companies. Others, however, prefer to use the all-in-one options available on Google’s Play store, but according to a new study, that could be a risky strategy.

A study by researchers at CSIRO’s Data61, University of New South Wales, and UC Berkeley, has found that hundreds of VPN apps available from Google Play presented significant security issues including malware, spyware, adware and data leaks.

Very often, users look at the number of downloads combined with the ‘star rating’ of apps to work out whether they’re getting a good product. However, the researchers found that among the 283 apps tested, even the highest ranked and most-downloaded apps can carry nasty surprises.

“While 37% of the analyzed VPN apps have more than 500K installs and 25% of them receive at least a 4-star rating, over 38% of them contain some malware presence according to VirusTotal,” the researchers write.

The five types of malware detected can be broken down as follows: Adware (43%), Trojan (29%), Malvertising (17%), Riskware (6%) and Spyware (5%). The researchers ordered the most problematic apps by VirusTotal AV-Rank, which represents the number of anti-virus tools that identified any malware activity.

The worst offenders, according to the report (table image not reproduced here)

The researchers found that only a marginal number of VPN users raised any security or privacy concerns in the review sections for each app, despite many of them having serious problems. The high number of downloads seems to suggest that users have confidence in them, despite their issues.

“According to the number of installs of these apps, millions of users appear to trust VPN apps despite their potential maliciousness. In fact, the high presence of malware activity in VPN apps that our analysis has revealed is worrisome given the ability that these apps already have to inspect and analyze all user’s traffic with the VPN permission,” the paper reads.

The growing awareness of VPNs and their association with privacy and security has been a hot topic in recent years, but the researchers found that many of the apps available on Google Play offer neither. Instead, they featured tracking of users by third parties while demanding access to sensitive Android permissions.

“Even though 67% of the identified VPN Android apps offer services to enhance online privacy and security, 75% of them use third-party tracking libraries and 82% request permissions to access sensitive resources including user accounts and text messages,” the researchers note.

Even from this low point, things manage to get worse. Many VPN users associate the product they’re using with encryption and the privacy it brings, but for almost one-fifth of apps tested by the researchers, the concept is alien.

“18% of the VPN apps implement tunneling protocols without encryption despite promising online anonymity and security to their users,” they write, adding that 16% of tested apps routed traffic through other users of the same app rather than utilizing dedicated online servers.

“This forwarding model raises a number of trust, security, and privacy concerns for participating users,” the researchers add, noting that only Hola admits to the practice on its website.

And when it comes to the handling of IPv6 traffic, the majority of the apps featured in the study fell short in a dramatic way. Around 84% of the VPN apps tested had IPv6 leaks while 66% had DNS leaks, something the researchers put down to misconfigurations or developer-induced errors.

“Both the lack of strong encryption and traffic leakages can ease online tracking activities performed by in-path middleboxes (e.g., commercial WiFi [Access Points] harvesting user’s data) and by surveillance agencies,” they warn.

While the study (pdf) is detailed, it does not attempt to rank any of the applications tested, other than showing a table of some of the worst offenders. From the perspective of the consumer looking to install a good VPN app, that’s possibly not as helpful as they might like.

Instead, those looking for a VPN will have to carry out their own research online before taking the plunge. Sticking with well-known companies that are transparent about their practices is a great start. And, if an app requests access to sensitive data during the install process for no good reason, get rid of it. Finally, if it’s a free app with a free service included, it’s a fair assumption that strings may be attached.

Source
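Both reposted articles note that over 80 percent of the analysed apps request access to sensitive resources such as user accounts and text messages, and the CSIRO quote earlier in the thread advises paying attention to the permissions an app requests. The following Python script is an added example, not code from the study or from either article: it parses an AndroidManifest.xml, recognises a VPN app the way the paper's title does (a service carrying the BIND_VPN_SERVICE permission or the android.net.VpnService intent action), and lists the requested permissions a tunnel has no technical need for. The manifest, the package name and the flagged-permission set beyond accounts and SMS are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
VPN_SERVICE_PERMISSION = "android.permission.BIND_VPN_SERVICE"
VPN_SERVICE_ACTION = "android.net.VpnService"

# Permissions a VPN tunnel does not need.  The study singled out user
# accounts and text messages; the remaining entries are an assumption
# made for this example, not the paper's list.
SENSITIVE_PERMISSIONS = {
    "android.permission.GET_ACCOUNTS": "user accounts",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "text messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

# Constructed manifest for a hypothetical app; the package name is made up.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Free VPN">
        <service android:name=".TunnelService"
                 android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter>
                <action android:name="android.net.VpnService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def attr(element: ET.Element, name: str) -> str:
    """Read an attribute from the android: namespace, or '' if absent."""
    return element.get(f"{{{ANDROID_NS}}}{name}", "")


def is_vpn_app(root: ET.Element) -> bool:
    """True if any declared service is exposed as a VpnService."""
    for service in root.iter("service"):
        if attr(service, "permission") == VPN_SERVICE_PERMISSION:
            return True
        for action in service.iter("action"):
            if attr(action, "name") == VPN_SERVICE_ACTION:
                return True
    return False


def triage_manifest(manifest_xml: str) -> Dict[str, object]:
    """Summarise a manifest: package, VPN capability, and questionable permissions."""
    root = ET.fromstring(manifest_xml)
    requested = [attr(up, "name") for up in root.iter("uses-permission")]
    flagged: List[Tuple[str, str]] = [
        (perm, SENSITIVE_PERMISSIONS[perm])
        for perm in requested if perm in SENSITIVE_PERMISSIONS
    ]
    return {
        "package": root.get("package", ""),
        "vpn_app": is_vpn_app(root),
        "requested": requested,
        "flagged": flagged,
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(f"{report['package']}: VPN app = {report['vpn_app']}")
    for perm, what in report["flagged"]:
        print(f"  requests {perm} ({what}) - not needed to run a tunnel")
```

The same function can be pointed at a manifest extracted from a real APK with apktool or a similar decoder; a VPN app that legitimately needs only INTERNET and its VpnService declaration but also asks for accounts or SMS access is exactly the case the researchers and Mr Kaafar tell users to treat with suspicion.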


Since ISPs have been made liable and responsible for spying on their paying clients, VPNs, as flawed as they are, are not a viable way to secure your data traffic... But there is very little in the way of an alternative for how to remain anonymous.


This topic is now archived and is closed to further replies.