A newly published study has found that the majority of Android VPN apps do not protect the security and privacy of their users in any meaningful way.
The study, titled “An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps,” was completed by a team of researchers from Australia’s Commonwealth Scientific and Industrial Research Organization, the University of South Wales and the University of California at Berkeley. To compile its report, the group examined the source code and networking behaviour of 283 VPNs available to download from the Google Play store.
Some of the study’s more damning findings include the revelation that 18 percent of surveyed apps do not feature end-to-end encryption, meaning they leave their users open to man-in-the-middle hacking attempts.
The study also found that 66 percent of Android VPN apps leak Domain Name System (DNS) data, which gives third parties the opportunity to monitor and manipulate traffic coming from behind those apps.
Another 38 percent of VPN apps included code that was considered malicious by VirusTotal, a Google-owned tool that aggregates antivirus definitions from more than 100 antivirus apps.
Perhaps most disheartening is the fact that, of the 67 percent of apps that list enhanced privacy as one of their selling points, 75 percent use third-party tracking to monitor a user’s online usage.
“Our results show that — in spite of the promises for privacy, security, and anonymity given by the majority of VPN apps — millions of users may be unawarely subject to poor security guarantees and abusive practices inflicted by VPN apps,” say the report’s authors. “Despite the fact that Android VPN-enabled apps are being installed by millions of mobile users worldwide, their operational transparency and their possible impact on user’s privacy and security remains terra incognita even for tech-savvy users.”
If you’re reading this looking for a recommendation, the study’s authors highlighted a single app they thought was worth downloading: F-Secure Freedome VPN.
Source: CSIRO (PDF), via Ars Technica