The Commonwealth Scientific and Industrial Research Organisation (CSIRO) has warned users of virtual private networks (VPN) that they may not be as secure as the name suggests.
The CSIRO recently looked at 283 Android VPN apps, investigating a wide range of security and privacy features to compile its report , An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps.
The research organisation found that 18 percent of the apps probed fail to encrypt users’ traffic, with 38 percent injecting malware or malvertising straight into the user’s device, and over 80 percent requesting access to sensitive data such as user accounts and text messages.
“The very reason users install these apps to protect their data is the very function they are not performing and these apps have been installed by tens of millions of users” the report says.
While most of the examined apps offer “some form of” online anonymity, the CSIRO said that some app developers deliberately sought to collect personal user information that could then be sold on to external partners.
Less than 1 percent of users, however, had any security or privacy concerns about these apps.
18 percent of VPN apps were found to implement tunneling technologies without encryption, while 84 percent and 66 percent of apps were leaking IPv6 and DNS traffic, respectively. As a result, these apps do not protect user traffic against in-path agents performing online surveillance or user tracking, the report explained.
Before publishing its report, the CSIRO reached out to developers whose apps displayed security shortcomings, noting that several took action to fix vulnerabilities, with some apps removed from the Google Play Store as a result.
Despite the fact that Android VPN-enabled apps are being installed by millions of mobile users worldwide, their operational transparency and their possible impact on user’s privacy and security remains ‘terra incognita’ even for tech-savvy users.