CSIRO: Most Mobile VPNs Aren't Secure

If you're using a VPN app to secure your smartphone — maybe to download torrents, maybe to make your online banking a little safer — then chances are it's not doing what it claims to. A paper co-authored by CSIRO's data science arm examined nearly 300 Android VPN apps and found that almost all of them leak some kind of user traffic data.

Research scientists Dali Kaafar, Suranga Seneviratne and Muhammad Ikram from Data61 contributed to the report alongside Narseo Vallina-Rodriguez from ICSI and Vern Paxson from UC Berkeley. The report, which examined 283 apps from the Google Play Store that use Android's integrated virtual private network permission, found some pretty stark results: 18 per cent of apps didn't encrypt any of the traffic that travelled through them, and a full 84 per cent didn't disguise DNS traffic or support IPv6 tunnelling — more secure than the widely used IPv4.

38 per cent of all Android VPN apps surveyed by the CSIRO team were found to contain some kind of malware that infected users' phones, over 80 per cent asked permission to access users' text messages or Google account data, and 16 per cent injected ads or headers — including JavaScript ads and redirects to advertising-supported online shopping — into VPN users' seemingly secure sessions.

What's almost worse is the fact that barely 1 per cent of VPN reviews — "a marginal number", according to the report — on the Google Play Store mention any kind of security or privacy concerns, suggesting people using the apps just don't know how insecure their communications actually are.

CSIRO actually has its own app, PrivMetrics, that ranks apps on your Android phone in terms of their privacy risk level and the permissions that they ask for. It'll also suggest more secure alternatives to your installed apps if available.

The takeaway from this is that you should always be sceptical of claims made by apps, especially those purporting to be entirely secure. While you should be sceptical even of this recommendation, we've used Private Internet Access in the past and found it — on the surface at least — to be reliable and reputable. CSIRO's Kaafar: "Always pay attention to the permissions requested by apps that you download. This study shows that VPN app users, in particular, should take the time to learn about how serious the issues with these apps are and the significant risks they are taking using these services."

In other news, the Australian National University also just announced that renowned technologist, former vice president at Intel and the company's first female Senior Fellow, Dr Genevieve Bell, has joined ANU in Canberra and will be collaborating with Data61 and CSIRO in the future. [CSIRO]


Comments

    Users should need to keep in check what type of permissions apps require to work. Most of the good VPN apps just require to be connected to certain permission. That is the case with good brands like PureVPN which I am using right now and quite satisfied with it.

    It's all an illusion, this internet was weaponized from inception. Privacy is a fairy tale.

    so are they going to tell us which ones are the good ones? or not

      Having read the actual report. Pretty much none of them. You are better off using inbuilt tools. Most modern day smartphones allow you to connect to a VPN network through the network settings.

    Oh suuuure, that's exactly what the government wants you to think!

    Title should be 'CSIRO: Most Android VPNs aren't secure'.
    Most iOS VPNs may also be insecure but this was not tested.

    Stock photos are great.

    Fake phone? check
    Fake tablet? check
    Matte image of a server room? check

    I wouldn't be surprised at this point if the model was fake too.

    What?! You only get what you pay for?!
    Well, colour me surprised...

    I use PIA but use the OpenVPN app instead of their client.

    Being open source at least I know it's free of malware.
