
Android VPN apps failing to offer the security functions they advertise, study finds

When you use a virtual private network (VPN), it prevents your internet service provider from knowing what content or sites you are accessing. In theory.

But a recent analysis of 283 Android VPN apps on the Google Play store found that more than 80 per cent of them leak user traffic outside the tunnel, while almost 20 per cent do not encrypt the tunnelled traffic at all.


The research, conducted by a team of researchers from the CSIRO, the University of NSW and the University of California, Berkeley, revealed that in some cases free VPN apps allowed malware or "malvertising" as "a deliberate way to monetise the app," by accessing personal information that could be sold to external partners.

After the team's findings were released, a number of apps were removed from the Google Play store.

"We were not really expecting the magnitude of issues that we found," said Dali Kaafar, a researcher from CSIRO's Data61 unit.

"[It is] spooky behaviour...and surprising that almost one in five apps was not encrypting traffic at all…it was not a VPN tunnel at all, it was a fake tunnel sending all the traffic out."


On Android, a VPN app uses the platform's VPN permission to route all of the device's network traffic through itself, running in the background while other apps and programs are in use.

They are commonly used to circumvent geo-blocked websites, such as overseas Netflix libraries, or region-restricted sites streaming sporting events.

More generally they are used to maintain privacy and security, for instance by employees accessing email or an office network from home.

A 2015 poll of more than 1000 people by Essential Research found that 16 per cent had used a VPN or the anonymising Tor network to protect their privacy online.

"Ideally, when these apps run smoothly, they would offer you end-to-end encryption of the traffic from your device to whatever server has been set as the VPN. Think of it as a tunnel hiding all your traffic from any external observation," Dr Kaafar said.

"But 18 to 20 per cent of these apps are not encrypting traffic at all, they are not offering anything, [only] a false sense of security."

Dr Kaafar also said it was concerning to see how many apps requested permissions they did not need or use, such as access to SMS messages, call logs, contacts, browser history and bookmarks, accounts and location.
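One way to check an app for exactly this kind of over-reach is to audit its manifest for permissions a tunnelling app has no business requesting. The following is an added example, not code from the study or from any app named in the article; it assumes the app's AndroidManifest.xml has already been decoded from the APK (for instance with apktool), and the allow-list, the sensitive-permission table and the sample manifest are the editor's own constructions.

```python
"""Flag permissions a VPN app requests that it has no need for.

Added example, not code from the CSIRO/UNSW/Berkeley study. Assumes the
manifest has already been decoded from the APK. SAMPLE_MANIFEST is a
constructed sample, not the manifest of any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a tunnelling app plausibly needs (editor's assumption).
# BIND_VPN_SERVICE is declared on the <service>, not as a uses-permission,
# so it is deliberately absent from this set.
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# The data categories the researchers called out, mapped to the standard
# Android permission strings that grant them.
SENSITIVE = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browser history and bookmarks",
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}


def requested_permissions(manifest_xml):
    """Set of permission names from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def declares_vpn_service(manifest_xml):
    """True if some <service> is protected by BIND_VPN_SERVICE, i.e. the app really is a VPN."""
    root = ET.fromstring(manifest_xml)
    return any(s.get(ANDROID_NS + "permission") == "android.permission.BIND_VPN_SERVICE"
               for s in root.iter("service"))


def audit_manifest(manifest_xml):
    """Return (sensitive, unexpected).

    sensitive: requested permission -> the personal data it exposes.
    unexpected: every other requested permission outside EXPECTED, sorted.
    """
    requested = requested_permissions(manifest_xml)
    sensitive = {p: SENSITIVE[p] for p in requested if p in SENSITIVE}
    unexpected = sorted(requested - EXPECTED - set(SENSITIVE))
    return sensitive, unexpected


# Constructed sample manifest for a hypothetical free VPN app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Free VPN">
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    sensitive, unexpected = audit_manifest(SAMPLE_MANIFEST)
    print("is a VPN app:", declares_vpn_service(SAMPLE_MANIFEST))
    for perm, data in sensitive.items():
        print(f"sensitive: {perm} grants access to {data}")
    for perm in unexpected:
        print(f"unexpected: {perm}")
```

The allow-list is the part to tune: a permission outside it is not proof of misbehaviour, only a prompt to ask what the app does with it, which is the question the researchers put to the developers.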

The research paper ranked 10 apps according to their maliciousness:

  1. OKVpn
  2. EasyVpn
  3. SuperVpn
  4. Betternet
  5. CrossVpn
  6. Archie VPN
  7. HatVPN
  8. sFly Network Booster
  9. One Click VPN
  10. Fast Secure Payment

Dr Kaafar said around 80 per cent of the apps assessed had some form of leak, meaning that an external observer could still see which website a user was accessing even where the tunnel itself was encrypted.
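Both failure modes the researchers describe, traffic escaping the tunnel and a "fake tunnel" that carries readable plaintext, can be checked from a packet capture taken on the phone's physical interface, or at the access point it connects through, while the VPN app reports it is connected. The script below is an added example written for this page, not code from the study; it assumes the VPN server's address and port are known (VPN_SERVER, set to a documentation-range address here), and the packet records are constructed sample data rather than a real capture.

```python
"""Audit a capture for VPN leaks and for plaintext inside the tunnel.

Added example, not code from the CSIRO/UNSW/Berkeley study. Assumes packets
were captured outside the VPN app (physical interface or access point) while
the app reported a working tunnel, and that the tunnel endpoint is known.
SAMPLE_PACKETS is constructed data, not a real capture.
"""
import math
from collections import Counter
from dataclasses import dataclass

VPN_SERVER = ("203.0.113.10", 1194)   # assumed tunnel endpoint (documentation range)
ENTROPY_FLOOR = 6.0                   # bits/byte; ciphertext sits near 8, ASCII protocols well below


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    proto: str        # "udp" or "tcp"
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Finding:
    index: int        # position of the packet in the capture
    kind: str         # "leak" (bypassed the tunnel) or "plaintext" (readable inside it)
    detail: str


def build_dns_query(name, txid=0x1234):
    """Wire-format DNS A query for `name`; used only to build sample data."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    qname = b"".join(len(l).to_bytes(1, "big") + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + b"\x00\x01\x00\x01"   # QTYPE=A, QCLASS=IN


def dns_query_name(payload):
    """Return the queried name if `payload` parses as a plain DNS query, else None."""
    if len(payload) < 17:
        return None
    flags = int.from_bytes(payload[2:4], "big")
    qdcount = int.from_bytes(payload[4:6], "big")
    if flags & 0x8000 or qdcount == 0:      # QR=1 is a response; no question section means not a query
        return None
    labels, i = [], 12
    while i < len(payload):
        length = payload[i]
        if length == 0:                      # end of name; QTYPE and QCLASS must follow
            return ".".join(labels) if labels and i + 5 <= len(payload) else None
        if length > 63 or i + 1 + length > len(payload):
            return None
        labels.append(payload[i + 1:i + 1 + length].decode("ascii", "replace"))
        i += 1 + length
    return None


def looks_like_http(payload):
    """True for a plaintext HTTP/1.x request line at the start of the payload."""
    method = payload[:16].split(b" ", 1)[0]
    return method in {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"} and b" HTTP/1." in payload[:200]


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 means every byte value is equally common."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def audit(packets, vpn_server=VPN_SERVER):
    """Classify each packet: anything not addressed to the tunnel endpoint is a
    leak; traffic to the endpoint that is recognisably DNS/HTTP, or has
    suspiciously low entropy, means the tunnel is not encrypting."""
    findings = []
    for idx, p in enumerate(packets):
        name = dns_query_name(p.payload)
        if (p.dst_ip, p.dst_port) != vpn_server:
            what = f"DNS query for {name}" if name else f"{p.proto} traffic"
            findings.append(Finding(idx, "leak", f"{what} to {p.dst_ip} bypassed the tunnel"))
        elif name or looks_like_http(p.payload):
            findings.append(Finding(idx, "plaintext", "readable DNS/HTTP inside the supposed tunnel"))
        elif len(p.payload) >= 64 and shannon_entropy(p.payload) < ENTROPY_FLOOR:
            findings.append(Finding(idx, "plaintext",
                                    f"low-entropy tunnel payload ({shannon_entropy(p.payload):.2f} bits/byte)"))
    return findings


# Constructed sample capture: a DNS query sent straight to a resolver, a
# ciphertext-looking tunnel packet, a plaintext HTTP request sent to the
# "tunnel", and an IPv6 flow that never entered the tunnel.
SAMPLE_PACKETS = [
    Packet("198.51.100.53", "udp", 53, build_dns_query("example.com")),
    Packet("203.0.113.10", "udp", 1194, bytes(range(256))),           # stand-in for ciphertext
    Packet("203.0.113.10", "tcp", 1194, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Packet("2001:db8::1", "tcp", 443, b"\x16\x03\x01\x00\x10" + bytes(16)),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PACKETS):
        print(f"packet {f.index}: {f.kind}: {f.detail}")
```

The entropy test is deliberately applied only to payloads of 64 bytes or more, since short packets give unreliable estimates; a real run should also exclude the VPN app's own control-channel traffic before reading the numbers.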

"Another very alarming find was the presence of malware in some of these apps. Thirty-eight per cent showed some form of malware or malvertising...which is a very serious issue," he said.

"Some of these apps have been installed by more than 50 million people...cumulatively we are talking hundreds of millions of people [who use these apps]."

The developers of all apps that produced concerning results were contacted by the research team between May and June last year. It is understood that some have since updated their apps to remove malware and fix other issues.

"We contacted all the app developers and shared with them all the findings and we had a variety of reactions and feedback," Dr Kaafar said.

"Most developers acknowledged the problems and took actions to fix them...but unfortunately several others acknowledged they were [allowing] these actions to monetise the apps."

As part of the study, the team also analysed user reviews and ratings for VPN apps, finding that less than one per cent of negative reviews actually raised privacy or security concerns.

A Google spokesperson said it took security "extremely seriously" and vetted all apps to ensure they were compliant with Play policies.