Figure: the VPN clients were tested for three possible modes of traffic interception and redirection: local interception (1); redirection to the cloud through the VPN server (2); peer forwarding through a node participating in the system (3). Traffic sniffing and analysis were performed with the ICSI Netalyzr sniffer via a configured WiFi access point.

With the release of Android 4.0 in October 2011, mobile application developers received native support for embedded VPN clients through the Android VPN Service class. Unlike desktop operating systems, where an application needs root access to create virtual interfaces, on Android an application only needs to request the BIND_VPN_SERVICE permission to create a VPN client.
Official Android OS documentation warns of serious security issues when using this class. Having received such permission, the application gains the right to intercept and fully control the traffic from the device.
Why might a program need VPN permission? Some applications use this feature to bypass government censorship, protect against intruders and ensure anonymity; here a VPN is quite appropriate. However, many more malicious applications ask for permission to tunnel traffic for one reason only: to collect sensitive data. Unfortunately, some users do not have enough technical knowledge to understand the powers and all the dangers of an Android application that has gained access to the VpnService class, despite all the warnings that the OS gives.
A team of security experts from the University of California at Berkeley (USA), the University of New South Wales (Australia), and the Commonwealth Scientific and Industrial Research Organisation (CSIRO, Australia) conducted a study on how common the leakage of confidential data is through Android applications that have access to BIND_VPN_SERVICE. They studied 283 applications from the Google Play catalog: VPN clients (67%), corporate programs with VPN (10%), traffic optimizers (4%), messengers with VPN (3%), traffic filters (2%), traffic loggers (2%), antivirus (1%), Tor clients (1%) and others (10%).
To evaluate the programs, a test suite was developed that combines static code analysis and specially developed active network test methods. Apparently, this is the first large-scale analysis of VPN clients for Android for information leakage.
Static analysis covered the permissions that applications request, detection of third-party tracking libraries (using ApkTool), and detection of viruses and malicious components (using the open VirusTotal API).
For example, the table shows the results of antivirus scanning of popular VPN clients with more than 500 thousand installations. As you can see, for half of them the antivirus check gave a positive result (column “AV check” in the table), and the other half of the VPN clients came back clean (or successfully cheated the antivirus).
| Application | Class | Rating | Reviews | Installations | AV check |
|---|---|---|---|---|---|
| EasyOvpn | Free | 4.2 | 84,400 | 5 million | + |
| VPN Free | Paid | 4.0 | 15,788 | 1 million | + |
| Tigervpns | Free | 4.1 | 36,617 | 1 million | + |
| DNSet | Paid | 4.0 | 21,699 | 500 thousand | - |
| CM Data Manager | Paid | 4.3 | 11,005 | 1 million | - |
| Rocket vpn | Free | 4.2 | 11,625 | 500 thousand | + |
| Globus VPN | Free | 4.3 | 14,273 | 500 thousand | - |
| Spotflux VPN | Free | 4.0 | 14,095 | 500 thousand | - |
| Cyberghost | Free | 4.0 | 13,689 | 500 thousand | + |
If we consider less popular clients as well as the popular ones, the programs in which the largest number of antiviruses found malicious code are: OkVpn (24 antiviruses with a positive result), EasyVpn (22), SuperVPN (13), Betternet (13), CrossVpn (11), Archie VPN (10), HatVPN (10), sFly Network Booster (10), One Click VPN (6), Fast Secure Payment (5).
Static analysis of functionality and active traffic analysis revealed several alarming facts. It turned out that 18% of VPN clients do not encrypt user traffic at all, and 38% of clients inject malicious software or malicious advertising into traffic for the specific purpose of accessing user information. Ironically, people install such programs in order to protect their information from unauthorized access, protect their anonymity and maintain confidentiality, and in practice they get the opposite. These malicious VPN clients are installed on computers of tens of millions of users.
The researchers found that 80% of applications request access to various confidential information, including user accounts and text messages. Two-thirds of VPN clients are equipped with third-party tracking libraries. This is significantly more than in conventional applications.
Figure: distribution of third-party tracking libraries in free and paid VPN clients, as well as in all applications from the Google Play catalog (for comparison).

Although the majority of these applications do allow anonymous work on the Internet (in a sense), in reality they collect a large amount of personal data about users, which can then be sold to third parties.
According to Google Play review analysis, only 1% of users expressed some concern about privacy or security regarding VPN clients on their Android smartphone.
Prior to the publication of the report (pdf), it was sent to VPN client developers and other security professionals. As a result, some developers have fixed security vulnerabilities in their programs, while others have removed them from the Google Play directory. “Always pay attention to the permissions of the applications you are downloading,” said Professor Dali Kaafar, CSIRO's principal online privacy and security researcher. “The study showed that users of VPN clients should study how serious the problems with these applications are and how great are the risks to which they expose themselves when using such services.”