VPN on Android means 'Voyeuristic Peeper Network' in many cases A worrying number of VPN apps for Android mobile devices are rife with malware, spying, and code injection, say researchers. A study [PDF] from CSIRO Data61 in Australia, the University of New South Wales in Australia and the University of California at Berkeley found that Android apps advertising themselves as VPN clients …
"82 per cent of the VPN apps requested permission to access sensitive data on the device, such as SMS history."
So, 18 per cent less than other Android apps? I know 82% should seem horrible, but it doesn't.
This is from that .pdf, which might be of interest to some...
"Two of the analyzed VPN apps actively block ads and analytics traffic by default on our tested websites: Secure Wireless and F-Secure Free-dome VPN. The apps did not explicitly mention ad-blocking feature in the Google Play store listings. An analysis of the decompiled source code, using ApkTool, revealed that F-Secure Freedome VPN app blocks any traffic coming from a pre-defined list of domains associated with web and mobile tracking including Google Ads, DoubleClick, and other popular tagging/analytics services such as Google Tag and comScore."
"82 per cent of the VPN apps requested permission to access sensitive data on the device, such as SMS history."
Really ? I dont think my vpn provider purevpn is accessing my sensitive data. They have mentioned in their official policy page that they dont keep logs of user's data.
This post has been deleted by its author
Your guarantee that the permissions listed are the permissions requested. I remember when these same security "experts" criticised androids fine grained security model, all the time, whilst some just let you read your phone contacts and upload them in the background...
http://www.digitaltrends.com/apple/all-your-contacts-are-belong-to-us-what-apps-are-uploading-your-address-book-and-why/
Of course they're harvesting your data. You have to find a service that you pay for first and foremost, anyone thinking a free VPN service is a good option deserves what they get.
Why does Google even allow apps that want to grub around in your SMS messages (for example) when they have no reason to? They ought to categorize apps, and apps in the "VPN" category should be limited in what permissions they ask for. No reason they should access SMS, phone, pictures, etc. for instance. Obviously they aren't able to police things very well now based on these study results.
Exactly - I don't often read privacy policies (since I assume most of the time my personal data's going to be sold to the highest bidder irrespective of the service) but with VPNs it's worth reading the fine print - Tunnello (a free VPN) has got terrific feedback from users but they log your activities on their service - all you're really getting is 'free' IP spoofing. Caveat emptor.
What we would really need is the ability for a third option for each app beyond "allow" or "deny". The third option would be "provide dummy values". Sure, nosy app, you can look at my SMS history, phone status, and emails - only, you'll find I have never received or sent an SMS, my address book is empty, my phone is never used and never rings, and I have no email accounts. I don't think you'll stop working because of this.
What kind of idiot would use a FREE VPN? They have to pay for development some how...
The most friendly of the free apps would block and substitute their own ads in the traffic. It could only get worse from there...
I wonder how many of these Free apps are funded by security agencies. If you look at the terms of service, I bet any of a reasonable length are... they probably call themselves "publicly funded".
Funny.
I wonder how many of these Free apps are funded by security agencies
Never attribute to malice that which can be adequately explained by stupidity.
Really the TLA have little to worry about if this paper's review of VPN apps it anything to go by: the vast majority fail on the most fundamental security issues (e.g. encryption, DNS & IPv6 leaks) so provide little problem for them, but possibly do enough to get past content-blocking which is probably a main motive for most folk.
>Never attribute to malice or stupidity that which can be adequately explained by greed.
FTFY
Isn't monkeying around with your data the whole point of the retail IT industry?
Hello mobile, meet my barge pole. No, you can't touch it.
The false data idea is my favorite, especially if we can link it to the FBI's most wanted list.
While it's not anonymous as such, I run my own VPN using a VPS so I can tunnel to it from anywhere. It's enough to make life difficult for anyone wanting to eavesdrop when I use public wifi because I have control over the encryption on the wifi part. It was also of limited use in China, not being a recognised endpoint.
When taking into account the reasons for using a VPN I really don't understand the logic behind using free VPN components when it seems so blatantly obvious that it will have been compromised by design in some element of its service. Moreso when you can buy a perfectly good secure service that integrates with the OpenVPN client for absolute peanuts.
I pay 30 euros every six months for mine which if my maths is correct is approximately £4 per month at current exchange rates.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
