Android VPNs to get audit badges in Google Play Store if they aren't comically crap

Google wants to help Android users find more trustworthy VPN apps through better badging alerting to independent audits. The ad impresario and cloud concession has afforded independently audited applications in its Play store a more prominent display of their security bonafides, specifically a banner atop their Google Play …

  1. Flip

    Warning!

    Why not take the additional step to mark VPN apps that don't meet MASA criteria with a big red warning banner that warns users that the app is potentially unsafe?

    1. IGotOut Silver badge

      Re: Warning!

      Or, crazy I know, just not let them in the store at all?

      1. Anonymous Coward

        Re: Warning!

        No, no, that was Apple's idea..

        :)

    2. BartyFartsLast

      Re: Warning!

      Because that sort of testing costs money.

      1. Inventor of the Marmite Laser Silver badge

        Re: Warning!

        Isn't that kind of testing something an AI could do?

  2. herberts ghost

    A Google security rating -- REALLY?

    I note that as of this writing, they don't seem to certify NORTON or DuckDuckGo VPNs.

    It may also certify that it does not interfere with Google's tracking.

    This may be like the NSA certifying an encryption scheme. (Yes we can break in, but it is too hard for amatures.)

    Google "do evil!"?

    1. Lord Elpuss Silver badge

      Re: A Google security rating -- REALLY?

      *amateurs

  3. elsergiovolador Silver badge

    Hokey Cokey

    There is no "safe" VPN, unless you run it yourself and then that's subject to a lot of ifs.

    1. Altrux

      Re: Hokey Cokey

      Yep, a cheap hosted VPS cloud server running WireGuard should do the job for most people. Well, most geek people, obviously not 'normal' people!

  4. TheMaskedMan Silver badge

    "There is no "safe" VPN, unless you run it yourself and then that's subject to a lot of ifs."

    This. It's tough to know who to trust when it comes to VPNs. I suppose knowing who not to trust helps to narrow it down a bit.

    I see a lot of VPN sponsored YouTube videos, all claiming to be the only thing you'll ever need, but that alone makes me wary of them. One more thing to add to my research list... :/

    1. MachDiamond Silver badge

      "This. It's tough to know who to trust when it comes to VPNs."

      Torrent Freak does a survey of VPN providers and posts the responses they get back from their questionnaire. Yeah, it's no guarantee, but it does tell you something about the services they provide. The one thing they ask is if the company uses Google Analytics. That, for me, would be an automatic disqualification.

    2. Anonymous Coward

      This. It's tough to know who to trust when it comes to VPNs.

      Mullvad. IVPN. Proton*. That's pretty much it.

      If it requires any PIA to register/pay, it's out.

      If it does any sort of advertising or sponsorship that's also a hard pass.

      Basically, run your own (wireguard + pihole are easy enough to set up) or use one of the above and pay with crypto.

      *Proton is trustworthy/secure but requires PIA and has been known to comply with law enforcement. Caveat emptor.

      1. Anonymous Coward

        Re: This. It's tough to know who to trust when it comes to VPNs.

        *PII, as in Personally Identifiable Information, not PIA as in Pain In the Ass.

  5. Bebu Silver badge

    There is no "safe" VPN

    Probably the same applies to any software. Unless you can, and have the ability to, audit the source code and build the application in a known secure environment you are pretty much left to assign some level of trust to any particular application.

    Even if you were happy with the source and the build environment there are no guarantees and you haven't yet considered the run time environment. Also with VPN software there is trustworthiness of the peer network to consider and that of any intermediate systems.

    About the best I might be able to achieve is when I have UDP connectivity between two systems I control and run wireguard between those two. Pretty much anything else for me is a compromise. These days I don't think I would bother with anything other than wireguard based services - I quite liked OpenVPN but it is a very much larger chunk of code.

    As I understand both the Tailscale and Cloudflare VPN offerings are Wireguard based and from my limited experience appear to work reliably (Cloudflare doesn't do ping (icmp echo request/reply) which is initially a bit confusing.)

    1. Paul Crawford Silver badge

      Re: There is no "safe" VPN

      It comes down to who and what you are defending against. I often use a VPN just to make it that bit harder for advertisers and busybodies in local authority (not necessarily TLAs) to follow me, and also to have a relatively fixed IP address when travelling so I don't get pestered with 2FA and other annoyances to prove who I am every time.

    2. Snowy Silver badge

      Re: There is no "safe" VPN

      Yes, no matter how good the software is you have to remember you're running your connection through someone else's system and you have to trust them.

  6. Anonymous Coward

    Hmmm, seems there is some confusion here.

    When Google and most people say "VPN" they really mean a bundled service that provides access to <whatever> that needs its own "app" to work.

    Which isn't what I - and I would sincerely hope a majority of Regtards - would mean by it.

    If I say "VPN" I mean exactly that - a Virtual Private Network over the internet. Where it's the nature of its creating a tunnel that is key. Where to is slightly different.

    Case in hand is we run OpenVPN into our office for remote workers.

    1. david 12 Silver badge

      Re: Hmmm, seems there is some confusion here.

      Often by providing a "proxy", potentially with nothing "private" about the proxy connection other than network address translation.

  7. Anonymous Coward

    If you’re relying on cheap security

    You’re only sure to be saving money.

    1. Lord Elpuss Silver badge

      Re: If you’re relying on cheap security

      "You’re only sure to be saving money spending more in the long run to repair the damage."

      FTFY.

  8. Kevin McMurtrie Silver badge

    How about the classic switch?

    I presume Play Store will automatically update an audited app even if the new version is malware.

    1. Aleph0

      Re: How about the classic switch?

      Yes, and if you dare to turn off automatic updates in order to check whether an update is really a downgrade ("we're putting ads into the paid version of our app", my ass) the Play Store will pester you to no end, with a banner that takes up half of a phone's screen...

  9. Kevin McMurtrie Silver badge

    Google? Safety?

    All these scam VPN client apps exist because the built-in Android VPN client sucks. What is it even compatible with? I once spent two days trying different servers and never had a stable connection. Not even Google uses it for their VPN product.

    I've been using Wireguard on Android and liking it. Not usually for privacy, but for creating a stable virtual network when I'm at a place that is running NAT independently on each one of their WiFi access points.

    1. Altrux

      Re: Google? Safety?

      WireGuard's magic endpoint roaming is really its best killer feature. We use it extensively now, mainly because of that, and the general ease of configuration compared to the horrors of IPsec. But the ecosystem of tools around it is still very immature, which is a shame. We are building our own 'dashboard' to view and manage connected clients across multiple VPNs, but it's not production ready yet...

  10. Anonymous Coward

    PPTP L2TP

    Is this linked to Google pulling support for the above 2 from the native VPN client in Android 12 and onwards?

  11. Anonymous Coward

    Google wants to help Android users find more trustworthy VPN apps

    When the opening is 'Google wants to help...' I presume it's sarcasm?
