CSIRO: Most Android VPNs Aren’t Secure

A study by researchers from Data61/CSIRO, UC Berkeley, UNSW Sydney and UCSI finds that several popular VPN services on Android open up a variety of security holes, including JavaScript injection for ads and tracking services, and traffic redirection to commerce sites.

VPNs are useful for encrypting your web traffic or getting around regional restrictions. Most of these VPN services require a subscription, but many also offer free options. Researchers tested 283 different apps and found that many of those apps inject adware, trojans, malvertising or spyware. What they found was not great:

  • Eighteen per cent do not encrypt traffic
  • Eighty-four per cent leak user data
  • Thirty-eight per cent reveal malware or malvertising
  • Eighty per cent request access to sensitive data like user accounts or text messages

Unfortunately, the paper doesn’t go through a full ranking of all 283 apps it tested, nor does it rank the best or most secure services. It does at least go through the worst, which are shown in the table above, using a VirusTotal ranking system. This includes one we’ve mentioned before, Betternet.

The biggest problem here is that, in most cases, the researchers found that VPN providers other than Hola did not usually admit to injecting their own ads or forwarding traffic. When researchers reached out to the developers, many didn’t respond, while others simply confirmed that their free version injected code to show their own ads. Thankfully, some of the worst offenders, including the top three, have all been removed from Google Play.

It’s no secret that VPNs are shady and finding a good one requires actual effort, but this is a nice reminder that you should always do some research before using any type of security software. For what it’s worth, we’ve found Private Internet Access, SlickVPN, NordVPN, Hideman and Tunnelbear have all been reliable and transparent over the years. There’s also no reason to assume this is restricted to Android. iOS and desktop VPN apps likely have similar problems.

An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps (PDF) [via TorrentFreak]
