VPN on Android means 'Voyeuristic Peeper Network' in many cases

A worrying number of VPN apps for Android mobile devices are rife with malware, spying, and code injection, say researchers. A study [PDF] from CSIRO Data61 in Australia, the University of New South Wales in Australia and the University of California at Berkeley found that Android apps advertising themselves as VPN clients …

  1. Anonymous Coward
    Anonymous Coward

    Another log on the fire.

    "82 per cent of the VPN apps requested permission to access sensitive data on the device, such as SMS history."

    So, 18 per cent less than other Android apps? I know 82% should seem horrible, but it doesn't.

    This is from that .pdf, which might be of interest to some...

    "Two of the analyzed VPN apps actively block ads and analytics traffic by default on our tested websites: Secure Wireless and F-Secure Freedome VPN. The apps did not explicitly mention ad-blocking feature in the Google Play store listings. An analysis of the decompiled source code, using ApkTool, revealed that F-Secure Freedome VPN app blocks any traffic coming from a pre-defined list of domains associated with web and mobile tracking including Google Ads, DoubleClick, and other popular tagging/analytics services such as Google Tag and comScore."

    1. paulnick2

      Re: Another log on the fire.

      "82 per cent of the VPN apps requested permission to access sensitive data on the device, such as SMS history."

      Really? I don't think my VPN provider PureVPN is accessing my sensitive data. They have mentioned in their official policy page that they don't keep logs of users' data.

      1. James 51

        Re: Another log on the fire.

        That's a paid-for service. I just checked and it works with no permissions enabled.

      2. Montreal Sean

        Re: Another log on the fire.

        My paid-for provider doesn't collect data either, and when it comes to running on my Android it provides a config file for OpenVPN.

  2. This post has been deleted by its author

  3. John Smith 19 Gold badge
    Unhappy

    The Google App store. Your guarantee of

    what exactly, beyond Goggle having their cut of the money?

    1. Anonymous Coward
      Anonymous Coward

      Re: The Google App store. Your guarantee of

      Your guarantee that the permissions listed are the permissions requested. I remember when these same security "experts" criticised Android's fine-grained security model, all the time, whilst some just let you read your phone contacts and upload them in the background...

      http://www.digitaltrends.com/apple/all-your-contacts-are-belong-to-us-what-apps-are-uploading-your-address-book-and-why/

  4. Mage Silver badge
    Big Brother

    Reviews?

    How many people clued up on what an App is really doing write reviews?

    You almost need a spare phone with diagnostic tools to test Playstore Apps?

  5. Anonymous Coward
    Anonymous Coward

    How do you think those "free" VPN services pay for it?

    Of course they're harvesting your data. You have to find a service that you pay for first and foremost; anyone thinking a free VPN service is a good option deserves what they get.

    Why does Google even allow apps that want to grub around in your SMS messages (for example) when they have no reason to? They ought to categorize apps, and apps in the "VPN" category should be limited in what permissions they ask for. No reason they should access SMS, phone, pictures, etc. for instance. Obviously they aren't able to police things very well now based on these study results.

    1. AegisPrime
      Black Helicopters

      Re: How do you think those "free" VPN services pay for it?

      Exactly - I don't often read privacy policies (since I assume most of the time my personal data's going to be sold to the highest bidder irrespective of the service) but with VPNs it's worth reading the fine print - Tunnello (a free VPN) has got terrific feedback from users but they log your activities on their service - all you're really getting is 'free' IP spoofing. Caveat emptor.

    2. Filippo Silver badge

      Re: How do you think those "free" VPN services pay for it?

      What we would really need is the ability for a third option for each app beyond "allow" or "deny". The third option would be "provide dummy values". Sure, nosy app, you can look at my SMS history, phone status, and emails - only, you'll find I have never received or sent an SMS, my address book is empty, my phone is never used and never rings, and I have no email accounts. I don't think you'll stop working because of this.

      1. Paul Crawford Silver badge
        Trollface

        Re: How do you think those "free" VPN services pay for it?

        Better still, fill your dummy address book, etc, with entries to the NSA, FSB, etc, and see how they get on trying to sell/use that information for advertising :)

    3. AndyD 8-)₹

      Re: How do you think those "free" VPN services pay for it?

      "Of course they're harvesting your data"

      ... whereas Google themselves .........

  6. Your alien overlord - fear me
    Childcatcher

    Just goes to show - trust no one, they are just trying to ensnare you. Especially on the Play Store.

  7. Anonymous Coward
    Anonymous Coward

    Free?

    What kind of idiot would use a FREE VPN? They have to pay for development somehow...

    The most friendly of the free apps would block and substitute their own ads in the traffic. It could only get worse from there...

    I wonder how many of these Free apps are funded by security agencies. If you look at the terms of service, I bet any of a reasonable length are... they probably call themselves "publicly funded".

    Funny.

    1. Paul Crawford Silver badge

      Re: Free?

      "I wonder how many of these Free apps are funded by security agencies"

      Never attribute to malice that which can be adequately explained by stupidity.

      Really the TLA have little to worry about if this paper's review of VPN apps is anything to go by: the vast majority fail on the most fundamental security issues (e.g. encryption, DNS & IPv6 leaks) so provide little problem for them, but possibly do enough to get past content-blocking, which is probably a main motive for most folk.

      1. P. Lee

        Re: Free?

        >Never attribute to malice or stupidity that which can be adequately explained by greed.

        FTFY

        Isn't monkeying around with your data the whole point of the retail IT industry?

        Hello mobile, meet my barge pole. No, you can't touch it.

        The false data idea is my favorite, especially if we can link it to the FBI's most wanted list.

        1. Charles 9

          Re: Free?

          Except they'll probably just whip up ways to tell the fake data from the real stuff and go, "Naughty naughty, no lying to me!"

  8. Number6

    While it's not anonymous as such, I run my own VPN using a VPS so I can tunnel to it from anywhere. It's enough to make life difficult for anyone wanting to eavesdrop when I use public wifi because I have control over the encryption on the wifi part. It was also of limited use in China, not being a recognised endpoint.

  9. Aristotles slow and dimwitted horse

    I don't understand...

    When taking into account the reasons for using a VPN I really don't understand the logic behind using free VPN components when it seems so blatantly obvious that it will have been compromised by design in some element of its service. More so when you can buy a perfectly good secure service that integrates with the OpenVPN client for absolute peanuts.

    I pay 30 euros every six months for mine which if my maths is correct is approximately £4 per month at current exchange rates.

    1. Charles 9

      Re: I don't understand...

      $60/yr is the rate for my VPN plan. I like it because it's a fixed IP, allows port forwarding, and they even throw in SOCKS5 and other proxies gratis.

  10. Anonymous Coward
    Anonymous Coward

    Simple.

    $5 Digital Ocean Instance in country of your choice.

    SSH Tunnel from phone using one of the many many apps.

    IPTables config to block known ad flingers.

    Done.

    You don't need a VPN at all.

    1. Charles 9

      Re: Simple.

      IPtables requires root, and since root can break apps, that's not an option for some of us. In which case the VPN route is the only one available.

    2. Number6

      Re: Simple.

      "$5 Digital Ocean Instance in country of your choice."

      If you've got a VPS then you can run an OpenVPN server on it and avoid the SSH tunnel. If you arrange to send everything from the phone over the tunnel then no need to mess with iptables either.
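A concrete form of the VPS-side step described in the "Simple." post and Number6's OpenVPN variant above (block "known ad flingers" on the box that terminates the phone's tunnel), as an added example that is not from any commenter on this page: it turns a blocklist into iptables rules, printed for review rather than applied. The blocklist format is my own assumption, and the addresses are constructed TEST-NET placeholders, not real ad networks.

```shell
#!/bin/sh
# Added example (not from the page): turn a blocklist into iptables rules for the
# VPS that terminates the phone's tunnel. Rules are printed, not applied, so they
# can be reviewed first; run the output as root to apply it.
#
# Blocklist format (an assumption for this example): one IPv4 address or CIDR per
# line, '#' starts a comment, blank lines are ignored.

# Constructed sample using TEST-NET ranges; these are documentation addresses,
# not real ad or tracking networks.
SAMPLE_BLOCKLIST='# constructed sample blocklist
192.0.2.0/24        # ad network A
198.51.100.17       # tracker B
not-an-address      # malformed entry: must be skipped, never emitted

203.0.113.0/25      # analytics C'

# gen_block_rules: read the blocklist on stdin and print one REJECT rule per
# address for both chains a tunnel endpoint uses:
#   OUTPUT  - traffic that leaves the VPS itself (ssh -D / SOCKS tunnel exits here)
#   FORWARD - traffic routed through the VPS (OpenVPN with redirect-gateway)
# REJECT with an ICMP error rather than DROP, so apps on the phone fail fast
# instead of hanging on a connection that will never complete.
gen_block_rules() {
    while IFS= read -r line; do
        # strip the comment and surrounding whitespace
        entry=$(printf '%s\n' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$entry" ] && continue
        # accept only dotted-quad addresses with an optional /prefix
        case "$entry" in
            *[!0-9./]*) printf 'skipping malformed entry: %s\n' "$entry" >&2; continue ;;
        esac
        for chain in OUTPUT FORWARD; do
            printf 'iptables -A %s -d %s -j REJECT --reject-with icmp-admin-prohibited\n' \
                "$chain" "$entry"
        done
    done
}

# count_block_rules: number of rules the sample produces (two per valid entry).
count_block_rules() {
    printf '%s\n' "$SAMPLE_BLOCKLIST" | gen_block_rules 2>/dev/null | wc -l | tr -d ' '
}

# Run as a script to review the rules; apply with:  sh thisfile.sh | sudo sh
printf '%s\n' "$SAMPLE_BLOCKLIST" | gen_block_rules
```

For the OpenVPN variant the FORWARD rules only matter once IP forwarding is enabled on the VPS; for an SSH SOCKS tunnel only the OUTPUT rules are exercised.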

  11. Graham Marsden
    Alert

    "Google should [...]

    "set stricter limits on what apps are able to do in Android."

    FTFY

    Too many apps demand ridiculous levels of access saying "either you agree or you can't use this app".

    The user should have control over what they can do and on a case-by-case basis if they want.

    1. Charles 9

      Re: "Google should [...]

      Thing is, the seller (developer) should never be compelled to sell. If they want to make it a Hobson's Choice, that's the discretion of the seller. Don't like it? Just don't use it.
