Free Mobile VPN Security Holes
Are you using a VPN (virtual private network) app on your mobile phone, with the understanding that it provides privacy and anonymity for your online activities? It may be having the opposite effect. An investigation of free mobile VPN apps reveals widespread potential privacy leaks, and even malware that can log users’ activity – the very thing a VPN is supposed to prevent. Read on to learn what problems were found and what VPN apps are free of them...
Problems With Free VPN Apps
I always try to translate technospeak into plain English, so let's start with a definition and an explanation. A VPN (Virtual Private Network) is a service that lets you access the Internet anonymously by routing your requests through a server that fetches information and relays it back to you. You tell the VPN what web page you want, the VPN fetches it, and sends it back to you. The website knows only that the VPN visited, not you. Not even your Internet service provider can see your online activity.
This investigation of free VPN apps was conducted by Metric Labs, Ltd., of London. The firm’s main business is the Top10VPN.com site, which helps users find a paid VPN service that meets their needs. Metric Labs makes commission money when a user buys VPN service, so it is not an independent source of information. But I believe their analysis is still worth heeding.
Metric’s investigation of the top 150 free VPN apps for Android found that about one in five apps contain code that may be malware, while one-quarter of the apps have user privacy bugs such as DNS leaks and location logging. There have been more than 260 million downloads of the top 150 apps worldwide.
DNS leaks were found in 38 of the 150 apps. Simon Migliano, chief security researcher for Metric, explained DNS leaks: “This security flaw occurs when a VPN fails to force DNS requests through its encrypted tunnel to its own DNS servers and instead permits the DNS requests to be made directly to the default ISP DNS servers. Even though the rest of a user’s traffic is concealed, such a leak exposes a user’s browsing history to their ISP and any third-party DNS server operator that it may use.”
If that still sounds a little geeky, let me explain further. A DNS (domain name service) request is used to translate a website name (e.g., www.google.com) into the numeric address needed to connect you to that site. A VPN should always cloak your DNS requests, but some are failing to do that, which can reveal to outsiders what sites you are visiting. And that's a privacy fail. A VPN is supposed to hide ALL of your activity.
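For readers who want to check this themselves, here is an added example (not from the Metric Labs report) that scans a packet capture for DNS lookups leaving the device outside the VPN tunnel. The capture lines are constructed in the style of `tcpdump -n -i any`, and the tunnel interface name `tun0` is an assumption; only plaintext DNS on port 53 is covered.

```python
import re

# Constructed capture lines in the style of `tcpdump -n -i any`, where the
# interface and direction precede the protocol. tun0 is assumed to be the VPN.
SAMPLE_CAPTURE = """\
12:00:01.100000 tun0  Out IP 10.8.0.2.40112 > 10.8.0.1.53: 4121+ A? news.example. (30)
12:00:01.900000 wlan0 Out IP 192.168.1.23.51820 > 203.0.113.10.1194: UDP, length 96
12:00:02.300000 wlan0 Out IP 192.168.1.23.41877 > 192.168.1.1.53: 9033+ A? bank.example. (30)
12:00:02.350000 wlan0 In  IP 192.168.1.1.53 > 192.168.1.23.41877: 9033 1/0/0 A 198.51.100.7 (46)
12:00:03.000000 wlan0 Out IP 192.168.1.23.41878 > 192.168.1.1.53: 9034+ AAAA? clinic.example. (32)
"""

# timestamp, interface, direction, "src > dst.port:", then the decoded payload
LINE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP6?\s+"
    r"\S+\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)
# tcpdump prints a DNS question as "<type>? <name>."
QUERY = re.compile(r"\s(?:A|AAAA|HTTPS|PTR)\?\s+(\S+)")


def find_dns_leaks(capture, tunnel_iface="tun0"):
    """Return (interface, resolver, name) for every outbound DNS query that
    left the device on an interface other than the VPN tunnel."""
    leaks = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or m["dir"] != "Out" or m["dport"] != "53":
            continue  # not an outbound packet to a DNS port
        q = QUERY.search(m["rest"])
        if q and m["iface"] != tunnel_iface:
            leaks.append((m["iface"], m["dst"], q.group(1).rstrip(".")))
    return leaks


if __name__ == "__main__":
    for iface, resolver, name in find_dns_leaks(SAMPLE_CAPTURE):
        print(f"LEAK: {name} asked of {resolver} via {iface}")
```

In the sample, the encrypted tunnel traffic on port 1194 reveals nothing, but the two lookups sent over wlan0 show the local resolver exactly which sites were requested.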
The 150 apps were uploaded to VirusTotal, a service that uses 60 antivirus engines to detect sketchy code. Twenty-seven of them (18%) tested positive for potential viruses or malware.
Intrusive permissions were requested by a majority of the free VPN apps. “None of these permissions is necessary for the core functions of a VPN and each has the potential for privacy abuses,” says Metric Labs’ report. The permissions most often found involved reading/writing of external storage, accessing location data, and reading a device’s state including its phone number, whether a call is in progress, and the phone number being called.
Privacy-risking Java commands and functions were found in many free VPN apps. These functions, according to Metric Labs, serve no obvious purpose in a VPN and could be exploited to invade privacy. Examples are getLastKnownLocation (found in 87 apps), java/lang/Runtime;->exec (48 apps, executes system commands), and getDeviceId (45 apps, reads device’s phone number, operating system version, and other info).
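The two checks described above (intrusive permissions and risky function calls) can be reproduced on a decompiled app. This is an added example, not Metric Labs' tooling: it assumes the manifest and smali code have already been decoded to text, the mapping from the report's permission categories to Android permission names is my own, and the sample app is constructed.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of the report's permission categories to Android names.
INTRUSIVE_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "external storage",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_PHONE_STATE": "phone state",
}
# The three functions named in the article, as smali method references.
RISKY_CALLS = {
    "Landroid/location/LocationManager;->getLastKnownLocation": "getLastKnownLocation",
    "Ljava/lang/Runtime;->exec": "Runtime.exec",
    "Landroid/telephony/TelephonyManager;->getDeviceId": "getDeviceId",
}

# Constructed inputs for a hypothetical app, com.example.freevpn.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application><service android:name=".Tunnel" android:permission="android.permission.BIND_VPN_SERVICE"/></application>
</manifest>"""
SAMPLE_SMALI = """
    invoke-virtual {v0, v1}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
    const-string v3, "Ljava/lang/Runtime;->exec is only mentioned in this string"
    invoke-virtual {v2}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
"""

# Only real invoke instructions count; a name inside a string constant does not.
INVOKE = re.compile(r"^\s*invoke-[\w/-]+\s+\{[^}]*\},\s+(\S+?)\(")

def audit(manifest_xml, smali_text):
    """Return the intrusive permissions requested and the risky calls made."""
    root = ET.fromstring(manifest_xml)
    perms = sorted(p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")
                   if p.get(ANDROID_NS + "name") in INTRUSIVE_PERMISSIONS)
    calls = set()
    for line in smali_text.splitlines():
        m = INVOKE.match(line)
        if m and m.group(1) in RISKY_CALLS:
            calls.add(RISKY_CALLS[m.group(1)])
    return {"permissions": perms, "calls": sorted(calls)}
```

Neither INTERNET nor BIND_VPN_SERVICE is flagged, since a VPN app needs both to do its job.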
While it’s tempting to name and shame the free VPN apps that have major flaws, it seems more constructive to highlight apps that do not. Below are some apps that had no leaks, virus/malware infections, intrusive/risky permissions, or privacy-risking Java code. You can read the full report here.
The apps on this list are not guaranteed to be 100% safe. They may be, but they may also harbor other flaws. Last November, Metric Labs revealed that more than half of the top 20 VPN services are run by secretive, Chinese-owned companies with weak or non-existent privacy policies. Several of those privacy policies explicitly stated that they DO share data with China!
Are paid VPN services any better? Metric Labs did not test the apps of any paid services, so we don’t know. But Metric’s report on free VPN apps proves that you get what you pay for.
Personally, I don't feel the need to use a VPN app on my phone. Almost all websites use HTTPS for encrypted connections, so I'm not worried about someone intercepting my emails or online banking information. The only added privacy a VPN would provide is to hide my actual IP address from the websites I visit, and I'm not concerned about that either.
A VPN service can be used to get around blocks imposed by content providers or the user's own government. Netflix and Hulu Plus, for example, do not allow connections from outside the USA. So users in other countries have used VPNs located in the USA to gain access. Users in China are forbidden from accessing many "Western" websites such as Twitter, YouTube, and Facebook. By using a VPN server, they can (sometimes) get around those blocks.
Do you use a VPN? If so, why? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 24 Jan 2019
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Free Mobile VPN Security Holes (Posted: 24 Jan 2019)