How Secure Is Your Android VPN App?

Andrew Orr In the News

A research paper [PDF] from the University of California and Commonwealth Scientific and Industrial Research Organisation (CSIRO) analyzed a group of Android VPN apps. They found that these particular apps had privacy and security issues.


More people are starting to realize the benefits of using a virtual private network. But without a lot of tech knowledge, it’s easy to assume that all VPNs are created equal. They are not, as this analysis shows. Additionally, it’s rare for a VPN to be free and protect user privacy. VPN services need to make money to continue operating. Some companies offer a free app while collecting user data to sell to advertisers.

In summary, a VPN protects a user’s IP address as they browse the web. Web traffic passes through the VPN server instead of going directly between the user and the website. The research team analyzed over 280 Android VPN apps, examining them for privacy and security issues. Their results show that many free and premium VPN apps on Android are insecure.

VPN App Chart

Key Findings
  • 67% of Android VPN apps say they will protect user privacy. 75% of those apps use third-party tracking libraries, and 82% asked for system permissions like accessing SMS messages.
  • 37% of these apps had over 500k downloads, and 25% had at least 4-star ratings. Over 38% of the apps had signs of malware as shown on VirusTotal.
  • 18% of the apps use tunneling protocols without encryption.
  • 66% of these apps didn’t tunnel DNS traffic.
  • 18% of the VPN apps didn’t reveal “the entity hosting the terminating VPN server,” while 16% of the apps might end up forwarding traffic using peer-to-peer forwarding.
  • 16% of the VPN apps deployed non-transparent proxies that modified HTTP traffic, such as injecting or removing headers. Two apps injected JavaScript for ad and tracking purposes.
  • Four of the apps performed TLS interception.

As you can see, these VPN apps aren’t telling the full truth when they claim to protect their users’ privacy and security. The researchers say that Google needs to reevaluate the VPN permission model on Android. For example, the BIND_VPN_SERVICE permission breaks Android’s sandboxing.

VPN Comparisons

What About LiquidVPN?

Unlike these apps, LiquidVPN doesn’t track users, skimp on encryption, forget to tunnel DNS traffic, install malware, read your SMS messages or modify your host headers. LiquidVPN is based on OpenVPN, which is an open-source VPN implementation that many reputable VPN companies use. LiquidVPN requires fewer permissions than even the standard OpenVPN app. The only permissions the LiquidVPN app requires are:

  • View Network Connections
  • Full Network Access
  • Run at Startup

These permissions are required for the LiquidVPN app to work. It can run on startup so that you are automatically connected to a VPN whenever possible. And it needs network access and connections to tunnel your web traffic to our servers. LiquidVPN is not free but you get what you pay for. If you’re interested, try LiquidVPN today.
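The permission findings and the three-permission list above can be checked against any app's decoded manifest. The script below is an added example, not code from the research paper or from LiquidVPN: it assumes the manifest has already been decoded to text XML, that the three Play Store labels map to the Android permission names in `BASELINE`, and it uses a constructed sample manifest with a hypothetical package name.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
VPN_BIND = "android.permission.BIND_VPN_SERVICE"

# Assumed mapping of the three permission labels listed above.
BASELINE = {
    "android.permission.ACCESS_NETWORK_STATE",    # View Network Connections
    "android.permission.INTERNET",                # Full Network Access
    "android.permission.RECEIVE_BOOT_COMPLETED",  # Run at Startup
}

# Constructed sample manifest for illustration; not taken from a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>
"""

def audit_manifest(manifest_xml):
    """Report VPN services and any permissions beyond the baseline set."""
    root = ET.fromstring(manifest_xml.strip())
    requested = {
        el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
    }
    requested.discard(None)
    # A VPN app declares a service protected by BIND_VPN_SERVICE.
    vpn_services = [
        svc.get(ANDROID_NS + "name")
        for svc in root.iter("service")
        if svc.get(ANDROID_NS + "permission") == VPN_BIND
    ]
    return {
        "package": root.get("package"),
        "is_vpn_app": bool(vpn_services),
        "vpn_services": vpn_services,
        "extra_permissions": sorted(requested - BASELINE),
    }

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

An entry in `extra_permissions` is a prompt to ask why a VPN client needs it, not proof of abuse.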