Beware: Most Mobile VPNs Aren’t as Safe as They Seem
Between an industry-wide push to encrypt all web traffic and the newfound popularity of secure chat apps, it’s been a boom time for online privacy. Virtual private networks, which shield your web traffic from prying eyes, have rightly garnered more attention as well. But before you use a VPN to hide your online shopping from the IT department at your company—or help protect yourself from state surveillance—know that not all mobile VPNs are created equal. In fact, some are actively harmful.
VPNs offer an array of potential privacy and security benefits, because they put another server between websites and your device. You can use VPNs to conceal the location revealed by your IP address; one common use before a recent crackdown was to access regional content, like US Netflix, from countries with lesser libraries. Ideally, a VPN funnels all your traffic through an encrypted, secure, private network, making it more difficult for a third party to monitor your browsing than if your data were exposed on a public network.
It all sounds great, but isn’t always so rosy practice. That’s because using a VPN grants the company behind it extensive access to your data at the same time that it hides the stream from everyone else. Depending on a VPN’s logging practices and privacy policy, it may be willing and able to turn your browsing history over to law enforcement, or could even sell customer data to marketing services and ad networks. Even worse, malware masquerading as a VPN could do real damage by concealing malicious activity on your device behind a veneer of security protection.
“These days, many people know what a VPN is and what they can do with one,” says Kevin Du, a computer security researcher at Syracuse University and IEEE senior member. “Not many people know what a bad or flawed VPN can do to their devices, because they don’t know how VPN works.”
Trust Falls
VPNs have been around for years, as have their attending trust issues. But while previously VPN enthusiasts were mostly a core base of desktop users, the mobile boom and app store accessibility has created an explosion in mobile VPN offerings. And while some are genuinely looking to offer security and privacy services, plenty do more harm than good.
In a recent in-depth analysis of 283 mobile VPNs on the Google Play Store from Australia’s Commonwealth Scientific and Industrial Research Organization, researchers found significant privacy and security limitations in a majority of the services. Eighteen percent of the mobile VPNs tested created private network “tunnels” for traffic to move through, but didn’t encrypt them at all, exposing user traffic to eavesdropping or man-in-the-middle attacks. Put another way, almost a fifth of the apps in the sample didn’t offer the level of security that’s basically the entire point of VPNs.
Meanwhile, 84 percent of the apps didn’t properly encrypt traffic between sites using the most recent version of the Internet Protocol. And though two-thirds of the apps in the study specifically marketed themselves as enhancing user privacy, 75 percent of those used third-party data tracking libraries, and 82 percent asked for user permission to access additional personal data on devices like text messages.
All of those high percentages add up to one concerning truth: There are more problematic mobile VPNs in Google Play than good ones. The researchers say that Google plans to investigate their findings. Google did not respond to a request from WIRED for comment.
“The apps in our study were used by tens of millions of people around the world,” says CSIRO Data61 researcher Dali Kaafar. “It is crucial to understand that an app that requests a VPN permission will have full control and visibility over the internet traffic of the user and literally can do anything with it once the VPN tunnel is set.”
That means users of bad VPNs aren’t just vulnerable to snooping, Kafar says. “You can easily imagine what a misbehaving or a malicious app could do in terms of redirecting user traffic, injecting malicious code, accessing sensitive information etc.”
“Free” Will Cost You
For consumers and organizations trying to improve their security by using a VPN (shielding their web traffic from potentially malicious snooping) and/or guarding their privacy (making it more difficult for government or other entity to know what they do and say online), it’s hard to know where to turn. They probably don’t have the technical skills to analyze a service for potential flaws. And some VPN company claims—like the important question of whether a service logs data about each of its users that could later be accessed by a third party—are basically impossible to verify.
One quality indicator is whether a VPN is free or costs money to use. The question with free VPNs, as with all free apps, is whether their business model involves capturing and selling user data. “The economics didn’t make much sense because when you start looking at these applications, most of them are free but maintaining online infrastructure is actually very expensive,” says Narseo Vallina-Rodriguez a researcher at the International Computer Science Institute who worked on the study.
Even using paid VPNs instead of free ones doesn’t guarantee reliability, though. While paid VPNs may have less incentive to sell user data, that still doesn’t necessarily mean they implement the strong security and privacy protections users expect. Experts recommend choosing a VPN that’s well-known, is developed by a reputable company or group, has a good public security track record, and at least makes an effort to be transparent about its priorities, goals, and privacy policy.
The good news is that the CSIRO researchers did find some gems. They specifically lauded F-Secure Freedome, an app that encrypts what it says it will and offers quality ad-blocking to boot. Sure, it’ll cost you $6 per month. But online privacy is like anything else in life: You get what you pay for.