
Privacy and Security Risks of Android VPN Permission-enabled Apps - sohkamyung
https://blog.csiro.au/tinker-torrentor-streamer-spy-vpn-privacy-alert/
======
terrywang
People should NOT trust free VPN services at all: as you don't pay, level of
service is not guaranteed. What's worse, who knows what the service provider is
doing with the data flowing through the tunnels to cover the operational
cost (and goal for profits)?

Install and configure your own VPN services (IPsec or OpenVPN), using strongSwan
(Android native client which works great with RSA authentication with x509
certs, and now supports importing VPN profiles in JSON format, cool) and OpenVPN.

Several past discussions on Hacker News to start with:

- [https://news.ycombinator.com/item?id=13351211](https://news.ycombinator.com/item?id=13351211)

- [https://news.ycombinator.com/item?id=13425728](https://news.ycombinator.com/item?id=13425728)

~~~
daurnimator
> People should NOT trust free VPN services at all, as you don't pay level of
> service is not guaranteed.

The corollary is that ones you pay for should not be trusted either: a service
can both take your money _and_ insert ads.

huh.... reminds me of pay/cable tv....

~~~
terrywang
Actually, I missed this point. Thank you for pointing out ;-)

I think that's why more and more open source tools (scripts or automation
{cook,play}books, etc.) have been made available to enable people to self
serve and build their own VPN service ;-)

~~~
laumars
The problem with personal VPN services is that it can be pretty trivial to
reverse who the traffic is coming from (eg by requesting the billing address
from the VM hosting provider).

This may not be an issue for some people, and for those who it is an issue for,
there are ways around it (I'll leave that part of the post for someone more
experienced than I, as I don't want to risk giving out bad advice). But it's
worth bearing in mind when signing up for a VPS with a view to running a VPN.

~~~
leni536
And your VM hosting provider can still MITM you.

~~~
laumars
I think that's pretty unlikely to be honest, or at least easily avoided.
There are enough reputable hosting providers out there (Amazon, Google,
Microsoft, OVH, Digital Ocean, etc. etc.) that there isn't really any excuse for
signing up with a provider who does MITM your VM's traffic.

That all said, I'm not excluding the possibility of providers logging network
connections passively. The way around that is to run more than one VPN; that
way any particular provider only has visibility of either the destinations but
not the source, or the source but not the destinations. I'm not recommending
that people _need_ or _should_ run two VPNs though, just adding it as a
workaround against passive snooping by hosting providers.

------
astrobase_go
From TFA:

> We test individually each one of the 150 VPN apps under consideration.

> Two people executed a total of 5,340 tests manually for three months and
> connected to all end-points mentioned in the GUI of a given VPN app.

Okay, that's brilliant, but I'd love to see the actual data as well. Even if
it's impractical to include the data in an appendix (page number limitations
in the published work, et cetera), hosting it online and linking to it in the
article would be great.

I'm a scientist and geek. Show me the data!

------
angry_octet
It is no surprise that 'free' VPNs don't work or compromise security.

Would be good to see the actual list of VPNs that comply with basic security
requirements.

~~~
resfirestar
TorrentFreak maintains a list of providers that responded to a questionnaire
about anonymity, including one about encryption used:
[https://torrentfreak.com/vpn-anonymous-review-160220/](https://torrentfreak.com/vpn-anonymous-review-160220/)

Personally, I prefer the "roll your own" approach mentioned above. A VPS from
DigitalOcean or something beats most providers' pricing.

~~~
gog
There is no anonymity if you roll your own.

The whole idea of VPN providers is that a lot of users have a connection to
the same server so it's hard to monitor who talks to who.

~~~
throwanem
Perhaps you're confusing VPNs with Tor. The latter seeks to provide anonymity;
the former protects traffic traveling over a potentially untrustworthy
network. Sure, a lot of folks seem to use VPNs lately as just a proxy to
bypass geoblocking or whatever, and that works if the upstream endpoint is in
the right place, but that's no reason to get confused about what the tool
under discussion actually is able to do.

~~~
gog
I am not confused; there are just more cases.

A lot of people are using VPN providers to download illegal content via
torrents. And in case there are no logs on the servers (which most providers
advertise), the copyright holder has no way of knowing who you are, since they
only see that the traffic is coming and going from the provider's IP address.

~~~
throwanem
Those people are in for a series of nasty surprises if copyright enforcement
ever grows teeth, because whoever's providing such a VPN service with backhaul
certainly has enough information to tie them to their activity.

~~~
gog
If they don't store logs they don't have enough information. That is the
reason why a lot of companies that provide this service are incorporated in
countries that don't require them to do so.

~~~
throwanem
I can run a VPN service and not store logs. I can't prevent whoever sells me
that service's bandwidth from storing logs, which they likely will do for
troubleshooting purposes if nothing else.

------
exclusiv
Why would you need a third party app on Android? I just use the native VPN
support over ipsec. Or are people using them for older Android installs?

~~~
pimeys
What I've noticed is that if you pay for a premium service, the apps keep the
connection up way better and offer nice features, like switching your country
from an easy menu.

That being said, I've been quite happy with
[http://privateinternetaccess.com/](http://privateinternetaccess.com/). A good
Android client, fast, doesn't ask for any personal information when you register,
they say no logging, the Android app doesn't ask for any permissions and so on. I
can choose the key length and additionally block all connections if the VPN is
not connected.

~~~
dcdevito
I agree, PIA is fantastic, been using it for years. Works great on mobile, I
use it on my Android phone and iPhone.

------
sohkamyung
Paper (PDF) at [1]

[1] [https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf](https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf)

------
homulilly
Looked at the report to see if they'd reviewed TorGuard and apparently they...
don't realize it's a VPN service and think it's related to the onion router.
Kinda undermines their credibility a bit if they can't even identify the
tools they're auditing properly.

~~~
nl
Actually, their report is much more credible because they note the difference
between TorGuard (and a few similar apps) vs. normal VPNs. To actually quote
the report[1]:

_67% of Android VPN apps claim to provide traditional VPN services (labeled
here as "VPN clients") including enhanced security and privacy, anti-
surveillance or tunnels to access geo-filtered or censored content. Note that
we consider Tor clients (e.g., Orbot, Globus VPN and TorGuard VPN client) as
a separate category._

That seems a pretty fair distinction.

Notably, the report doesn't include the word "onion" in it at all, so I'm not
sure where you got "[they] think it's related to the onion router" from.

[1] [https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf](https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf)

~~~
ajdlinux
Tor == "The Onion Router".

TorGuard == something completely unrelated to Tor. Per the TorGuard website
([https://torguard.net/faq.php](https://torguard.net/faq.php)):

"Is TorGuard related in any way to the "tor" project? No. The reference to
"tor" in TorGuard relates to "torrents" and guarding one's privacy when using
bittorrent. We are not related in any way to the "tor" project; however, the
company does support it through donations."

Orbot, OTOH, is part of the Tor Project
([https://www.torproject.org/docs/android.html.en](https://www.torproject.org/docs/android.html.en))
and Globus
([https://play.google.com/store/apps/details?id=com.globus.vpn...](https://play.google.com/store/apps/details?id=com.globus.vpn&hl=en))
claims to support Tor.

~~~
nl
Well that's... stupid.

Ok, I entirely agree they (and I) are wrong. But obviously I'm going to take
the position that it isn't unreasonable to think something called "TorGuard"
has something to do with Tor.

~~~
homulilly
If you're just doing a Google search then yeah, it's reasonable. It's less so
when you're a professional who's supposed to be an expert on these things. If
you can't spend more than 5 seconds double checking the accuracy of your
research, why should I trust it?

------
CSDude
As far as I know, the Android VPN API does not expose setting up IPsec or IKEv2;
it just creates a TUN device and forwards all the IP packets to you, and it is
up to you to handle them, therefore most devs, I guess, just send the packets
without encrypting. This does not mean they should be insensitive, but it is
not surprising that most people have chosen the easy way. I guess iOS allows
setting IPsec and IKEv2 VPN profiles, but I did not try it. And, to actually
create TUN-device-like functionality, it requires manual permission from
Apple, as OpenVPN did.

------
kebolio
Many I know who have recently started using these free VPNs only do so to
skirt content filtering on free wireless networks. They do not have any
expectation of security or privacy and are not conscious of the possibility of
their traffic being collected or inspected by a rogue third party.

------
scandox
Slightly off topic, but I'd be interested while I have the VPN people here to
hear opinions about Softether. I've been using it for a while and like it. But
I can't get much independent information about it from a security point of
view.

~~~
chatmasta
I once looked extensively into Softether. It's the work of a Japanese
professor and his lab. It's over a million lines of code because it squeezes
different VPN protocols into one server. IIRC it might even require some
binaries as a prerequisite to installation. Nobody has ever audited its source
code (how could they? it's a million+ lines), and it has not been popular long
enough to have faced serious scrutiny.

I would assume it to be insecure against a motivated attacker.

~~~
scandox
That's interesting. Guess that might be a problem for the people who use
[http://www.vpngate.net/en/](http://www.vpngate.net/en/), which I know the
Softether guys created expressly to help people circumvent government-level
firewalls.

------
mwexler
They don't really mention anything about Opera VPN... but they do call out
its previous incarnation, SurfEasy, for the use of tracking/ad libraries. I
wonder if the current Opera-branded version has removed those or not...

------
raverbashing
I wonder what the breakdown is between free and paid apps.

But yeah, "free VPN" sounds exactly like "free credit card check".

------
gcb0
Considering 99% install a VPN on Android for two reasons:

1. bypass content restrictions by geoip (e.g. Pandora, Netflix)

2. a VPN that is just a local traffic monitor to tweak iptables(?) and block
apps from using the network (to download ads) (e.g. NetGuard)

------
akjainaj
> Only less than 1% of the negative reviews relate to security and privacy
> concerns, including the use of abusive or dubious permission requests and
> fraudulent activity, for the 9 apps listed in Table 7.

Of course. People don't install these VPN apps because they want their traffic
to be "secure" or "private". They install them because they want to bypass
geographical restrictions for content.

Nobody cares about traffic being insecure, or ads being injected in pages;
users just want to see that geolocked video and get on with it.

------
dcdevito
TL;DR: Get yourself a good, paid VPN service.

------
necklace
Wait, there are people who don't use OpenVPN when they set up VPN on Android?
Nice.

