Tinker, Torrentor, Streamer, Spy: VPN privacy alert

By Kate Winckworth

25 January 2017

Virtual Private Networks aren’t as private as the name suggests.

Have you ever been spied on? Or worse, maybe you have and don’t even know it.

Whether it’s the Peeping Tom lurking in the bushes or Big Brother monitoring our every move, the thought of being followed makes us uncomfortable (and a tad paranoid).

Privacy is important to us – both our physical and virtual privacy, that is. Our online identities are extremely valuable; however, our ability to control who sees what is limited.

With more personal information being collected than ever before, people are seeking to secure and anonymise their data.

You may have heard of this thing called a VPN – Virtual Private Network? No doubt you won’t need much schooling on what a VPN is if you are: a) a regular torrent user or b) a sports enthusiast trying to watch the latest game behind a region-restricted paywall.

But now that mobile phones are essentially mobile computers, millions of users worldwide are turning to mobile VPN apps to hide their browsing activity, access region-restricted content and ensure their data is secure when using public Wi-Fi networks.

A report we recently published with the University of New South Wales and the University of Berkeley has revealed that these apps are not as secure as they make out to be.

The first analysis of its kind, the report looked at 283 Android VPN apps, investigating a wide range of security and privacy features.

Alarmingly, the report uncovered that not only did 18 per cent of the apps fail to encrypt users’ traffic, but 38 per cent injected malware or malvertising – software designed to damage or gain access to the users’ information. Protecting their data is the very reason users install these apps, yet it is the very function the apps are not performing, and these apps have been installed by tens of millions of users.

And what’s more, the report found that over 80 per cent of apps requested to access sensitive data such as user accounts and text messages.

While most of the examined apps offer (some form of) online anonymity, some app developers deliberately sought to collect personal user information that could then be sold on to external partners.

Ironically, the report found that less than 1 per cent of users had any security or privacy concerns about these apps.

Our Professor and Senior Principal Researcher in Online Privacy and Security, Dali Kaafar, explained that the findings of the study were shared with developers whose apps displayed security shortcomings.

“Several of them [app developers] took actions to fix the identified vulnerabilities. Some apps were even removed from the Google Play Store,” said Mr Kaafar.

Mr Kaafar encourages users to shop around, compare functionality and read app reviews before signing up to a particular VPN app to avoid falling for the illusion of privacy that some of these apps offer.

“Always pay attention to the permissions requested by apps that you download. This study shows that VPN app users, in particular, should take the time to learn about how serious the issues with these apps are and the significant risks they are taking using these services.”

Read the full report here.
