
February 14, 2017

VPN apps putting users at risk

Android app security testing has shown that a number of Virtual Private Network apps are exposing users to risk instead of protecting them. New research from the Commonwealth Scientific and Industrial Research Organisation (CSIRO Data61), the University of New South Wales, Australia, and the University of California at Berkeley found that hundreds of VPN apps expose users to weak Android app security, malware, tracking and traffic interception. All of the apps studied were available on the Google Play Store at the time of the research.

Of the 283 apps studied, 38 percent were flagged as containing malware, 75 percent used at least one third-party tracking library, and 82 percent requested permission to access sensitive user resources such as text messages and accounts. Three of the apps intercepted banking, messaging and social network traffic.
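The permission figures above come from static analysis of each app's manifest. As an added example (not code from the study or from Codified Security), the script below performs the same kind of check on a decoded AndroidManifest.xml: it reports whether the app declares a VpnService (the component guarded by BIND_VPN_SERVICE, which lets the app receive every packet the device sends) and which SMS or account permissions it requests alongside it. The two manifests embedded in the block are constructed samples, not taken from any real app, and the set of permissions treated as sensitive is an assumption chosen to mirror the study's "text messages and accounts" category.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # prefix for android:-namespaced attributes

# Assumption: these are the permissions we treat as sensitive, mirroring the
# study's "text messages and accounts" category. Extend as needed.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_CONTACTS",
}

# A VPN app's tunnel component is a <service> that is protected by
# BIND_VPN_SERVICE and answers the android.net.VpnService intent action.
VPN_SERVICE_PERMISSION = "android.permission.BIND_VPN_SERVICE"
VPN_SERVICE_ACTION = "android.net.VpnService"


def audit_manifest(manifest_xml: str) -> dict:
    """Return what a decoded manifest says about VPN capability and sensitive permissions."""
    root = ET.fromstring(manifest_xml)

    requested = {el.get(A + "name") for el in root.iter("uses-permission")}

    declares_vpn = False
    for svc in root.iter("service"):
        if svc.get(A + "permission") == VPN_SERVICE_PERMISSION:
            declares_vpn = True
        for action in svc.iter("action"):
            if action.get(A + "name") == VPN_SERVICE_ACTION:
                declares_vpn = True

    sensitive = sorted(requested & SENSITIVE_PERMISSIONS)
    return {
        "package": root.get("package"),
        "declares_vpn_service": declares_vpn,
        "sensitive_permissions": sensitive,
        # Flag the combination the study warns about: a component that sees all
        # device traffic plus access to messages or accounts.
        "flag": declares_vpn and bool(sensitive),
    }


# Constructed sample: a VPN app that also wants SMS and account access.
VPN_WITH_SMS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <application>
        <service android:name=".TunnelService"
            android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter>
                <action android:name="android.net.VpnService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: a VPN app that requests only what a tunnel needs.
VPN_MINIMAL_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainvpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application>
        <service android:name=".TunnelService"
            android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter>
                <action android:name="android.net.VpnService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (VPN_WITH_SMS_MANIFEST, VPN_MINIMAL_MANIFEST):
        print(audit_manifest(manifest))
```

The script expects a manifest that has already been decoded to plain XML; the AndroidManifest.xml inside an APK is binary XML, so run it through apktool (or `aapt dump xmltree`) first. A flagged manifest is a reason to look closer, not proof of abuse: the permission may have a legitimate use, which is exactly why the study paired this static check with VirusTotal scans and traffic analysis.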

The researchers scanned the apps with VirusTotal. The app with the highest number of anti-virus detections was OkVPN, which had around 1,000 downloads.

Several apps with more than a million downloads and enthusiastic reviews were also flagged by anti-virus engines, among them Betternet, with over five million downloads, and One Click VPN, with over a million. Around a fifth of the VPN apps do not encrypt user traffic at all, tunnelling it in the clear. A further 16 percent have no dedicated servers of their own and instead forward user traffic through the devices of other users running the same app.

Hola VPN got in trouble in 2015 for routing user traffic through other users' devices in the same way. Hola had about 46 million subscribers at the time and was heavily criticised for not disclosing how it routed traffic.

These insecure VPN apps undermine Android app security as a whole: the VPN permission lets a single app intercept the traffic of every other app on the device, which bypasses the isolation Android's sandbox otherwise provides. The researchers also found that 37 percent of the analysed VPN apps had been installed more than 500,000 times.

Codified Security is here to help make your mobile app secure, whether it's iOS or Android app security testing, or making sure you're clearing the OWASP Mobile Top 10. For mobile app security testing, try out Codified Security.