Android VPN apps: How to address privacy and security issues
New research on Android VPN apps revealed the extent of their privacy and security flaws. Expert Kevin Beaver explains how IT professionals can mitigate the risks.
With all the security challenges posed by BYOD, advanced malware, shadow IT and more that security professionals encounter over the course of their work, there may be certain risks that get overlooked. Some of these risks include mobile VPN apps and the privacy and security uncertainties they're creating for users and businesses alike.
A new research paper, titled "An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps," analyzed the source code and network communications of 283 mobile VPN apps that use the Android VPN permission. The results weren't so good -- that is, if you value privacy and security.
The research uncovered numerous instances of privacy and security flaws in these Android VPN apps that would get the attention of even the greatest of security nonbelievers. The flaws uncovered included:
- third-party user tracking and libraries used by 75% of the apps;
- access to sensitive Android permissions, such as user credentials and text messages, requested by 82% of the apps;
- malware present in 38% of the apps, according to VirusTotal evaluations;
- VPN permission used by 4% of the apps to implement localhost proxies to intercept and inspect user traffic locally;
- tunneling protocols without encryption implemented in 18% of the apps, the majority of which did not tunnel IPv6 and domain name system traffic;
- nontransparent proxies that modified users' HTTP traffic deployed by 16% of the apps; and
- users' root store compromised and transport layer security interception actively performed in 4 of the apps.
It's surprising we're not hearing more about this research.
This leads to the question: Why are these Android VPN apps so insecure? The straightforward answer is because they can be. Whether or not these are flaws or exploits coded into these mobile apps on purpose, we'll never know. As I told someone who asked me whether an accidental Metasploit shell could be detected, this stuff doesn't happen on its own.
One thing from the paper that's very telling is the following -- despite the system dialogues and notifications Android sends its users about the risks associated with enabling VPN permission, "a large fraction of mobile users may however lack the necessary technical background to fully understand the potential implications."
These are the same users who, according to the study, installed 37% of the apps more than 500,000 times, and provided 25% of them with at least a 4-star rating.
This type of situation is why we have security problems. We continue to miss the boat on big, known security issues and, instead, chase other new and exciting stuff that promises to solve all of our problems. Like the well-crafted phishing emails seen today or downloadable programs dating back to the era of bulletin board systems, if something is made to look and sound reasonable, people will jump on it without any regard for security.
I witness this in my work all the time, especially as it relates to the gullibility of users who have been trained to identify, yet easily fall victim to, spear phishing.
With mobile VPN apps, a case is made that they will make your online usage more private and secure. While it can be argued that VPN app usage provides more privacy and security than no protection at all, users should ask -- who is providing that protection, exactly? Very few people truly know who's behind these apps, or what they're doing with the data potentially being collected unbeknownst to their users.
Enterprise users are downloading and using these types of mobile apps, and they're no doubt creating tangible security risks. The odds are these apps are exposing login credentials that are being used somewhere in the enterprise environment. These apps could also be leaking geolocation information, and they might very well have access to the emails and files that users' devices are transmitting, receiving and storing.
Armed with knowledge regarding these Android VPN apps, what can IT security professionals do about the situation? Whether this falls under your company's BYOD strategy, acceptable usage policies or some other aspect of its security program, such as security information and event management or malware protection, it needs to be addressed starting today.
Obviously, you want to steer clear of any of the apps researched for the paper that might create risks in your particular environment. You might need to do your own vetting of these mobile apps, and may need to standardize on a handful of them.
Tools by vendors such as NowSecure and Checkmarx, combined with network analyzers and other tools, can provide good insight to complement and even validate these new mobile VPN app research findings.
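As a first pass in that kind of in-house vetting, the sketch below flags an app that both declares a VPN service and requests sensitive permissions, the combination the research reported. It is an added example, not code from the paper or from any vendor tool. It assumes the manifest has already been decoded to text XML (for instance with apktool); the `SENSITIVE` list, the `review_manifest` name and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest live in the Android XML namespace.
A = "{http://schemas.android.com/apk/res/android}"
VPN_BIND = "android.permission.BIND_VPN_SERVICE"

# Permissions treated as sensitive here; this list is an assumption,
# tune it to your own acceptable-use policy.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def review_manifest(manifest_xml):
    """Report VPN services and sensitive permissions in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    # A VPN app exposes a service that only the system may bind to.
    vpn_services = [s.get(A + "name") for s in root.iter("service")
                    if s.get(A + "permission") == VPN_BIND]
    sensitive = sorted(requested & SENSITIVE)
    return {
        "package": root.get("package"),
        "vpn_services": vpn_services,
        "sensitive": sensitive,
        # VPN capability plus sensitive data access warrants a manual look.
        "needs_review": bool(vpn_services) and bool(sensitive),
    }

if __name__ == "__main__":
    print(review_manifest(SAMPLE_MANIFEST))
```

A manifest check only shows what an app is able to do; what it actually sends over the network still has to be confirmed with a network analyzer.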
As an alternative, security professionals could encourage or require users to use corporate-issued devices with built-in VPN software, or even downright ban Android VPN apps altogether. Some malware protection or mobile device management controls could help. Even the basic premise of acceptable usage policies is at play here, which most organizations still struggle with. While these challenges can be controlled, it's very uncertain if they will ever be resolved.