Security Review of 281 Android VPN Apps

Researchers from the University of Michigan developed the MVPNalyzer toolkit to detect information leaks and analyze VPN performance, and used it to check 281 VPN applications for the Android platform. The most popular VPN applications distributed through the Google Play catalog were selected for study. VPN applications that have been identified as having security and privacy issues account for a total of 2.4 billion installations.

Key findings:

  • In 61 applications (22%), data transmission without encryption was detected outside the established tunnel. Most of the apps in this category are popular and have an average of 11 million installations. In 18 applications, a direct call was made to the ip-api.com service to determine the location using the client’s IP address.
  • In 5 cases, configuration files containing parameters for connecting to the VPN server were transferred to the client without encryption. The researchers conducted an experiment and confirmed the possibility of carrying out a MITM attack, which allows them to redirect traffic to their server, having the ability to wedge into the victim’s communication channel, for example, connected to a public wireless network controlled by the attacker. Problematic applications (a complete list of all applications in which problems have been identified is provided on page 17 of PDF report):

    • BambooVPN: Turbo Fast VPN (free.vpn.unblock.proxy.bamboovpn);
    • VPN Pro (com.nebulatech.voocvpnpro);
    • Free VPN (com.appoxide.freevpn);
    • Hexa VPN (com.secure.vpn.proxy);
    • 101 VPN (com.shwe.vpn101).

    Researchers notified the authors of these applications about the problems and after some time they re-checked the latest versions, which showed that the vulnerability was fixed in only two applications – VPN Pro and Hexa VPN.

  • When 29 applications (10%) are
/Reports, release notes, official announcements.