A group of authors has produced an academic report on the Android market for virtual private networks (VPNs), and the report has uncovered a number of serious issues. The report contains technical input from numerous industry specialists, including from the University of California at Berkeley and the Australian research agency CSIRO. The experts assessed close to 300 VPN apps available from the Google Play Store. These apps are downloaded, installed with various permissions and then run while users believe their online activity is being kept safe. This is not the case: 67 percent of tested Android VPN clients claim to offer enhanced online privacy and security, but 75 percent use third-party tracking libraries. An even higher proportion of them requested permission to access sensitive content like user accounts and text messages, and 18 percent of apps didn’t even encrypt data. Close to 40 percent of tested VPN clients contained malware or “malvertising” as measured by the VirusTotal service. Some VPN clients even explicitly allowed developers to intercept data, although each developer explained that this was in order to accelerate internet traffic.
These statistics make for scary reading for people worried about their online security. Android has supported embedded VPN clients since version 4.0 (Ice Cream Sandwich), released over five years ago. Google has included a warning in Android that using a VPN means that internet traffic is routed through another service, but the authors of this report note that “a large fraction of mobile users may, however, lack the necessary technical background to fully understand the potential implications.” The report goes on to explain that many customers are installing applications without understanding how their data may be used, controlled, or (not) kept safe. The team looked at negative reviews from the Google Play Store and found that approximately one-third of negative reviews of VPN clients stated that battery life or bugs were an issue, but the number of users with security concerns did not even reach one percent. The authors note that people are largely oblivious to the risks of using an insecure VPN client.
There are many articles detailing why the use of an open Wi-Fi hotspot is not a safe internet practice, and many Internet users have at least tried a VPN service. VPN apps are tempting for Android users as they remove the need to go through device Settings, but for some VPNs, it would appear that routing traffic through their service provides the company with all of our online data. The risks of using an open Wi-Fi hotspot are difficult to quantify, but it seems that using the wrong VPN service is potentially a far more invasive practice. The report authors do explain that a paid VPN service gives the developers less of an incentive to manipulate your Internet traffic and look through your connection logs. That still doesn’t offer any guarantees as customers are still trusting another company with their Internet data.