Android VPN flaw found, exposes protected data

Summary: Security researchers at Ben Gurion University claim to have found a flaw in Android's VPN implementation that leaves what should be protected communications completely exposed.

TOPICS: Security, Android

Security researchers have claimed a flaw affecting Android 4.3 can be used to hijack unencrypted communications from an active VPN connection.

According to researchers at Ben Gurion University's (BGU) Cyber Security Labs, a malicious app can be used to bypass VPN connections on Jelly Bean devices and push communications to a different network address.

In a video, the researchers demonstrate a malicious app being used to capture subject header details from an email that was sent while a VPN connection was active. The data was captured in unencrypted format, leaving what should have been protected data completely exposed, the researchers note.

"This vulnerability enables malicious apps to bypass active VPN configuration (no root permissions required) and redirect secure data communications to a different network address. These communications are captured in clear text (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure," the researchers wrote on Friday.

Their new find follows a bug that BGU previously claimed to have found in Samsung's secure app container Knox, which also relied on a malicious app to bypass the security feature to intercept outgoing communications data.

Samsung and Google later denied it was a flaw in Android or Knox, but admitted the researchers' attack used legitimate Android functions in an unintended way. Despite denying it was a flaw, one of Samsung's recommendations to mitigate the exploit was to use Android's built-in VPN or its support for a third-party VPN.

According to BGU, the new attack is related to the Knox exploit, and works against a properly configured VPN on Android 4.3 devices from multiple vendors. While the exploit can also affect SSL/TLS traffic, that traffic remains encrypted after capture.

The researchers said they had filed a report with Google, which is yet to respond to the claimed vulnerability.

ZDNet has asked Google for comment and will update the story if it receives one.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

  • This + the awesome state of Android patching/updates

    ...makes Android a terrible choice for enterprises.
    • And yet...

      Android still has fewer bugs than some of its competitors in the OS vertical. But let's be realistic here... Android isn't intended to be an enterprise OS. It's marketed to the consumer vertical. Why would anyone expect an operating system designed for a phone would be a good choice for the enterprise market? An OS for a device, maybe, but devices rarely use a VPN. I can't remember ever seeing something like a scanner using VPN software.
    • No VPN on Windows phone 8

      Windows phone 8 does not even have VPN. So it would be a terrible choice for enterprises.
      • Android VPN

        Windows Phone 8 does not have VPN but Android has, and most people use Android. There are still many Android VPN providers who claim high security and provide different protocols... you can search bestvpnservice site then add this /blog/best-android-vpn
    • New Android vulnerability ....

      If you use a VPN then you need to be cautious. However, as it says in the article, the details of the vulnerability aren't public, so it is doubtful that others have reproduced it. Also, you need to install a malicious app which will do the divert. If you stick to Google Play you should be fine. However, if you live in a country with an oppressive regime I would switch to using something else for accessing the Internet via a VPN.

      If you don't use an Android VPN then nothing has changed, Android is as it was before.
  • lol... because a virus on Windows can't?

    This is talking about an installed malicious app stealing data on Android.

    On Windows, which is supposedly an enterprise platform, a virus can take full control of the machine and all data coming in and out of it. At least Android tries to sandbox apps, which is more than Windows does.
  • Read this carefully: the rest are also vulnerable, not just Android.

    The key to this is unencrypted communications. If you use a wireless hotspot, all unencrypted communications can be captured using a data duplicator.
    Any use of unencrypted communications is a problem whether you have an Android, iPad, iPhone, BlackBerry, PC, Mac or Unix computer. The thing is to use an encrypted VPN client.
    Samsung is right: use an IPsec VPN and this is a non-issue.
  • Android VPN

    You can watch Netflix, you just need to set up a VPN on your Android. Yes, there are a few vulnerabilities in the built-in VPN. I always recommend choosing a good 3rd-party VPN option to secure your Android and access all geo-restricted sites. Now there are not many difficulties in setting up a VPN on your Android. It has now become as easy as pie. Here you can find the list of top Android VPN apps which let you access Netflix: vpnranks(dot)com/android-vpn/