​VPNs are not as private as the name suggests: CSIRO

The Commonwealth Scientific and Industrial Research Organisation (CSIRO) has warned users of virtual private networks (VPN) that they may not be as secure as the name suggests. Check out our guide on what is a VPN if you need preliminary research.

The CSIRO recently looked at 283 Android VPN apps, investigating a wide range of security and privacy features to compile its report [PDF], An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps.

The research organisation found that 18 percent of the apps probed fail to encrypt users' traffic, with 38 percent injecting malware or malvertising straight into the user's device, and over 80 percent requesting access to sensitive data such as user accounts and text messages.

16 percent of the analysed VPN apps deploy non-transparent proxies that modify a user's HTTP traffic by injecting and removing headers or performing techniques such as image transcoding.

In addition, two VPN apps were found to be actively injecting JavaScript code on user traffic for advertisement and tracking purposes, with one redirecting ecommerce traffic to external advertising partners.

"The very reason users install these apps -- to protect their data -- is the very function they are not performing and these apps have been installed by tens of millions of users," the report says.

While most of the examined apps offer "some form of" online anonymity, the CSIRO said that some app developers deliberately sought to collect personal user information that could then be sold on to external partners.

Less than 1 percent of users, however, had any security or privacy concerns about these apps.

18 percent of VPN apps were found to implement tunneling technologies without encryption, while 84 percent and 66 percent of apps were leaking IPv6 and DNS traffic, respectively. As a result, these apps do not protect user traffic against in-path agents performing online surveillance or user tracking, the report explained.

The app descriptions on the Google Play Store, however, for 94 percent of the IPv6 and DNS leaking apps claim to provide privacy protection.

Before publishing its report, the CSIRO reached out to developers whose apps displayed security shortcomings, noting that several took action to fix vulnerabilities, with some apps removed from the Google Play Store as a result.

"Despite the fact that Android VPN-enabled apps are being installed by millions of mobile users worldwide, their operational transparency and their possible impact on [a] user's privacy and security remains 'terra incognita' even for tech-savvy users," the report concludes.