Android VPN flaw found, exposes protected data

Security researchers at Ben Gurion University claim to have found a flaw in Android's VPN implementation that leaves what should be protected communications completely exposed.
Written by Liam Tung, Contributing Writer

Security researchers have claimed a flaw affecting Android 4.3 can be used to hijack unencrypted communications from an active VPN connection.

According to researchers at Ben Gurion University's (BGU) Cyber Security Labs, a malicious app can be used to bypass VPN connections on Jelly Bean devices and push communications to a different network address.

In a video, the researchers demonstrate a malicious app being used to capture subject header details from an email that was sent while a VPN connection was active. The data was captured in unencrypted format, leaving what should have been protected data completely exposed, the researchers note.

"This vulnerability enables malicious apps to bypass active VPN configuration (no root permissions required) and redirect secure data communications to a different network address. These communications are captured in clear text (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure," the researchers wrote on Friday.

Their new find follows a bug that BGU previously claimed to have found in Samsung's secure app container Knox, which also relied on a malicious app to bypass the security feature and intercept outgoing communications data.

Samsung and Google later denied it was a flaw in Android or Knox, but admitted the researchers' attack used legitimate Android functions in an unintended way. Despite denying it was a flaw, one of Samsung's recommendations to mitigate the exploit was to use Android's built-in VPN or its support for a third-party VPN.

According to BGU, the new attack is related to the Knox exploit, and works against a properly configured VPN on Android 4.3 devices from multiple vendors. While the exploit can also affect SSL/TLS traffic, that traffic remains encrypted after capture.

The researchers said they had filed a report with Google, which is yet to respond to the claimed vulnerability.

ZDNet has asked Google for comment and will update the story if it receives one.
