Recent research conducted by a team from Arizona State University and Citizen Lab has unveiled surprising connections among three families of Android VPN applications, which collectively boast over 700 million downloads on Google Play. These findings raise significant concerns about user privacy and security in the increasingly complex landscape of virtual private networks.
Finding the secret links
VPNs are often marketed as essential tools for safeguarding online privacy, securing internet traffic, and protecting users from surveillance. However, the consumer VPN market is notoriously opaque, making it challenging for users to make informed decisions regarding their online security. Researchers Benjamin Mixon-Baca, Jeffrey Knockel, and Jedidiah R. Crandall have meticulously analyzed a range of Android VPN applications that obscure their ownership, revealing hidden affiliations among them.
The researchers gathered data from various sources, including provider websites, Google Play pages, business filings, and social media accounts. They conducted both static and dynamic analyses of the applications’ APKs. “We analyzed each for security issues, finding that, in addition to sharing other code similarity features, each family of apps also shared problematic security properties. These shared flaws themselves serve as a signature by which to map relationships between providers,” the researchers explained.
The analysis identified three distinct families of VPN providers:
- Group A: This group consists of eight apps from three providers that share nearly identical Java code, libraries, and assets. They support IPsec and Shadowsocks using the same libraries and exhibit similar security vulnerabilities, including:
  - Collecting location-related data despite privacy policies claiming otherwise.
  - Utilizing weak or deprecated encryption methods.
  - Containing hard-coded Shadowsocks passwords that, if extracted, could allow attackers to decrypt user traffic.
- Group B: Comprising eight apps purportedly developed by five distinct providers, this group supports only the Shadowsocks protocol. They share the same libraries, connect to the same Shadowsocks service, and utilize identical hard-coded passwords. Notably, all of Group B’s VPN servers are hosted by a single entity, GlobalTeleHost Corp.
- Group C: This group includes two providers, each distributing one mobile VPN app. They employ a custom tunneling protocol and exhibit structurally and functionally similar source code, along with shared obfuscation and anti-reverse engineering measures. Both are vulnerable to connection inference attacks.
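As an added illustration of the auditing idea above (shared flaws such as identical hard-coded Shadowsocks credentials and deprecated ciphers acting as a signature that links apps), the following Python sketch is not code from the study or from any of the apps: it parses SIP002-style ss:// URIs, flags deprecated stream ciphers, and merges apps that embed the same hashed credential into one family. The app names, servers and passwords are constructed placeholders, and the helper names are my own.

```python
import base64
from collections import defaultdict
from hashlib import sha256
from urllib.parse import urlsplit

# Stream ciphers the Shadowsocks project deprecated in favour of AEAD ciphers.
DEPRECATED_METHODS = {"rc4-md5", "aes-128-cfb", "aes-256-cfb", "chacha20", "bf-cfb", "table"}

def make_ss_uri(method, password, host, port):
    # Builds a SIP002-style ss:// URI; used here only to construct sample input.
    userinfo = base64.urlsafe_b64encode(f"{method}:{password}".encode()).decode().rstrip("=")
    return f"ss://{userinfo}@{host}:{port}#srv"

def parse_ss_uri(uri):
    # ss://base64url(method:password)@host:port#tag -> dict of its fields
    parts = urlsplit(uri)
    userinfo, _, hostport = parts.netloc.rpartition("@")
    padded = userinfo + "=" * (-len(userinfo) % 4)
    method, _, password = base64.urlsafe_b64decode(padded).decode().partition(":")
    host, _, port = hostport.rpartition(":")
    return {"method": method, "password": password, "host": host, "port": int(port)}

def deprecated_ciphers(apps):
    # Per app, the deprecated stream ciphers its embedded configs select.
    return {app: sorted({c["method"] for c in map(parse_ss_uri, uris)
                         if c["method"] in DEPRECATED_METHODS}) for app, uris in apps.items()}

def cluster_by_shared_credentials(apps):
    # Apps embedding the same hashed (cipher, password) are merged, transitively, into one family.
    by_cred = defaultdict(set)
    for app, uris in apps.items():
        for cfg in map(parse_ss_uri, uris):
            by_cred[sha256(f"{cfg['method']}:{cfg['password']}".encode()).hexdigest()].add(app)
    families = []
    for members in by_cred.values():
        merged, rest = set(members), []
        for fam in families:
            if fam & merged:
                merged |= fam
            else:
                rest.append(fam)
        families = rest + [merged]
    return sorted(sorted(f) for f in families)

# Constructed sample (placeholder app names, documentation-range IPs, fake passwords).
SAMPLE_APPS = {
    "app_one": [make_ss_uri("aes-256-cfb", "sharedpass", "203.0.113.10", 8388)],
    "app_two": [make_ss_uri("aes-256-cfb", "sharedpass", "203.0.113.11", 8388)],
    "app_three": [make_ss_uri("chacha20-ietf-poly1305", "otherpass", "198.51.100.5", 443)],
}
```

Running `cluster_by_shared_credentials(SAMPLE_APPS)` groups the two apps that share a credential into one family while the AEAD-only app stays separate, and `deprecated_ciphers(SAMPLE_APPS)` reports the weak cipher for the first two only.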
The danger for users
The researchers emphasize that the undisclosed collection of location data constitutes a significant breach of user trust, particularly given the explicit assurances provided by the VPNs. “The client-side blind in/on-path attacks allow an attacker to infer with whom a VPN client is communicating. Most critically, on many of the VPNs we analyzed, a network eavesdropper can use the hard-coded Shadowsocks password to decrypt all communications for all clients using the apps. These weaknesses nullify the privacy and security guarantees the providers claim to offer,” they noted.
Perhaps most alarming is the revelation that these VPN providers appear to be owned and operated by Qihoo 360, a Chinese company that has taken extensive measures to conceal this connection from its vast user base. The researchers speculate that this strategy may be aimed at mitigating potential reputational damage while keeping operational costs low and management streamlined.
Earlier this year, the Tech Transparency Project (TTP) also uncovered links between Qihoo 360 and numerous free VPN applications available on Apple’s App Store. TTP found that 20 of the top 100 free VPN apps were owned by companies or individuals based in mainland China or Hong Kong, yet failed to disclose their ties to China.
“VPN apps can pose serious risks because the companies that provide them can read all the internet traffic routed through them. That risk is compounded in the case of Chinese apps, given China’s strict laws that can compel companies to secretly share access to their users’ data with the government,” the initiative stated.