Between an industry-wide push to encrypt all web traffic and the newfound popularity of secure chat apps, it's been a boom time for online privacy. Virtual private networks, which shield your web traffic from prying eyes, have rightly garnered more attention as well. But before you use a VPN to hide your online shopping from the IT department at your company---or help protect yourself from state surveillance---know that not all mobile VPNs are created equal. In fact, some are actively harmful.
VPNs offer an array of potential privacy and security benefits, because they put another server between websites and your device. You can use VPNs to conceal the location revealed by your IP address; one common use before a recent crackdown was to access regional content, like US Netflix, from countries with lesser libraries. Ideally, a VPN funnels all your traffic through an encrypted, secure, private network, making it more difficult for a third party to monitor your browsing than if your data were exposed on a public network.
It all sounds great, but isn't always so rosy in practice. That's because using a VPN grants the company behind it extensive access to your data at the same time that it hides the stream from everyone else. Depending on a VPN's logging practices and privacy policy, it may be willing and able to turn your browsing history over to law enforcement or could even sell customer data to marketing services and ad networks. Even worse, malware masquerading as a VPN could do real damage by concealing malicious activity on your device behind a veneer of security protection.
"These days, many people know what a VPN is and what they can do with one," says Kevin Du, a computer security researcher at Syracuse University and an IEEE senior member. "Not many people know what a bad or flawed VPN can do to their devices, because they don’t know how VPN works."
Trust Falls
VPNs have been around for years, as have their attending trust issues. But while previously VPN enthusiasts were mostly a core base of desktop users, the mobile boom and app-store accessibility have created an explosion in mobile VPN offerings. And while some are genuinely looking to offer security and privacy services, plenty do more harm than good.
In a recent in-depth analysis of 283 mobile VPNs on the Google Play store by Australia's Commonwealth Scientific and Industrial Research Organization, researchers found significant privacy and security limitations in a majority of the services. Eighteen percent of the mobile VPNs tested created private network "tunnels" for traffic to move through but didn't encrypt them at all, exposing user traffic to eavesdropping or man-in-the-middle attacks. Put another way, almost a fifth of the apps in the sample didn't offer the level of security that's basically the entire point of VPNs.
Meanwhile, 84 percent of the apps didn't properly encrypt traffic between sites using the most recent version of the Internet Protocol. And though two-thirds of the apps in the study specifically marketed themselves as enhancing user privacy, 75 percent of those used third-party data-tracking libraries, and 82 percent asked for user permission to access additional personal data on devices like text messages.
