Malwarebytes, the cybersecurity company, is reminding us that “not all VPNs are created equal.”
A VPN, or virtual private network, encrypts a user’s web traffic and masks the IP address of his device. People use VPNs to sidestep geographic restrictions on visiting a website, to generally protect their privacy online, or to avoid being persecuted by an autocratic government.
But according to a report cited by Malwarebytes, “Hidden Links: Analyzing Secret Families of VPN Apps,” many VPN apps available through the Google Play Store are insecure, possibly allowing others to view the user’s supposedly hidden traffic. The authors also note that some of the Android VPN apps “appear to be owned and operated by a Chinese company and have gone to great lengths to hide this fact from their 700+ million combined user bases.”
The researchers examined the most popular Android VPN apps that are not based in the United States and “scanned websites, business filings, and the VPN apps’ source code to try and find links between them,” says Malwarebytes. “Using a combination of data points found in these resources, they found common software libraries, technical infrastructure, and business details that allowed them to group the VPN apps into three families.”
Beware Qihoo 360 and Shadowsocks
The apps in these different “families” have different kinds of security flaws. Many use the Shadowsocks protocol, which, according to the “Hidden Links” report, “has no built-in asymmetric cryptography and requires the insecure use of hard-coded passwords….”
This way of handling passwords “may increase one’s vulnerability to network censorship if not carefully implemented…. Hardcoded Shadowsocks passwords counterproductively increase the exposure of users’ communications to eavesdroppers.” In other words, in such a case the web surfer is worse off than if he had not used a VPN. “Shadowsocks was designed to be censorship-resistant, not private. Therefore, VPN providers need to be up front with their users about the risks if they use Shadowsocks with only symmetric cryptography.”
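The practical consequence of a hard-coded Shadowsocks password is that the shared symmetric secret ships inside the app itself, so an auditor can check for it directly. The following is an added example, not code from Malwarebytes or from the “Hidden Links” report: it decodes both documented ss:// URI forms (SIP002 and legacy) from a constructed list of app strings and flags each one as a shipped credential. The sample strings, server addresses and passwords are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample: strings of the kind an auditor pulls out of an app's
# bundled config or resources. Not taken from any real app or from the report.
SAMPLE_STRINGS = [
    "ss://YWVzLTI1Ni1nY206c2VjcmV0cGFzcw==@203.0.113.10:8388#node-1",  # SIP002
    "ss://YWVzLTI1Ni1jZmI6aHVudGVyMkAxOTguNTEuMTAwLjc6ODM4OA==",          # legacy
    "https://example.invalid/api/v1/servers",                           # unrelated
]

# Matches an ss:// URI up to (but not including) a '#' remark/fragment.
SS_URI = re.compile(r"ss://[A-Za-z0-9+/=_\-@.:%\[\]]+")


def _b64(s):
    """Decode (URL-safe or standard) base64, tolerating missing '=' padding."""
    s = unquote(s)
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)).decode()


def parse_ss_uri(uri):
    """Return (method, password, host, port) for an ss:// URI, or None.

    SIP002 form: ss://BASE64(method:password)@host:port
    Legacy form: ss://BASE64(method:password@host:port)
    """
    body = uri[len("ss://"):].split("#", 1)[0]
    try:
        if "@" in body:                       # SIP002: only userinfo is base64
            userinfo, hostport = body.rsplit("@", 1)
            method, password = _b64(userinfo).split(":", 1)
        else:                                 # legacy: whole body is base64
            userinfo, hostport = _b64(body).rsplit("@", 1)
            method, password = userinfo.split(":", 1)
        host, port = hostport.rsplit(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    return method, password, host, int(port)


def find_hardcoded_shadowsocks(strings):
    """Flag every decodable ss:// URI in a collection of app strings.

    A password that decodes here is a symmetric key shared by every user of
    the app, which is exactly the exposure the report warns about.
    """
    findings = []
    for s in strings:
        for m in SS_URI.finditer(s):
            parsed = parse_ss_uri(m.group(0))
            if parsed:
                method, password, host, port = parsed
                findings.append({"method": method, "password": password,
                                 "server": f"{host}:{port}"})
    return findings
```

Run against strings extracted from an app under review (for example the output of a strings dump of its resources), any finding means the app's confidentiality rests on a secret that every copy of the app already contains.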
Some developers may hide their identity because they’re bad actors, others because they face the same risks from governments determined to surveil and censor—and harass and detain—that their customers face.
“While increased requirements for identity verification may help to keep users safe, such requirements must be balanced with the rights of developers to anonymously distribute software,” the authors advise. But “anonymity is distinct from deception, and software distributors [like the Google Play Store] could respect authors’ anonymity while still taking action against those who have misrepresented their corporate associations.”
PLA connection
By the way, the cloaked company that turns out to be behind many of these insecure non-U.S. Android apps, Qihoo 360, is not just a major Chinese cybersecurity firm. It’s a firm that “the United States government sanctioned on June 2020 for its connection to the People’s Liberation Army.”