The landscape of virtual private networks (VPNs) is evolving, and recent research into the 100 most-downloaded VPN applications has uncovered significant security concerns. The study focused on the non-US providers among them, grouping them into three families based on shared code libraries, shared infrastructure, and business affiliations.
Security Flaws in Popular VPN Families
Family A included eight applications, notably those associated with companies such as Innovative Connecting, Autumn Breeze, and Lemon Clove. This group had critical security weaknesses, most notably a hard-coded Shadowsocks key: because the key ships inside the app, anyone who recovers it can potentially decrypt user traffic. More concerning still, these applications reportedly collected location data without disclosure, querying IP geolocation services such as ip-api.com for the user's zip code and uploading it. An investigation by the Tech Transparency Project revealed connections between three of the VPN providers and the Chinese cybersecurity firm Qihoo 360.
Family B comprises six providers, including well-known names such as Global VPN, XY VPN, and Super Z VPN. Researchers found that these services share VPN servers and likewise rely on hard-coded Shadowsocks passwords. The report stresses that while Shadowsocks is effective at circumventing Chinese internet censorship, it does not provide user anonymity, which makes it a weak point for privacy-seeking users.
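The hard-coded Shadowsocks credentials described for Family A and Family B are the kind of finding an app auditor can confirm statically. The following script is an added example, not code from the study or from any of the apps; it scans text extracted from an APK (JSON assets, strings.xml, decompiled sources) for SIP002-style `ss://base64url(method:password)@host:port` URIs, legacy `ss://base64(method:password@host:port)` URIs, and plain JSON server configs, and reports each embedded credential with the password masked. The file paths and configuration values below are constructed sample data.

```python
import base64
import json
import re

SS_URI_RE = re.compile(r"ss://[A-Za-z0-9+/=_-]+(?:@[A-Za-z0-9.\[\]:-]+)?")  # SIP002 or legacy form

def _b64(s: str) -> str:
    s += "=" * (-len(s) % 4)  # ss:// URIs usually drop the padding
    return base64.urlsafe_b64decode(s).decode("utf-8")

def decode_ss_uri(uri: str) -> dict:
    body = uri[len("ss://"):]
    if "@" in body:  # SIP002: only the credentials are encoded
        userinfo, hostport = body.split("@", 1)
        creds = _b64(userinfo)
    else:  # legacy: the whole method:password@host:port string is encoded
        creds, hostport = _b64(body).rsplit("@", 1)
    method, password = creds.split(":", 1)
    host, port = hostport.rsplit(":", 1)
    return {"method": method, "password": password, "host": host, "port": int(port)}

def _mask(secret: str) -> str: return secret[:2] + "*" * (len(secret) - 2)  # never echo the full secret

def find_hardcoded_shadowsocks(files: dict) -> list:
    """files maps an extracted-APK path to its text; returns one finding per embedded credential."""
    findings = []
    for path, text in files.items():
        for m in SS_URI_RE.finditer(text):
            try:
                cfg = decode_ss_uri(m.group(0))
            except ValueError:  # covers bad base64, bad UTF-8 and malformed host:port
                continue  # base64-looking noise, not a usable config
            findings.append({"file": path, "kind": "ss-uri", "host": cfg["host"],
                             "method": cfg["method"], "password": _mask(cfg["password"])})
        if path.endswith(".json"):
            try:
                cfg = json.loads(text)
            except ValueError:
                continue
            if isinstance(cfg, dict) and "password" in cfg and "server" in cfg:
                findings.append({"file": path, "kind": "ss-json", "host": cfg["server"],
                                 "method": cfg.get("method", "?"), "password": _mask(cfg["password"])})
    return findings

# Constructed sample assets (not taken from any real app), in the two shapes an audit usually meets.
SAMPLE_FILES = {
    "assets/ss.json": json.dumps({"server": "203.0.113.10", "password": "example-pass", "method": "aes-256-gcm"}),
    "res/values/strings.xml": '<string name="srv">ss://' + base64.urlsafe_b64encode(
        b"chacha20-ietf-poly1305:s3cret").decode().rstrip("=") + "@198.51.100.7:8388</string>",
}
```

Any hit means the app's tunnel key is shared by every install, so a server operator or anyone who has pulled the key from the package can read the traffic; the fix on the app side is per-user credentials provisioned at login rather than values baked into the build.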
The third category, Family C, covered the providers behind applications such as Fast Potato VPN and X-VPN. These apps were vulnerable to blind in-path attacks, in which an attacker positioned on the same network path can tamper with data as it is transferred.
Strategies and Consequences
The findings suggest that some of these VPN providers operate multiple brands to spread reputational risk and share infrastructure to cut costs. The practice hides the shared ownership from users, so the risks found in one app are not visibly linked to its sibling apps.
The study highlights a wider concern: many VPN services can be deceptive or insecure, giving server operators or technically adept individuals a way to intercept and read traffic. This is especially true once the app's hard-coded passwords have been recovered by reverse engineering.
The issues unearthed in this report call for action from app-store operators, who struggle to identify related VPN providers efficiently because of the scale and complexity of their operations. Since that work is time-consuming, users need to research and verify the security credentials of a VPN service themselves before using it. Ultimately, choosing a trusted VPN provider is paramount for users who want to protect their online privacy and data integrity.