A recent paper, “An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps” takes an in-depth look at over 250 VPNs for Android that use the Android VPN permission – including VyprVPN. The paper examines VPN apps available in the Google Play store, and analyzes the actual privacy and security of these apps by looking at features such as “malware presence, third-party libraries embedding and traffic manipulation.” Several news outlets, including Ars Technica, ran reports on the study.
The paper makes valid points regarding the deceptive marketing and broken functionality of many VPN providers. We have previously explored these ideas in our “You Are the Product” feature. Additionally, the paper supports the idea that using third parties results in less security and more vulnerabilities for the end-user. This is great to read, as we have always asserted that third parties decrease security and prided ourselves on the fact that VyprVPN owns and runs 100% of our network without third parties.
While we agree with this and some aspects of the paper, the paper also makes some additional conclusions that we can clarify.
Owning Your Own Infrastructure
The paper corroborates the belief that most providers don’t run their own secure equipment and network, and instead rely on cloud and dedicated hosting providers. In the paper, VyprVPN’s infrastructure looks completely different from other providers, and that’s because we own and operate our own servers and network. As a result, we have greater control over the privacy of our customer traffic.
The Definition of Android VPN
The paper assumes that anything that uses the Android VPN functionality is a VPN. While the functionality was originally intended for customer VPN implementations, it’s actually a generic packet analyzer. Android’s VPN permissions are required to implement malware filters, web proxies, or simple traffic monitors, none of which are VPNs.
Claims in the Ars Technica Article
The paper states that 18% of the apps “didn’t encrypt traffic at all,” leaving users vulnerable on Wi-Fi hotspots and unsecured network. VyprVPN’s, VPN for Android implements strong encryption using OpenVPN and our proprietary Chameleon technology, which defeats VPN blocking. When enabled, our app provides no option to send traffic without encryption. VyprVPN is highly-effective in protecting users on public Wi-Fi networks and all unsecured networks.
The study also mentions that 84% of the apps “leaked traffic based on the next-generation IPv6 internet protocol, and 66 percent don’t stop the spilling of domain name system-related data, again leaving that data vulnerable to monitoring or manipulation.” We develop our apps in-house so that we can deliver users with better control over security. Golden Frog’s apps take active efforts to prevent IPv6 leakage, something that is difficult for providers that merely provide simple configuration wrappers.
Two other claims in the article were that some apps injecting code into users’ web traffic, and several apps installing digital certificates causing apps to “intercept and decrypt transport layer security traffic.” VyprVPN does not inject code into web traffic, nor install digital certificates such as the ones mentioned.
The paper classifies Golden Frog’s networks as “residential” networks. The paper cites using residential networks as a concern because some VPN providers route their traffic through end-user home networks. In this case, random Internet users can view and manipulate the VPN user’s traffic. To classify a network as residential, the paper used networks that register themselves as end-user networks with Spamhaus, a listing of spam networks. As VyprVPN is an end-user service, Golden Frog registers its infrastructure with Spamhaus as an end-user network so that mail servers know not to expect our customers to act like mail servers. As a result, the paper’s concerns do not apply to VyprVPN.
In general, the paper confirms that VyprVPN offers exceptional online privacy. The concerns it raises about Android VPN apps mirror many of the VPN myths that we have debunked for years. This paper brings additional transparency to the VPN industry, and highlights why the choice of a VPN provider with a reputation for focusing on privacy, like VyprVPN, is important.