Majority of Android VPNs can’t be trusted to make users more secure | Ars Technica

Majority of Android VPNs can’t be trusted to make users more secure | Ars Technica:

"According to a research paper that analyzed the source-code and network behavior of 283 VPN apps for Android:

 18 percent didn't encrypt traffic at all, a failure that left users wide open to man-in-the-middle attacks when connected to Wi-Fi hotspots or other types of unsecured networks

16 percent injected code into users' Web traffic to accomplish a variety of objectives, such as image transcoding, which is often intended to make graphic files load more quickly.

Two of the apps injected JavaScript code that delivered ads and tracked user behavior. JavaScript is a powerful programming language that can easily be used maliciously

84 percent leaked traffic based on the next-generation IPv6 internet protocol, and 66 percent don't stop the spilling of domain name system-related data, again leaving that data vulnerable to monitoring or manipulation

Of the 67 percent of VPN products that specifically listed enhanced privacy as a benefit, 75 percent of them used third-party tracking libraries to monitor users' online activities.

82 percent required user permissions to sensitive resources such as user accounts and text messages

38 percent contained code that was classified as malicious by VirusTotal, a Google-owned service that aggregates the scanning capabilities of more than 100 antivirus tools

Four of the apps installed digital certificates that caused the apps to intercept and decrypt transport layer security traffic sent between the phones and encrypted websites" 'via Blog this'