- A recent investigation found that some popular VPN apps were secretly sending customer data to Sensor Tower, an analytics firm.
- The developers tricked users into installing root certificates to bypass the limitation set by the Google and Apple stores, allowing full access to users’ devices.
- Google and Apple have removed the apps from their stores, but current users are also asked to uninstall them immediately.
It’s easy to want to jump on free Wi-Fi networks (whether it be at the airport, train station, hotel or restaurant) while traveling as you may not always have the option of an affordable roaming plan. Using open networks puts your devices at more risk as hackers could try to intercept data transmissions between yourself and the requested websites or services.
As a result, there has been a big push for the use of virtual private networks (VPNs). A VPN creates a virtual pipeline between your device and whatever website or service you are trying to access, protecting all your details including passwords, credit card numbers, and e-mail addresses. The information is routed securely through the VPN’s server, making it much harder for hackers to make sense of whatever information is being sent or received.
The problem with this is that you still have a weak link at the VPN’s end. In theory, the expectation is that VPN providers operate with the best interests of their customers in mind, by implementing policies such as not logging customer data, providing extremely secure proxy servers, hiding the users’ origin IP addresses and providing a kill switch should their service be interrupted for whatever reason.
Unfortunately, not all providers operate this way, as pointed out by a recent BuzzFeed News investigation. They discovered that a number of popular VPN and ad blocking apps have been secretly sending data associated with millions of users to tech analytics platform Sensor Tower. Four of the highlighted apps include:
- Adblock Focus (Android and iOS)
- Free and Unlimited VPN (Android)
- Luna VPN (Android and iOS)
- Mobile Data (Android)
What was most disturbing was that when a user installed these apps, they were further required to install a root certificate from an external website, which allowed the app developer to gain root access to the phone or tablet. This essentially gave the developers full access to users’ devices, as they could access stored files, installed apps, and view incoming and outgoing data, among other top-level privileges.
Apps on the Play and App Stores are not allowed to have this kind of access, which is why the developers implemented the workaround, exposing the user’s data and storage habits to the developer.
The developers also cleverly disguised the requirement, promising additional features such as no YouTube ads.
Sensor Tower provides mobile analytical data including information about usage, store trends, advertising spending and much more.
Google and Apple have since removed the apps from their respective stores and are investigating the claims made by BuzzFeed.
As suggested by Lifehacker, these apps should be removed immediately if they are on your phone or tablet. They also recommend checking permissions on other VPN or ad blocking apps because even “normal” permissions may be too intrusive. For instance, access to your microphone or camera is definitely not required for VPNs to be functional.