The VPN apps that aren't what they seem
Study reveals 18 popular VPN apps share infrastructure and hide their relationships.

According to a recent peer-reviewed study, 18 of the 100 most-downloaded VPN apps on the Google Play Store are secretly tied to three families.
The study, published in the journal of the Privacy Enhancing Technologies Symposium (PETS), found the apps failed to disclose behind-the-scenes relationships, including the use of shared infrastructure.
All in the family
The researchers identified three distinct groups operating multiple apps under different names. Group A consists of 8 different apps that were found to be shared between three providers and that contain practically identical code. This suggests they're from the same organisation.
For their part, the 8 apps in Group B essentially use the same server IP addresses. These servers only support the Shadowsocks service, which uses symmetric encryption with hardcoded passwords.
Finally, Group C has two apps with similar code. Crucially, both include a shared, proprietary protocol implementation that tunnels through port 53, which is normally used only for DNS.
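To make the Group B finding concrete, here is an added example (not code from the study or from this post) of one way an analyst could surface apps that share server IP addresses: link any two apps that use a common endpoint, then follow those links transitively. The package names are hypothetical, the IPs are constructed values from documentation ranges, and the approach is an assumption rather than the researchers' method.

```python
from collections import defaultdict

# Constructed observations: app package -> server IPs seen in its config or traffic.
# Package names are hypothetical; IPs come from documentation ranges (RFC 5737).
OBSERVED = {
    "com.example.vpn.alpha": {"192.0.2.10", "192.0.2.11"},
    "com.example.vpn.bravo": {"192.0.2.11", "198.51.100.7"},
    "com.example.vpn.charlie": {"198.51.100.7"},
    "com.example.vpn.delta": {"203.0.113.5"},
    "com.example.vpn.echo": set(),  # no endpoints observed
}


def cluster_by_shared_ips(observed):
    """Group apps linked, directly or transitively, by a shared server IP."""
    parent = {app: app for app in observed}

    def find(app):
        while parent[app] != app:
            parent[app] = parent[parent[app]]  # path halving
            app = parent[app]
        return app

    first_seen = {}  # ip -> first app observed using it
    for app in sorted(observed):
        for ip in observed[app]:
            owner = first_seen.setdefault(ip, app)
            ra, rb = find(app), find(owner)
            parent[max(ra, rb)] = min(ra, rb)  # no-op when already joined

    groups = defaultdict(list)
    for app in sorted(observed):
        groups[find(app)].append(app)
    # Only multi-app groups indicate shared infrastructure.
    return sorted(g for g in groups.values() if len(g) > 1)


def shared_ips(observed, group):
    """IPs used by at least two apps in the group: the evidence for the link."""
    counts = defaultdict(int)
    for app in group:
        for ip in observed[app]:
            counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n > 1)


if __name__ == "__main__":
    for group in cluster_by_shared_ips(OBSERVED):
        print(group, "share", shared_ips(OBSERVED, group))
```

Note that alpha and charlie have no IP in common, yet they land in the same family because each overlaps with bravo. A shared address alone can also come from a common hosting provider, so treat a cluster as a lead to corroborate with code similarity or ownership records.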
China's Great Firewall
I first chanced upon this report in a consumer tech publication, which alluded to an insidious Chinese link to the apps.
On reading the white paper, however, it's clear that these VPNs aren't really VPNs but are designed to help users circumvent the Chinese government's censorship, which is enforced via the Great Firewall of China.
For instance, the Shadowsocks protocol was created for just this purpose. It attempts to disguise VPN traffic as ordinary HTTPS traffic, with encryption tacked on.
Choose your VPN wisely
Still, the report is a sobering reminder to choose VPN providers wisely. By using a VPN, we're choosing to transfer risks entirely to the provider, trusting it both to protect our privacy and to implement its VPN app correctly.
I probably wouldn't want to use a VPN app that shares infrastructure or whose business relationships are highly opaque. When multiple "competing" VPN apps are actually the same service with different branding, users can't make informed decisions about who they're trusting with their data.
The irony here is striking: tools designed to bypass censorship and protect privacy are themselves hiding their true nature from users. If a VPN provider isn't transparent about its ownership and infrastructure, what else might it be hiding?
Do you use a VPN? And more importantly, do you know who's really behind it?
The white paper can be accessed here.