An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps

Discussion in 'privacy technology' started by mirimir, Jan 25, 2017.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Ikram et al. (2017) An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps
    https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf

    Many sorts of sins are detailed therein. Some are probably relevant to VPNs generally. HideMyAss and Hotspot Shield look bad. I see no mention of AirVPN, BolehVPN, IVPN, Mullvad or PIA.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
  3. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    But I see that AirVPN and Mullvad a while ago were included in a list of services that allow IPv6 leaks and/or DNS hijacking.

    http://www.eecs.qmul.ac.uk/~tysong/files/PETS15.pdf

    That was a little disappointing to learn.

    [Edit: I see AirVPN responded to that at the time the study was published.

    https://airvpn.org/topic/14231-ipv6-leakage-and-dns-hijacking/]
     
  4. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    I do think that it should not be surprising that so many Android VPN apps are of poor quality or out-and-out malware. When I see most VPN apps and services, along with their ads, they look completely suspicious to me. And it seems obvious that there would be no better way to attack people and trick them into giving up their privacy than by pitching them a handy app that supposedly protects their privacy.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, I agree, that's why I decided to stay away from them.

    http://www.zdnet.com/article/vpns-are-not-as-private-as-the-name-suggests-csiro/
     
  6. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    The other thing that is dumb/tricky about these Android apps is that they are not simply VPN services, per se, like AirVPN, iVPN, etc. That is, it's not like it's a service that you connect to with built-in VPN software in Android or something like that. Instead, they provide a handy app.

    But the app is essentially a closed-source piece of software running on your device with very low-level privileges. This is an extreme no-no, from a privacy point of view. Who knows what that app is doing? It's really the app, not the VPN service per se, that creates the possibility to control and track one's traffic in all kinds of nasty ways.

    Whereas with other services, like AirVPN, etc., you can use well-known, open-source software, like OpenVPN, to make the connection. Yes, they could still track you from the server and not provide the privacy promised. But (I believe) they couldn't perform man-in-the-middle attacks and other malicious things like that, because they need the software (app) running natively on your device to do those things.

    Obviously most people don't understand these distinctions, but it is what should make one skeptical to begin with.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I suspect that it's impossible to use VPNs securely on smartphones. Some apps get enough privileges to bypass VPN tunnels. On Linux, nothing without root rights can do that. Except Network Manager :eek: But on smartphones, it's far more likely that stuff will leak. If you want to use VPNs or Tor securely, you must use a separate router.
     
  8. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I pretty much agree; the best option is OpenVPN Connect with .ovpn profiles from a reputable VPN provider. That will deal with malware, but there is still the problem of leaks and bypasses. Android is a risky platform and apps have to be checked out well before installing. I spent an evening going through apps when I got a new Android phone and only a handful had acceptable permissions. I normally have data disabled and just use it as a phone, and the data is only turned on when I tether the phone to use it as an emergency internet connection.
     
  9. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    You could almost break this thread into two separate sections. The largest section would be for folks using their Androids BUT not having ROOT! Inserting perspective: who would run their computer without full and absolute Admin and yet expect to be safe? The answer is obviously nobody that had any knowledge of such things. Why then do we think/assume that Android, which is a Linux brother, is any safer? It isn't. Another obvious answer.

    Trying to maintain control on a device where you lack absolute ROOT/Admin is a waste of time, really it is!

    The second section of the thread split could be for fully rooted phones only. Now here we can discuss and debate the removal of permissions, etc. from any app. WE would have control, and given the inclination to succeed, the device can be securely managed.
     
  10. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Unfortunately, with Android and iOS, rooting brings its own issues. I don't see them as secure or completely trustworthy, rooted or not. It's not just the structure of the OS itself, which has a lot of undesirable features that are not privacy friendly at all; the ecosystem that develops and maintains it is also problematic.
     
  11. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    Yeah, I'm straying from the topic a bit, but phones are a nightmare. I tell everybody I know that they are foolish to use their phone with any kind of banking app. I also think it's a bad idea to use phones for email (where the email account contains any kind of important personal information). Sadly, more and more, even institutions that should place security at the forefront, like banks, want you to use your phone. I also think the phone as the default device for two-factor authentication is one of the dumbest ideas ever; it's the thing someone is most likely to lose or have stolen; and if you have access to someone's phone, you may well have access to accounts (email, banks, etc.) that use the very same device for two-factor identification on password recovery, etc.; talk about giving away the keys to the kingdom.
     
  12. bolehvpn

    bolehvpn Registered Member

    Joined:
    Oct 10, 2011
    Posts:
    84
    Location:
    Malaysia
    We haven't developed our own mobile apps and we currently rely on open source clients such as Arne Schwabe's OpenVPN for Android or for iOS the official OpenVPN app (OpenVPN Connect for iOS).

    We actually noticed that the Android app leaks IPv6 when used with our VPN and are currently working to plug this, since there is no easy way to disable IPv6 without rooting. Still testing OpenVPN Connect.

    You're right that phones are a nightmare and I agree that rooting introduces a lot of other potential security risks. For example, you have to re-root for Android disk encryption to work if I remember correctly.
     
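    Two of the concerns raised in this thread (IPv6 traffic slipping past the tunnel, and a man-in-the-middle impersonating the VPN server) can be partly caught by reading the .ovpn profile a provider hands out before loading it into OpenVPN for Android or OpenVPN Connect. The script below is an added example, not code posted in this thread or shipped by any provider named in it. The two profiles are constructed, `vpn.example.invalid` is a placeholder host, and the directives it looks for are real OpenVPN client options: `redirect-gateway def1 ipv6` (OpenVPN 2.4 and later), `block-ipv6` (2.5 and later), `remote-cert-tls server` and `verify-x509-name`.

```python
"""Static audit of an OpenVPN client profile (.ovpn) for IPv6-leak and
server-impersonation mitigations. Added example; sample profiles are
constructed and do not belong to any real provider."""

# Constructed profile: IPv4-only default route, IPv6 untouched, and no
# check that the peer's certificate is actually a *server* certificate.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
# IPv4 only: IPv6 keeps using the phone's native interface
redirect-gateway def1
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, constructed)
-----END CERTIFICATE-----
</ca>
"""

# Constructed profile with the mitigations present.
HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
redirect-gateway def1 ipv6
block-ipv6
remote-cert-tls server
verify-x509-name vpn.example.invalid name
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, constructed)
-----END CERTIFICATE-----
</ca>
"""


def parse_directives(text):
    """Return [(name, [args])] for top-level directives.

    Comment lines (# or ;) and the contents of inline <tag>...</tag>
    blocks (CA, certs, keys) are skipped so PEM lines are not mistaken
    for directives."""
    directives = []
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if in_block:
            if line.startswith("</"):
                in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def audit_profile(text):
    """Return a list of human-readable findings; empty list means the
    checked mitigations are all present."""
    directives = parse_directives(text)
    names = {name for name, _ in directives}
    findings = []

    # Leak check: is the default route sent into the tunnel at all, and is
    # IPv6 either routed into the tunnel or explicitly blackholed?
    redirect_args = [args for name, args in directives if name == "redirect-gateway"]
    if not redirect_args:
        findings.append("no redirect-gateway: default route is not sent through the tunnel")
    routes_v6 = any("ipv6" in args for args in redirect_args)
    if not routes_v6 and "block-ipv6" not in names:
        findings.append("IPv6 neither routed through the tunnel (redirect-gateway ... ipv6) "
                        "nor blocked (block-ipv6): IPv6 traffic can bypass the VPN")

    # Impersonation check: without remote-cert-tls server (or an explicit
    # verify-x509-name), any certificate signed by the provider's CA,
    # including another client's, is accepted as the server.
    if "remote-cert-tls" not in names and "verify-x509-name" not in names:
        findings.append("server certificate not constrained: add 'remote-cert-tls server' "
                        "(and optionally verify-x509-name)")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"[{label}] {audit_profile(profile) or 'no findings'}")
```

    The checks are deliberately conservative: a clean result only says the profile asks OpenVPN to route or block IPv6 and to verify it is talking to a server certificate, not that the app, the OS or the provider's server honour that. Pushed `dhcp-option DNS` entries and the app's own leak-protection settings cannot be judged from the profile text, so the DNS-hijacking side of the PETS15 paper still needs a live test.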