
VPN Encryption Vulnerability On Android

Posted by Soulskill
from the avoid-those-malicious-apps dept.
An anonymous reader writes "Cyber security labs at Ben Gurion University have uncovered a network vulnerability on Android devices which has serious implications for users of VPNs. This vulnerability enables malicious apps to bypass active VPN configuration (no root permissions required) and redirect secure data communications to a different network address. These communications are captured in clear text (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure."

  • by nurb432 (527695) on Saturday January 18, 2014 @11:50AM (#45998497) Homepage Journal

    Better blacklist Windows, Apple, BlackBerry, desktops, laptops.... Everything is vulnerable. Even your users. It's how you mitigate the ongoing risk that separates the men from the boys.

    If you are competent enough to use MDM on your mobile devices then your end users wouldn't be installing non-approved apps anyway so they would be at minimal risk of exposure to this. If you are not, then you are just a clueless blow-hard moron and don't deserve to be in your position.

  • by Kwyj1b0 (2757125) on Saturday January 18, 2014 @11:56AM (#45998537)

    TFA says that you need to run a malicious app that intentionally exploits that system. They tested multiple Android devices (and I'm assuming different versions of the OS). Also, does this work with every VPN service (like Cisco AnyConnect), or only the native system?

    Would it be possible to test if any existing Play store app accidentally/intentionally triggers this exploit? I (like many Android users) don't pirate apps (even though my phone is rooted), but if the popular Play store apps are compromised, that would be a big deal for me.

  • by DJRumpy (1345787) on Saturday January 18, 2014 @12:39PM (#45998835)

    Although a bit flippant, the parent does have a point. Most older Android devices will never see a security update or fix for this issue. It is what it is, and unless that changes, a valid response is to require a minimum level of OS on the device. This is one area where Apple excels and Android does not.

  • by 0123456 (636235) on Saturday January 18, 2014 @03:41PM (#46000053)

    I am going to need to update our company's VPN black list to include all Android devices. End of story. Problem solution.

    Why would you let them on your corporate network in the first place? Who knows what random fluffy kitty screensaver apps users have installed that are happily stealing all your stuff and sending it to the Chinese government or Russian mafia?
