Consumer protection agency urges users to shop around with security in mind

The Federal Trade Commission (FTC) has issued new advice to consumers who are looking to install mobile VPN apps after a recent report sparked data breach concerns.

Guidelines published by the US government department include advice on which VPNs to use, particularly when accessing a public WiFi network.

A blog post by Andrea Arias of the FTC’s Division of Privacy and Identity Protection warned consumers that although VPNs can help to shield privacy, they can also spark security concerns.

These concerns include apps that inject malware into a device, sell location data, or lack encryption.

Developers can also share personal data with third parties to optimize adverts or analyze how people are using a particular website.

Arias also warned that some VPN apps do not actually use encryption.

The report read: “Some VPN apps use protocols that do not encrypt your traffic, or encrypt only some of your traffic.”

It added: “If an app requests particularly sensitive permissions (reading text messages, for example), consider whether the permission makes sense given the app’s purpose and whether you trust the app developer with that access.”

At risk

The FTC’s advice comes after a January 2017 report found that a number of VPN apps for Android were littered with malware, spyware, and code injection.

Researchers studied 283 apps and found that poor security protection and malicious activity were present in many of them.

The team, from the University of New South Wales in Australia, UC Berkeley, and other organizations, revealed that 82% of the apps studied requested permission to access sensitive data.

A further 38% contained some form of malware and three of the apps intercepted banking, messaging and social network traffic.

And in August 2017, VPN provider AnchorFree was slammed for allegedly injecting JavaScript code into browsers and sharing users’ data with third parties.

Digital rights group The Center for Democracy & Technology (CDT) accused the company’s Hotspot Shield VPN app of exposing data to leaks or outside attacks.

The CDT also claimed the app gathers location data to optimize adverts and collects users’ IP addresses.

A statement from the CDT read: “The VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes.”

It added: “They are sharing sensitive information with third party advertisers and exposing users’ data to leaks or outside attacks.”

VPNs can be used by employees to access a work network remotely, or to access location-based streaming services from abroad.

But many privacy experts argue that free or cheap VPN apps don’t do enough, and have urged users to set up their own.