A new Android flaw has been discovered that affects the virtual private network of devices running on Jelly Bean or KitKat. The Computer Emergency Response Team of India (CERT-In) said in an advisory released to users of its network “A critical flaw has been reported in Android’s (virtual private network) VPN implementation, affecting Android version 4.3 and 4.4 which could allow an attacker to bypass active VPN configuration to redirect secure VPN communications to a third party server or disclose or hijack unencrypted communications.”
CERT-In is the agency responsible for securing the Indian Internet domain, keeping hackers and phishers at bay. The agency advises users to install updates from original equipment manufacturers. Since there may already be a lot of applications circulating that exploit this weakness, it's best to install apps only from trusted sources such as the Google Play store. Those who don't have any anti-virus application running on their device may want to consider getting one. Users are also advised not to visit untrusted URLs or click on links coming from emails or SMS.
VPN is a technology that allows a person to connect to a private network using an encrypted tunnel over the public Internet. Most companies and organizations utilize this tool to allow employees to securely connect to enterprise networks from remote locations. Several devices can be used to connect to a VPN, such as desktops, laptops, smartphones, and tablets.
The CERT-In advisory further says that “It is noted that not all applications are encrypting their network communication. Still there is a possibility that attacker could possibly capture sensitive information from the affected device in plain text like email addresses, IMEI number, SMSes, installed applications.”
Security experts say that this flaw will allow data that is written in plain text to be captured and viewed. Android apps that directly connect to a server using SSL will not be affected by this flaw.
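The practical consequence of the two preceding paragraphs is that an app is only as protected as its own transport: if it relies on the VPN tunnel and sends plain text, a bypass exposes that text, whereas an app that speaks TLS directly to its server stays encrypted. The following audit helper, added here as an example and not part of the advisory or of any Android component, shows how a developer or tester can check captured payloads from their own app on a test device: it classifies each payload as TLS or not by its record header, and for non-TLS payloads flags the kinds of identifiers CERT-In names (email addresses and IMEI numbers, the latter validated with the Luhn check). The sample payloads, hostnames and IMEI value are all constructed for the example.

```python
import re

# Constructed sample payloads, as an app-traffic audit on a test device might
# capture them. Nothing here is real traffic; the IMEI is a documentation value.
SAMPLE_PAYLOADS = {
    # TLS record header (handshake, version 3.1) followed by a few filler bytes
    "tls_handshake": bytes.fromhex("160301") + b"\x00\x05" + b"\x01\x00\x00\x01\x00",
    # Unencrypted HTTP POST carrying the sort of data the advisory warns about
    "plain_http": (b"POST /sync HTTP/1.1\r\nHost: example.test\r\n\r\n"
                   b"email=alice@example.test&imei=490154203237518"),
    # Unencrypted binary data with no recognisable identifiers
    "plain_binary": bytes(range(40)),
}

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IMEI_RE = re.compile(rb"(?<!\d)\d{15}(?!\d)")


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a TLS record header:
    content type 0x14..0x17 and protocol version 0x03 0x00..0x04."""
    return (len(payload) >= 5
            and 0x14 <= payload[0] <= 0x17
            and payload[1] == 0x03
            and payload[2] <= 0x04)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by IMEI numbers; reduces false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_leaks(payload: bytes) -> list:
    """Return (kind, value) pairs for identifiers visible in a non-TLS payload.
    TLS payloads are opaque to a passive observer, so they yield nothing."""
    if looks_like_tls(payload):
        return []
    leaks = []
    for m in EMAIL_RE.finditer(payload):
        leaks.append(("email", m.group().decode()))
    for m in IMEI_RE.finditer(payload):
        candidate = m.group().decode()
        if luhn_ok(candidate):
            leaks.append(("imei", candidate))
    return leaks


def audit(payloads: dict) -> dict:
    """Map each captured payload name to the plaintext identifiers it exposes."""
    return {name: find_plaintext_leaks(data) for name, data in payloads.items()}


if __name__ == "__main__":
    for name, leaks in audit(SAMPLE_PAYLOADS).items():
        status = "encrypted (TLS)" if looks_like_tls(SAMPLE_PAYLOADS[name]) else "PLAINTEXT"
        print(f"{name}: {status} {leaks if leaks else ''}")
```

Only the plain HTTP payload is flagged; the TLS payload is skipped regardless of what it carries, which is exactly the distinction the experts quoted above draw between apps that encrypt at the application layer and apps that depend on the tunnel.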
Just last month Ben Gurion University also reported a similar VPN related flaw. The university announced that “As part of our ongoing mobile security research we have uncovered a network vulnerability on Android devices which has serious implications for users using VPN. This vulnerability enables malicious apps to bypass active VPN configuration (no ROOT permissions required) and redirect secure data communications to a different network address. These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure.”