Upcoming iPhone, Android Caution: Avoid Installing These Applications
The recent advisory for iPhone and Android users could lead to millions of apps being removed from devices and countless more never being installed in the first place. This warning comes directly from the U.S. government, which could make users take it more seriously this time.
While the reported security threats associated with SMS and RCS messaging have garnered significant attention in the FBI and CISA alerts, they also urge users to regularly update their device firmware and utilize secure browsing, DNS masking, and password managers when available.
However, an additional, less-publicized caution in the same alerts has not gained much attention, although the risk it describes remains. "Avoid using a personal virtual private network," the U.S. cyber defense agency cautions. According to the agency, personal VPNs may transfer risks from your internet service provider (ISP) to the VPN provider, consequently increasing the attack surface.
This advice is not new; cybersecurity experts have long stressed the same concern. Last month, Kaspersky warned about a substantial increase in the installation of harmful, free VPN apps, rising by 2.5 times globally compared to Q2. These apps were either malware or tools that could be misused by malicious actors.
Moreover, a June test conducted by specialized websites on the "100 most popular free Android VPN apps available in the Google Play Store, with 2.5 billion worldwide installs collectively," revealed several concerns:
- Over 10% of the apps suffered encryption failures.
- Nearly 90% of the apps had some form of leakage.
- Almost 70% of the apps requested at least one privacy-risking permission.
- Approximately one-third of the apps misused permission requests.
- Almost three-quarters of the apps shared personal data with third parties.
- Nearly 20% of the apps were marked as malware by antivirus scanners.
CISA itself acknowledges that "many free and commercial VPN providers have questionable security and privacy policies." While their recommendation is to avoid these apps unless "your organization requires a VPN client to access its data," I would propose a more moderate approach.
VPNs have their uses, especially in specific scenarios such as using public Wi-Fi in completely open or untrusted environments, particularly abroad, or when you want to conceal your location from the websites you visit or from those spying on web traffic.
It is through the use of VPNs that users behind digital barriers in countries like Russia, China, and Iran can access overseas websites and communication platforms. This is why the removal of VPNs from Apple's Russian App Store sparked controversy.
Once again, here are my recommended guidelines for VPN usage:
- Install VPNs from Play Store or App Store only.
- Use paid VPNs with a transparent subscription for a reasonable duration, never with opaque in-app purchases.
- Opt for VPNs from well-known developers, those that can be easily researched on popular websites, and avoid those based in China.
- Ensure that Play Protect is enabled, and never disable or pause Play Protect to install a VPN that Google flags as risky.
- When Android 15's new live threat detection flags an app, take the required action.
As Kaspersky points out, "Users tend to believe that if they find a VPN app in an official store like Google Play, it is safe and can be used to access content that is unavailable in their location. And they believe it is even better if this VPN service is free!" However, this often turns into a trap, given the current statistics showing an increase in malicious VPN app encounters. Let us hope that the U.S. government's warning will finally persuade users to avoid such risks.
Alongside their warnings about potential threats in SMS and RCS messaging, the FBI and CISA also advise users to regularly update device firmware and use secure browsing methods. However, less attention has been given to a caution from the U.S. cyber defense agency: it advises against using personal VPNs because the risks are transferred to VPN providers.
Recent reports, such as Kaspersky's warning about a rise in harmful, free VPN apps, highlight serious concerns with many free and commercial VPN providers. A test of popular Android VPN apps revealed numerous issues with encryption, privacy-risking permissions, and personal data sharing with third parties.
In light of these concerns, it's crucial to be cautious when using VPNs. My recommended guidelines include installing VPNs from trusted sources, using paid services instead of free apps, and avoiding VPNs from developers based in China. It's also important to keep Google Play Protect enabled and to be wary of any flagged risky apps.
The recent U.S. government warning about potential app removals and installation restrictions can serve as a reminder for users to be extra careful when using VPNs, as their use can provide additional protection but also increase potential risks if not used wisely.