VpnHood! is a virtual private network service designed to circumvent deep packet inspection (DPI), a type of data processing that inspects, in detail, the data being sent over a network and may result in blocking or rerouting. It works by redirecting the Transmission Control Protocol (TCP) packets generated by a user to a locally running SOCKS proxy client, which forwards them to the VpnHood! server. The server then makes the connection on the user's behalf. It aims to be undetectable because its traffic looks like the user is browsing an ordinary HTTPS website.

Through OTF's Red Team Lab, Include Security conducted a security assessment of VpnHood!'s Android mobile application, Windows client, and VPN server (v2.9.370). The effort spanned from June 12, 2023 to July 19, 2023, using a Standard Grey Box assessment methodology. A grey-box tester has partial knowledge of the application's internal structure, including access to documentation of its internal data structures and the algorithms used, which allows targeted test scenarios to be designed.

Include Security performed static code analysis (analysis without actually running the application) and dynamic testing (testing and evaluating a program while it’s running) of all three components (mobile app, Windows client, and VPN server).

Findings

Include Security’s audit uncovered four vulnerabilities—one deemed “medium risk” and the others deemed “informational findings.”  

Medium Risk findings could potentially be used with other techniques to compromise accounts, data, or performance. Informational findings pose little-to-no security exposure to compromise or loss of data. 

#1 Potential Code Tampering: The VpnHood! application’s executable was signed with a v1 Android Package Kit (APK) signature at the time of assessment (Medium Risk).

Why is this an issue?

Using a v1 signature makes the application prone to the “Janus vulnerability” on devices running Android 7 or below. The Janus vulnerability allows attackers to smuggle malicious code into the APK without breaking the signature.

The existence of this vulnerability means that attackers could trick users into installing a malicious attacker-controlled APK which matches the v1 APK signature of the legitimate Android application. As a result, a transparent update would be possible without warnings appearing on Android devices, effectively taking over the existing application and all of its data.

Recommended Fix:

Increase the minimum supported SDK level to at least 24 (Android 7) to ensure that this vulnerability cannot be exploited on devices running older Android versions. In addition, future production builds should be signed only with v2 or greater APK signatures.

#2 Potentially Insecure Data Storage: Android Application Data Backup is Enabled

The VpnHood! Android application allowed users to make backups of its application data during the assessment (Informational Finding).

Why is this an issue?

An attacker with physical access to the device could perform a manual backup of the VpnHood! application’s data. This could potentially lead to disclosure of security-relevant user data if the application data contained items such as cleartext passwords or personally identifiable information (PII). 

The assessment team found that no security-relevant user data was stored by the VpnHood! application; however, future iterations could introduce such data.

Recommended Fix:

Android supports automatic or manual backups of application data by default, so set the android:allowBackup option to “false” in the AndroidManifest.xml file. This would prevent security-relevant user data disclosures in future iterations of the application. 

#3 Potentially Insecure Communications: Android Cleartext Traffic is Enabled

The VpnHood! application allowed cleartext (unencrypted) traffic during the assessment, as the android:usesCleartextTraffic option was enabled in the AndroidManifest.xml file. 

Why is this an issue?

If the Android OS and third-party libraries do not enforce encrypted communications, such as Transport Layer Security (TLS), then the user of the application is at risk of:

  • Data disclosure due to data being sent in cleartext from the application to the backend server or another endpoint
  • Man-in-the-Middle (MITM) attacks, as cleartext traffic provides no confidentiality, no authenticity, and no protection against data tampering

The assessment team did not detect cleartext communications by the VpnHood! application while performing a dynamic analysis.

Recommended Fix:

Set the android:usesCleartextTraffic option to “false.” If the application requires cleartext communications then the Network Security Configuration feature (android:networkSecurityConfig) can be used to configure exceptions for certain domains, limiting the impact of allowing cleartext traffic in the application.

Setting the android:usesCleartextTraffic option to “false” does not guarantee that third-party libraries will honor it, but follows security best practices for Android development. 
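As an added example (not code from the report or from the VpnHood! project), the following Python check parses a merged AndroidManifest.xml and reports the settings behind findings #1 (only the minimum-SDK part of that fix; the v1/v2 signature scheme lives in the APK itself, not in the manifest), #2 and #3, applying Android's defaults when an attribute is absent. The two sample manifests and the resource name network_security_config are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name):
    """Read an android:-namespaced attribute; None when the element or attribute is absent."""
    if elem is None:
        return None
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def lint_manifest(manifest_xml):
    """Return the list of weak settings found, in the order of findings #1 to #3."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    app = root.find("application")
    # Android treats a missing minSdkVersion as 1 and a missing targetSdkVersion as minSdkVersion.
    min_sdk = int(_attr(uses_sdk, "minSdkVersion") or 1)
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or min_sdk)
    findings = []
    # Finding #1 (mitigation part): Janus-era devices are excluded only once minSdk is 24 or higher.
    if min_sdk < 24:
        findings.append("minSdkVersion<24")
    # Finding #2: allowBackup is true unless explicitly set to "false".
    if (_attr(app, "allowBackup") or "true").lower() != "false":
        findings.append("allowBackup")
    # Finding #3: usesCleartextTraffic defaults to true below targetSdk 28 and to false from 28 on.
    cleartext = _attr(app, "usesCleartextTraffic")
    if cleartext is None:
        cleartext = "true" if target_sdk < 28 else "false"
    if cleartext.lower() == "true":
        findings.append("usesCleartextTraffic")
    return findings

# Constructed sample manifests for the demonstration; not VpnHood!'s actual manifest.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33"/>
  <application android:label="Example" android:usesCleartextTraffic="true"/>
</manifest>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="33"/>
  <application android:label="Example" android:allowBackup="false" android:usesCleartextTraffic="false"
      android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(name, lint_manifest(manifest) or "no findings")
```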

#4 Potential Disabling of Security Features: Android Jailbreak or Rooted Device Detection Not Implemented

The VpnHood! application did not implement any detection mechanism to determine if a device was jailbroken or rooted. Devices that are jailbroken or rooted might have certain security features disabled which are used to protect the integrity of the device and applications running on it (Informational Finding).

Why is this an issue?

An attacker using the application on a jailbroken or rooted device could tamper with the application or reverse-engineer it. A malicious application running on the jailbroken or rooted device could also tamper or interfere with other applications on the device.

Recommended Fix:

Implement multiple jailbreak detection techniques to prevent information disclosure.

Remediation

VpnHood! is not planning to remediate the issues found, as they deem them to be acceptable risks. The executive summary of the report (linked below) contains VpnHood!'s comments regarding each one.

Executive Summary of Report with VpnHood!’s comments

Full Security Audit Report for VpnHood!

VpnHood! Code