VPN App With 10,000,000+ Downloads Exposes Users' VPN Logins and Servers in Android Logs
When choosing a VPN solution, it is vital that the client itself does not expose the very data it is meant to protect. People all over the world use VPNs to protect their identity when they connect to the open internet, and in some countries this is the deciding factor in which VPN they use.
We found that OpenVPN Connect for Android writes the VPN username, the name of the VPN config file and the VPN server IP address to the system log. Before Android 4.1 restricted READ_LOGS to system and signature-level apps, any third-party app holding that permission could read every other app's log output, including OpenVPN Connect's. At the time of writing, devices running those older versions make up just 1.8% of active Android devices on Google Play. Sounds like it is not really an issue? Unfortunately that is not the end of the story: system applications retain access to the logs on every Android version.
User apps are installed via Google Play; system apps come pre-installed on the phone, typically from one of three sources: Google, the device manufacturer and the carrier. System apps are further split into privileged and unprivileged ones. Privileged system apps (those shipped in a priv-app directory such as /system/priv-app) can be granted READ_LOGS; unprivileged system apps cannot. For example, on a Samsung S9 there are 196 privileged system apps and 21 of them hold READ_LOGS. On a Google Pixel XL there are 71 privileged system apps, 4 with READ_LOGS. On the older Samsung S5 there are 112 privileged system apps and 20 hold READ_LOGS. Most of these belong to the three groups above, but one of the privileged system apps on the Samsung S5 is the Amazon_Appstore apk, a third-party app. OpenVPN Connect inadvertently leaks VPN user data to every privileged system app that declares READ_LOGS in its Android manifest.
We can use adb, the Android command-line tool, to dump the system message log by running adb logcat. The output includes stack traces, error messages and whatever the app's developers chose to log.
With adb logcat running, connecting a profile in OpenVPN Connect produces the following entries from the OpenVPNService process (PID 24312 in our capture). The username, server IP address and config name are all written in the clear:
Username ohmyusernameislogged, IP address 184.108.40.206, and config vpnbook-us-1-tcp443 failed login attempt
Username vpnbook, IP address 220.127.116.11, and config vpnbook-us-1-tcp443 valid login attempt
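The two lines above are easy to spot by eye in a short capture, but a real logcat dump runs to thousands of lines from dozens of processes. The following script, an added example that is not part of the original write-up or of OpenVPN Connect, parses logcat's default threadtime format, restricts itself to the OpenVPNService tag (or a PID), and extracts the username, server IP and config name from the credential messages quoted above. The sample input is constructed: PID 24312 and the two credential messages are from the capture, while the timestamps, thread IDs and the unrelated WifiService line are made up. The masking helper exists so that a report of the finding does not re-leak the username.

```python
import re
import sys

# logcat "threadtime" format: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
THREADTIME_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]+):\s?(?P<msg>.*)$"
)

# The credential message as quoted in the write-up. A stray space before the
# comma (present in one of the captured lines) is tolerated.
CRED_RE = re.compile(
    r"Username (?P<username>\S+), IP address (?P<ip>[\d.]+)\s*, and config "
    r"(?P<config>\S+) (?P<result>failed|valid) login attempt"
)

# Constructed sample. PID 24312 and the two credential messages are from the
# write-up; timestamps, TIDs and the WifiService line are made up.
SAMPLE_LOGCAT = """\
06-10 14:02:11.104 24312 24340 I OpenVPNService: Username ohmyusernameislogged, IP address 184.108.40.206, and config vpnbook-us-1-tcp443 failed login attempt
06-10 14:02:11.205  1189  1200 D WifiService: getConnectionInfo uid=10123
06-10 14:02:25.512 24312 24340 I OpenVPNService: Username vpnbook, IP address 220.127.116.11 , and config vpnbook-us-1-tcp443 valid login attempt
06-10 14:02:26.001 24312 24340 D OpenVPNService: connection state: CONNECTED
"""


def parse_threadtime(text):
    """Yield one dict per line that parses as a threadtime logcat record."""
    for line in text.splitlines():
        m = THREADTIME_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"], rec["tid"] = int(rec["pid"]), int(rec["tid"])
            rec["tag"] = rec["tag"].strip()
            yield rec


def find_credential_leaks(text, pid=None, tag="OpenVPNService"):
    """Return the credential fields found in records matching the PID/tag filter."""
    leaks = []
    for rec in parse_threadtime(text):
        if pid is not None and rec["pid"] != pid:
            continue
        if tag is not None and rec["tag"] != tag:
            continue
        m = CRED_RE.search(rec["msg"])
        if m:
            leaks.append({"pid": rec["pid"], "time": rec["time"], **m.groupdict()})
    return leaks


def mask(value, keep=2):
    """Mask a secret for a report so the report itself does not re-leak it."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


if __name__ == "__main__":
    # Usage: adb logcat -d -v threadtime | python3 find_leaks.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOGCAT
    for leak in find_credential_leaks(source):
        print(f"{leak['time']} pid={leak['pid']} user={mask(leak['username'])} "
              f"server={leak['ip']} config={leak['config']} ({leak['result']})")
```

Pipe a real capture in with adb logcat -d -v threadtime; without stdin the script runs over the constructed sample. The PID filter is there because a tag can be reused by unrelated processes, and the tag filter because the PID changes every time the service restarts; use whichever you captured.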
The issue was reproduced on more than one Android device, with different configuration files, and in the Genymotion device emulator.
Please note that this information was disclosed privately to OpenVPN. They provided a developer point of contact, but more than 30 days have now passed since the details were shared. At the time of writing the latest version of OpenVPN Connect is 3.0.7, which was released after the 30-day responsible disclosure period. Our call to action is for all Android OpenVPN Connect users to check the list of privileged system apps on their devices that hold READ_LOGS, and then decide whether they are comfortable with who might be harvesting their VPN information.
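The per-device counts given earlier (196/21 on the S9, 71/4 on the Pixel XL, 112/20 on the S5) and the call to action above both come down to the same check: which packages are privileged and have actually been granted android.permission.READ_LOGS. The script below is an added example, not part of the original write-up, that answers it from the text of adb shell dumpsys package. It assumes the output layout of Android 8 and 9 (a "Package [name] (hash):" header per package, PRIVILEGED appearing in a flags= or privateFlags= line, and grants listed as "android.permission.READ_LOGS: granted=true" under "install permissions:"); it also accepts the older layout where PRIVILEGED sits in flags= and grants are listed bare under "grantedPermissions:". Permissions that are merely requested are deliberately not counted. The sample dump and its package names are constructed for the example.

```python
import re
import sys

PACKAGE_HDR = re.compile(r"^\s*Package \[(?P<name>[^\]]+)\]")
FLAGS_LINE = re.compile(r"^\s*(?:flags|privateFlags)=\[(?P<flags>[^\]]*)\]")
SUBSECTION = re.compile(r"^\s*(?P<name>[A-Za-z ]+):\s*$")
READ_LOGS = re.compile(
    r"^\s*android\.permission\.READ_LOGS(?::\s*granted=(?P<granted>true|false)\b.*)?\s*$"
)
# Subsections whose entries are actual grants (not "requested permissions:").
GRANT_SECTIONS = {"install permissions", "grantedPermissions", "runtime permissions"}

# Constructed dump in the assumed dumpsys layout; package names are invented.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.carrier.diag] (a1b2c3):
    codePath=/system/priv-app/CarrierDiag
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    privateFlags=[ PRIVILEGED ]
    requested permissions:
      android.permission.READ_LOGS
      android.permission.INTERNET
    install permissions:
      android.permission.READ_LOGS: granted=true
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
  Package [com.example.oem.launcher] (d4e5f6):
    codePath=/system/priv-app/Launcher
    flags=[ SYSTEM PRIVILEGED HAS_CODE ]
    requested permissions:
      android.permission.READ_LOGS
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.oem.wallpaper] (0a1b2c):
    codePath=/system/app/Wallpaper
    flags=[ SYSTEM HAS_CODE ]
    privateFlags=[ ]
    install permissions:
      android.permission.READ_LOGS: granted=false
  Package [com.example.thirdparty] (3c4d5e):
    codePath=/data/app/com.example.thirdparty-1
    flags=[ HAS_CODE ]
    requested permissions:
      android.permission.READ_LOGS
Shared users:
  SharedUser [android.uid.system] (9f8e7d):
    install permissions:
      android.permission.READ_LOGS: granted=true
"""


def parse_dumpsys_packages(text):
    """Map package name -> {system, privileged, read_logs} from dumpsys output."""
    pkgs, current, in_grants = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace():
            # Top-level section header ("Packages:", "Shared users:", ...).
            current, in_grants = None, False
            continue
        m = PACKAGE_HDR.match(line)
        if m:
            current = pkgs.setdefault(
                m.group("name"), {"system": False, "privileged": False, "read_logs": False})
            in_grants = False
            continue
        if current is None:
            continue
        m = SUBSECTION.match(line)
        if m:
            in_grants = m.group("name").strip() in GRANT_SECTIONS
            continue
        m = FLAGS_LINE.match(line)
        if m:
            flags = m.group("flags").split()
            current["system"] = current["system"] or "SYSTEM" in flags
            current["privileged"] = current["privileged"] or "PRIVILEGED" in flags
            continue
        m = READ_LOGS.match(line)
        if m and in_grants and m.group("granted") != "false":
            current["read_logs"] = True
    return pkgs


def privileged_readlogs_apps(text):
    """Sorted names of packages that are privileged and granted READ_LOGS."""
    return sorted(n for n, p in parse_dumpsys_packages(text).items()
                  if p["privileged"] and p["read_logs"])


if __name__ == "__main__":
    # Usage: adb shell dumpsys package | python3 readlogs_audit.py
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPSYS
    for name in privileged_readlogs_apps(dump):
        print(name)
```

Two caveats when running this against a real device. Packages that share a UID (sharedUserId, for example the android.uid.system group) have their grants printed under the SharedUser entry rather than under each package, so the parser will undercount them; extend it to map shared users back to their members if you need that coverage. And dumpsys output differs between Android releases and vendor builds, so spot-check one known privileged package in your dump before trusting the list.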