
Google has confirmed that SuperVPN, which has 100 million installs, has a vulnerability that allows for a critical MITM attack. On April 7, it was finally removed from the Google Play store.

SuperVPN Free VPN Client is an amazingly successful free VPN Android app. It has more than 100 million installs on the Play store, having started from only 10,000 installs nearly four years ago. Unfortunately, it's also an amazingly dangerous free VPN Android app.

Our research has shown that it has critical vulnerabilities that allow for man-in-the-middle (MITM) attacks, which can easily allow hackers to intercept communications between the user and the provider, and even redirect users to a hacker's malicious server instead of the real VPN server. Recently, Google confirmed to us that this vulnerability still exists. We disclosed the finding through the Google Play Security Reward Program (GPSRP) because we have been unable to contact SuperVPN's developer, SuperSoftTech. GPSRP allows security analysts to disclose vulnerabilities for apps with more than 100 million installs. On March 19, the Google team confirmed to us that the vulnerability was still present in the latest version of SuperVPN.

We worked with Google to contact SuperSoftTech so that they could address the issue and hopefully patch it. Unfortunately, this proved impossible, and on April 7, Google removed the SuperVPN app from Google Play. However, users with SuperVPN installed are currently still susceptible and should delete the app immediately.

SuperVPN's critical vulnerability affecting 100 million users

When you search for the "vpn" keyword in the Play store's search bar, you'll see SuperVPN in the top 5 results. According to Google Play, the app has been downloaded at least 100 million times. In January 2019, it had only 50 million installs. Just for comparison, SuperVPN currently has roughly the same number of installs as Tinder and AliExpress. If you can imagine all the people you know who have Tinder, that's roughly the same number of people who have SuperVPN installed on their phone.

When we analyzed the app, we discovered that SuperVPN connects with multiple hosts. On one of these hosts, we discovered that a package (payload) was being sent from the app via unsecured HTTP. This payload held encrypted and encoded data, and the backend infrastructure then responded with a similar payload. After more digging, we found that the payload actually contained the key needed to decrypt the information. After decrypting and decoding this data, we found it contained sensitive server information, its certificates, and the credentials that the VPN server needs for authentication. Once we had this information, we replaced the real SuperVPN server data with our own server data.

In testing SuperVPN, we discovered the following:

Connections using plain HTTP aren't forbidden: HTTP traffic is unencrypted, so anyone sniffing will be able to read your communications. Sending sensitive data over HTTP is highly insecure, and this should be forbidden by the app developer.

The payload is obfuscated: this is the good news, since the information that's transferred between the user's app and the backend is encrypted. Note, however, that because the payload carries its own decryption key, that encryption protects nothing against anyone who can read the HTTP traffic.
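As an added illustration of the "plain HTTP should be forbidden by the app developer" point, this is the Android network security configuration that enforces it at the platform level. It is an example written for this page, not SuperVPN's or SuperSoftTech's own configuration, and the backend host name and pin values are placeholders.

```xml
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml with
     android:networkSecurityConfig="@xml/network_security_config" on <application>.
     Added example, not the app's own configuration; host name and pins are placeholders. -->

<!-- Weak setting: cleartext (plain HTTP) permitted for every host, which matches what the
     research above observed. This is also the platform default for apps targeting API 27
     and below, so an app that never sets a policy gets it implicitly.
<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
</network-security-config>
-->

<!-- Corrected setting: every connection must use TLS. Components that consult the platform
     policy (HttpURLConnection, WebView, and libraries that check NetworkSecurityPolicy)
     refuse plain HTTP outright, so a payload like the one described above could not be
     sent or received in the clear. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the system CA store, not user-installed CAs, so a root added to
                 the device cannot be used to intercept the app's backend traffic. -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Optionally pin the backend that hands out VPN server credentials, so a valid but
         attacker-controlled certificate for that name is rejected. Values are PLACEHOLDERS:
         each pin is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo, and a backup
         pin is included so a key rotation does not lock out every installed client. -->
    <domain-config>
        <domain includeSubdomains="true">backend.example.com</domain>
        <pin-set expiration="2026-01-01">
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH_PRIMARY=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH_BACKUP=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

This policy addresses the transport finding only; the second finding, a decryption key shipped inside the payload it protects, has to be fixed in the protocol design, since no transport setting makes a self-keyed payload confidential.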
