[guardian-dev] vuln: malicious Android apps can bypass active VPN configuration

Pranesh Prakash pranesh at cis-india.org
Sun Jan 19 16:38:35 EST 2014

Nathan of Guardian <nathan at guardianproject.info> [2014-01-19 15:26:54 -0500]:
> On 01/19/2014 03:05 PM, Pranesh Prakash wrote:
> > Nathan of Guardian <nathan at guardianproject.info> [2014-01-18
> > 14:25:53 -0500]:
> >>> Also that whole feature is broken in 4.4!
> > How is that?  I'm on 4.4.2 and am using "OpenVPN for Android"
> > (which uses the Android 4.0+'s VPNService API), and it seems to be
> > working fine.  Is there any reason to prefer OpenVPN Settings?
> Just referring to this issue. Perhaps it is solved on 4.4.2 now?
> https://code.google.com/p/android/issues/detail?id=62714

According to BlueVPN's Google Play page[1], this hasn't been solved in 4.4.2.

However, most of the complaints on that bug seem to be about BlueVPN.  The majority of OpenVPN for Android's users seem not to have any issues[2] and I'm guessing at least some of them are running 4.4.x (though there is one complaint about it not working since the "Android upgrade").  And just by the by, both OpenVPN for Android and OpenVPN Settings are FOSS, and both are available from FDroid.

I've tested it only with RiseUp's VPN service.

 [1]: https://play.google.com/store/apps/details?id=com.bluexvpn
 [2]: https://play.google.com/store/apps/details?id=de.blinkt.openvpn