November 16th, 2018
A major security vulnerability has been found in Android's VPN implementation, affecting Android 4.3 Jelly Bean and the latest Android 4.4 KitKat (which affects approximately 62.5% of all Android devices). The issue allows hackers to bypass the active VPN configuration and redirect traffic to third-party servers, which can then capture it. Sensitive information such as emails, passwords, usernames or anything else being sent through the network can then be seen, the Computer Emergency Response Team of India (CERT-In) reports.
A VPN is used to create a private connection between computers over a public network. It is mainly used by organisations that want to create a secure connection from different devices, such as smartphones, tablets, laptops and desktop computers, to enterprise networks.
Usually the data sent through a VPN is encrypted, but the agency made the following statement:
"Still there is a possibility that attacker could possibly capture sensitive information from the affected device in plain text (non-encrypted data) like email addresses, IMEI number, SMSes, installed applications."
This is, of course, taking for granted that all the websites and Android applications you use have a secure connection; if only one of them fails, it could lead to a major leak of personal information. Apps that connect directly to the server using SSL will not be affected, and neither will websites using HTTPS.