Android versions 4.3 and 4.4 have been found to contain a critical flaw in the implementation of the VPN service, which could allow hackers to transmit data transferred within the network to third-party servers.
According to the latest security advisory from Computer Emergency Response Team of India (CERT-In), the flaw which is present in Jelly Bean and KitKat flavours of the Android operating system could allow hackers to bypass security configurations of a VPN and transmit the data shared within the network to a third-party server.
The advisory also mentions that unencrypted communication within such networks can be intercepted by hackers, effectively defeating the purpose of using a VPN. Israeli security researchers were the first to find the vulnerability while testing Samsungs KNOX enterprise security suite for Android on the Galaxy S4, but later found that it was present on all devices running the mentioned Android versions.
Samsung had provided a statement with regards to the revelation saying, "Android development practices encourage (apps to use) SSL/TLS. Where thats not possible Android provides built-in VPN. Use of SSL/TLS would have prevented an attack based on a user-installed local application, (which exploited VPN flaw)." However, as the users themselves cannot guarantee whether apps are using sufficient security measures, it would be wise to install trusted apps and exercise caution till Google releases a fix in the near future.
Source: Times of India | Image via PocketNow