Security researchers report VPN issue in Android 4.3
2014-03-21 | Comebuy News
Researchers at Ben Gurion University's Cyber Security Labs have discovered a bug in the implementation of virtual private networks (VPN) in Android 4.3. The vulnerability allows unencrypted traffic transmitted through an active VPN connection to be intercepted.
According to the researchers, a malicious app can bypass the VPN connection on Jelly Bean devices and redirect any communication to a different network address. In a video, they show how such an application intercepts the subject line of an e-mail although a VPN connection was established. The captured data is then available in plain text, even though it should actually be protected by the VPN tunnel, according to the researchers.
According to the blog entry, a malicious application does not even need root privileges to intercept the VPN traffic. The redirection takes place in the background and leaves the user believing that their data is "encrypted and secure".
At the end of December, the researchers reported a vulnerability in Samsung's security platform Knox. There, a malicious program was said to make it possible to read e-mails and record data communication despite encryption.
Last week, Google and Samsung denied the vulnerability. According to them, the researchers used a legitimate network feature of Android in an unintended way. Samsung also advised users to use the VPN capability built into Android for any unencrypted data communication.
By their own account, the researchers have informed Google of the flawed VPN implementation but have not yet received an answer. They also pointed out that the exploit works on Android 4.3 devices from different manufacturers. Traffic encrypted via SSL/TLS could also be intercepted, but not decrypted.
[with material from Liam Tung, ZDNet.com]