FYI: Official NordVPN Android app transmits personal data to third parties

[OpenSourcerer 1432]

A german IT security blogger recently discovered that NordVPN's official android app transmits personally identifiable information to NordVPN and a few third parties.

 

The checked version of their app is v3.9.8 which seems a few versions behind the current branch but still fairly recent.

The blogger discovered that a user's Google mail address along with the advertising ID and a bit of other info are sent to Iterable, AppsFlyer and Tune along with some Google services like Analytics - all seemingly without the user's consent and even without mentioning it in the app's ToS.

 

Of course customer support has been asked as well. Their answer was not satisfactory:

 

Hello there! We use these tools to monitor aggregated data to improve UI/UX and determine the efficiency of our marketing campaigns. They are not related to the user’s activity when using our VPN service. In case you have further questions, do not hesitate to drop us a DM!

 

Everyone interested in some of the HTTP POSTs discovered can look at them in the article linked above. The article itself is German-language, but it doesn't contain more info than this, only a bit of the writer's opinion which I share: It's very questionable that a "no-log" or even "privacy-centered" VPN provider like NordVPN is bold enough to state "marketing reasons" as their justification to track users of their Android app. Even worse that this tracking is performed by third parties who will most likely use this data in cross-referencing...

 

Try to avoid NordVPN. Searching for "NordVPN" in this forum alone will yield more than enough reason. One in three newly created threads is about them.

[LZ1 671]

Hello!

 

That's certainly interesting. Thank you for taking the time to post it here and making it available in English .

 

I completely agree that the choice of justification is very poor in this regard.

 

Moved topic to the proper forum.

[Staff 9950]

Hello,

 

we wish and we need to distance ourselves from such a behavior which can even imply a criminal infringement in the EU.

 

Events like the one discovered by Mike Kuketz may cast a general climate of distrust in a delicate sector which needs first and foremost customers' confidence.

 

Nowadays VPN "market" is polluted by shady services. Sometimes you can't even know the owners or the running company behind a service.  We are confident that fiscal, legal and technical transparency of AirVPN, as well as high standards both on consumers' protection and privacy fields since the end of 2010, will allow our customers and  non-customers to discern honest professionals from anybody and anything else.

 

We have always and only released free and open source software for public scrutiny and we have always supported a variety of privacy enhancing services in fundamental ways. For example, today we contribute to run about 7% of all the existing Tor exit nodes in the world. https://airvpn.org/mission

 

Kind regards

AirVPN Staff

[JSD 6]

Hello,

 

it might be interesting for you that Mr. Kuketz had a look at some other Android Apps from some VPN services. He found some trackers there, too, In one case (Avast SecureLine VPN) he says he found 14 trackers:

 

 

• AppsFlyer

• Facebook Ads

• Facebook Analytics

• Facebook Login

• Facebook Places

• Facebook Share

• Google Ads

• Google Analytics

• Google CrashLytics

• Google DoubleClick

• Google Firebase Analytics

• Inmobi

• Moat

• Twitter MoPub

 

Immediately after the start, Avast SeureLine vPN's app is contacting Facebook, according to Mr. Kuketz, and is sending some information including a Google advertising ID, the type of the device and the display resolution among other information.

 

At least, Avast mentions all the third parties contactd by the app in its Privacy Policy. However, according to Mr. Kuketz, this was not true in many other cases: He said there were no hints that the app would send some information to multiple third parties.

 

In some cases, Kuketz said he could not find out which pieces of information were sent, because they were encrypted.

 

Below are the relevant links. (Regrettably, it seems that Mr. Kuketz’ findings have only been published in German so far, but you may get an impression with the help of a good translation program).

 

https://www.kuketz-blog.de/cyberghost-vpn-android-app-verseucht-mit-trackern/

 

https://www.kuketz-blog.de/vyprvpn-no-logging-versprechen-wertlos/

 

https://www.kuketz-blog.de/avast-secureline-vpn-14-tracker-in-einer-app/

 

https://www.kuketz-blog.de/avg-secure-vpn-weitere-vpn-app-mit-haufenweise-trackern/

 

 

This state of affairs is really disquieting.

[OpenSourcerer 1432]

It would be more interesting to have insights into the apps of all the providers who regularly place themselves on the no-log VPN provider list of TorrentFreak for example. I only recognize VyprVPN, the rest are more or less known for it.

 

Nevertheless, it seems we've found a silver mine of information on it. Let's see what he digs up next and consider donating a small amount of money for his work.

 

Sent via Tapatalk.