Security researchers take a look at Google’s VPN by Google One app

Google has asked security researchers at NCC Group to conduct a security assessment of its new Google One VPN, and the results have now been released.

Security ratings like these can serve as a useful tool in understanding the relative security of the many different VPN services on the market.

The Google One VPN apps for Android and iOS, as well as the new Windows and macOS VPN apps, stood up well to a source code security review by the NCC Group, although the company found 24 issues of varying importance, some of which have now been fixed.

Among the 24 issues found, the most notable was that the Windows Google One VPN app needed to run with administrator privileges: Google fixed this so it runs with user privileges.


Google’s VPN doesn’t allow users to select an IP address from different regions to bypass geo-restrictions. However, it aims to protect a user’s internet traffic from ISPs when using a public hotspot. It masks a user’s IP address by passing it through a Google-powered VPN tunnel. Last month, Google launched the Google One VPN apps for macOS and Windows. The VPN service is available as part of the $10 monthly plan with 2TB of online storage.

The NCC Group evaluated Google One’s VPN apps and services in the context of the security and privacy objectives outlined in Google’s white paper, such as “Activity” and “A Google-class VPN that offers added security and privacy for online connectivity without undue performance degradation.”

The NCC Group also reviewed the product’s security design and architecture, as well as the VPN library code.

The company concluded that the design of Google’s VPN service allows it to “implement user authentication and authorization for the service in a way that isolates the user’s Google identity from the VPN session network flows.” It added: “Using blind cryptographic signing during authorization is the traffic anonymization strategy that protects the user’s identity from a direct connection with the VPN session token.”
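The blind-signing idea described in the passage above, shown as an added worked example rather than code from Google or the NCC Group: a textbook Chaum RSA blind signature in Python. The authorization server signs a value it cannot see, the client removes the blinding factor, and the VPN front end verifies the result without any value that its logs could match against the authorization server's logs. The toy key size, the 32-byte random token, the hash-to-integer step and all function names are assumptions for illustration, not details of Google's protocol.

```python
"""Chaum-style RSA blind signature: the signer authorizes a token without
learning which token it signed, so the token cannot later be linked by value
to the account that requested it.  Added illustration, not Google's code."""
from __future__ import annotations

import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the "authorization server".  Tiny primes so the
# example runs instantly; real deployments use 2048-bit+ keys, a proper
# padding scheme and a hash-to-group step designed for blind signatures.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def hash_to_int(token: bytes) -> int:
    """Map a token to an integer in [1, N): the value that actually gets signed."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % (N - 1) + 1


def blind(token: bytes) -> tuple[int, int]:
    """Client side: pick a random blinding factor r coprime to N and return
    (blinded value, r).  The server only ever sees the blinded value."""
    m = hash_to_int(token)
    while True:
        r = secrets.randbelow(N - 2) + 2  # r in [2, N-1]
        if gcd(r, N) == 1:
            break
    return (m * pow(r, E, N)) % N, r


def sign_blinded(blinded: int) -> int:
    """Server side (runs under the user's Google identity): sign whatever is
    presented.  It sees m * r^e mod N, which reveals nothing about m."""
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """Client side: (m * r^e)^d = m^d * r (mod N), so multiplying by r^-1
    leaves m^d, an ordinary RSA signature on m."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(token: bytes, sig: int) -> bool:
    """VPN front end: accept the token if the signature checks out.  It learns
    only that the authorization server approved it, not for whom."""
    return pow(sig, E, N) == hash_to_int(token)


def issue_token() -> tuple[bytes, int]:
    """Whole flow as the client drives it: mint, blind, get signed, unblind."""
    token = secrets.token_bytes(32)  # constructed session token
    blinded, r = blind(token)
    return token, unblind(sign_blinded(blinded), r)


def signer_saw_token_value(token: bytes) -> bool:
    """Unlinkability check: the value the signer saw never equals the value
    the VPN later verifies (r >= 2 guarantees r^e != 1 mod N here)."""
    blinded, _ = blind(token)
    return blinded == hash_to_int(token)


if __name__ == "__main__":
    tok, sig = issue_token()
    print("signature verifies:", verify(tok, sig))
    print("signer could match token by value:", signer_saw_token_value(tok))
```

The property this demonstrates is narrow: the signer cannot link the token to the identity by the values it handled. As the article goes on to note, that says nothing about what a modified client or network-level correlation of source IPs and connection times could reveal, which is exactly where the NCC Group's caveats apply.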

However, the NCC Group – which in its analysis treated Google as a potential adversary in a privileged position – identified “several techniques that could be deployed to compromise user anonymity should Google decide to, or be forced to, actively violate its claims.”

For example, Google could manipulate the client apps to change the authentication and authorization flow. Google could also correlate a device’s source IP and connection times to establish a link between identity and tunneled VPN traffic. However, it noted that neither technique was considered part of the product strategy or implementation.


NCC Group also found two medium-risk issues with the login process for the Windows and macOS apps that could allow local malware to deny availability or obtain OAuth tokens after a successful login.

A minor flaw in the iOS app was that Google had disabled Apple’s App Transport Security feature, which enforces secure connections over the internet. Google also fixed an issue in the iOS app where the app leaked the user’s GAIA ID into log files.

Also, the Android, Windows, and macOS apps lacked certificate pinning, which restricts an app’s secure connections to a specific set of certificates rather than any certificate a trusted CA issues. NCC believes it makes sense to implement certificate pinning to mitigate the risk of traffic interception if a CA is compromised.

The NCC Group reviewed the Google One Android VPN app last year and found one high-severity bug, four medium-severity bugs, and six low-severity bugs.