Google asked security researchers at NCC Group to conduct a security assessment of its new VPN by Google One, and the results have now been published.
Security assessments like these are a useful tool when trying to understand the relative security of the many different VPN services on the market.
The Google One VPN apps for Android and iOS and its new Windows and macOS VPN apps stood up well to a security source code review by NCC Group, but although the firm did find 24 issues of varying degrees of importance, some of which have now been fixed.
Among the 24 issues found, the most notable was that the Windows Google One VPN app was required to execute with admin privileges: Google has addressed this so that it is executed with user privileges.
Google’s VPN doesn’t let users select an IP address from different regions to bypass geo-blocking. It does however aim to protect a user’s internet traffic from ISPs and when using a public hotspot. It masks their IP address by routing it through a Google-operated VPN tunnel. Last month Google launched the Google One VPN apps for macOS and Windows. The VPN service is available as part of the $10 a month plan with 2TB of online storage.
NCC Group assessed the Google One VPN apps and service in the context of the security and privacy goals detailed in Google’s whitepaper, such as: “With VPN by Google One, we will never use the VPN connection to track, log, or sell your online activity”; and “A Google-grade VPN that provides additional security and privacy to online connectivity without undue performance sacrifices.”
NCC Group also reviewed the security design and architecture of the product and the VPN library’s code.
The company concluded that the design of Google’s VPN service allows it “implement user authentication and authorization for the service in a way that isolates the user’s Google identity from the VPN session network flows.” It added: “The use of cryptographic blind signing during authorization is the traffic anonymization strategy, protecting user’s identity from direct association with the VPN session token.”
However, NCC Group — which treated Google as a potential adversary in a privileged position in its analysis — did identify “several techniques that could be employed to compromise user anonymity should Google choose or be compelled to actively violate its claims”.
Google could, for example manipulate the client apps to modify the authentication and authorization flow. Google could also correlate a device’s source IP and connection times to establish a connection between an identity and tunneled VPN traffic. However, it noted that it didn’t observe any of the techniques to be part of the product’s strategy or implementation.
NCC Group also found two medium risk problems with the login process for the Windows and macOS apps, which could allow local malware deny availability or obtain OAuth token after a successful login.
A minor blemish on the iOS app was that Google disabled Apple’s App Transport Security feature for enforcing secure connections on the internet. Google also fixed an issue in the iOS app where the app’s storage leaks the GAIA ID in log files.
Also, the Android, Windows and macOS apps lacked certificate pinning, which restrict an app’s secure connection to particular certificates. NCC considers it worthwhile to implement certificate pinning to mitigate the risk of interception if the Certificate Authority is compromise.
NCC Group reviewed the Google One Android VPN app last year and found one high-severity flaw, four medium-severity flaws, and six low severity flaws.