Great news! Recently one application [CyberGhost VPN] we talked earlier got a major update. New version 6.0 released for devices running iOS 9+, old version 5.1.0 supported iOS 8.2 or later. Developers made many visible changes at least. They added four different tabs describing your needs:

--WiFi PROTECTION --SURF ANONYMOUSLY --SECURED STREAMING --SAVE MONEY

Also, you can remove your old application profiles now, because this app has an internal feature to manage iOS configuration to add profiles. You don't need any download it semi-automatic and install it marking as a trusted profile. Below you can see 2 profiles in the settings section, where CyberGhost VPN - L2TP "Romania" is old profile

When we was examining it today, we expect to found security improvements, however have to spoiler nothing new. Did we mentioned above you don't need to download application profile anymore? Well, yes, it's true, but we hope you understand that your profile doesn't magically appear on your device. It means, the profile downloads automatically and still can be substituted in traffic. Like it was before this update released, when application starts it sends your credentials over internet to validate your license. It's bad in a way developers doing it. Each time you start your app first or after major update (when your credentials wiped), you have a trial credentials to perform a test. We still have no idea why developers don't let their application validate the customer license via trial account and use it to each time when you want to reconnect. Also, we found only new items protected in the same way as whole application. These data types are application configs (your application settings) stored locally and transferred to analytics server. Every data types mentioned here have a 4 system DIT points and 6 system DAR points and 0 in case of own protection neither DIT nor DAR.

Rest of information is completely same as we published earlier, so we just duplicate it below once again.

First time you run this app, you will have to assign your license information. After you authorized as a valid customer, you need to download configuration file known as profile (iOS - profile) that stores information for VPN mechanism implemented by Apple into your mobile devices iPhone & iPad. Same happens each time you need to change this profile. Why you may need to change this profile? If you want to choose another specific server located in specific country or just any server in specific country you will have to download this profile again. Here we go. Despite of protection you granted from developers, you still can't be assure that you data is not leaked for eavesdroppers. Is it typical vulnerability? No, you might have to do something to let it happens, particularly you need to have a fake SSL certificate stored on your device. However, there're many way how this certificate can be installed on your device, including the case when you approve by yourself and when trusted certificate already pre-installed on your device was stolen by hackers and can't be trusted anymore. Also, you data can be leaked from your jailbroken device and your backups from PC/Mac. All these cases are based on software freely available over internet for free or funny prices $100-5000. Eventually, there're many hidden techniques aren't available for public we didn't know even that could be silently applied to your device offline or while you're connected to the network to get your data. Also, it's important to know if developers implemented only vendor mechanisms offered by Apple or did something own. Pay attention to paragraph above, now you don't need to install certificate manually, applications does it automatically but nothing else was changed. First pic includes info about data items combined into groups and best protected items found.

Second pic includes info about data items separately from group and worst protected items found.

You can see the average values isn't high enough. Talking about data mentioned on the screenshots in terms of explanations given above, this application doesn't provide customers with own protection mechanisms neither for locally stored or transferred data we mentioned above. The average protection level for locally stored data (DAR) equals 6 that means developer implemented only mechanisms offered by Apple if it requires. In this case, all data stored in sandbox and this is good protection, because it means your data can be extracted from backups according to wide available tools. However, as we mentioned above, if you have jailbroken iOS device it decreases level down to 0. Also, keep in mind there're lot of non-public solutions how to get your data. The average protection level for transferred data (DIT) equals 4 that means developer didn't pay enough attention to protect your data from eavesdroppers and fake certificates. It's usual case for many developers but here it's really important to protection the initial connection & re-connection on profile changing any time it happens. Why is it? If anyone stole you tokens & app password or license data (these data stored and transferred without much protection) the most funny and simplest attack is removing all linked devices in your account that prevents you from connection to VPN servers (in other words, you get errors instead of protection). Since your profiles downloaded automatically we added protection points for this, because now your profile protected (while downloading) with additional developer protection , not only by browser protecting as it was in previous build.

Good news, no worst protected data type were found; bad news, no best protected data types were found in terms of protection. Finally, keep in mind, that the latest app version and build was examined on the last iOS and if you use older iOS version < 9 you might have found that app doesn't secure enough and data might be accessed without actions from you side (= the average level for transferred data would be equal 2). Also, older iOS versions < 8.3 don't provide enough protection for app data locally stored to allow access app data (except system like keychain) without jailbreak access.

#CyberGhostVPN #iOS #AppStore #privacymeter #privacymeteronline #leakage #appdata