Is Snap VPN leaking your personal information?
How I discovered the leak caused by Snap VPN.
It was a rainy Tuesday night when I suddenly saw a POST request over HTTP containing my personal e-mail address, mobile phone number, MAC address, IMEI and IMSI flying over my network. And yes, Snap VPN was the cause of it.
The application
First off, what is Snap VPN? Snap VPN is a free Android application with more than 10 million downloads that gives you the ability to tunnel your internet traffic, encrypted, to different servers all over the world. Most people use VPN services in order to protect themselves or to bypass firewalls. It is therefore important that a VPN service keeps your identity hidden.
The discovery
I love experimenting with new tools. I recently discovered Bettercap (awesome tool btw) and decided to try it out. I was just scanning my own network without any extra options.
bettercap -L -I wlan1
A few minutes into scanning I saw the POST request over HTTP I talked about earlier; the picture is below.

I was really upset because it contained a lot of very sensitive information. Not only were my e-mail address and mobile phone number sent, but also technically identifying information like the MAC address, IMEI and IMSI of my device.
When I looked at the data I quickly noticed the app_package_name and was able to determine the application that sent the data. So I picked up my phone, and the first thing I saw was a notification from Snap VPN that occurred at the exact same time as the POST request that was sent. When I opened the application, another identical request was sent to a different server. So a request gets sent both upon getting a notification and upon opening the application. I kept repeating the same steps and kept seeing the same request being sent to random servers. That's when I knew that Snap VPN was sending this data.
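An added example, not part of the original post and not Snap VPN's code: a small Python check that takes a captured cleartext HTTP POST and flags identifiers by the shape of their values, using the Luhn checksum to tell an IMEI from an IMSI-like number. It assumes a form-encoded body; only app_package_name comes from the post, and the host, path, other field names and all values are constructed.

```python
import re
from urllib.parse import parse_qsl

# Constructed capture: a cleartext HTTP POST as a sniffer would log it.
# Only app_package_name comes from the article; host, path, the other
# field names and every value are made up for this example.
SAMPLE_REQUEST = (
    "POST /collect HTTP/1.1\r\n"
    "Host: stats.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "app_package_name=com.example.vpn&email=user%40example.com"
    "&mac=02%3A00%3A00%3A00%3A00%3A01&imei=490154203237518"
    "&imsi=001010123456789&ts=1500000000"
)

EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
MAC = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")
DIGITS15 = re.compile(r"\d{15}")

def luhn_ok(number):
    """Luhn checksum, which every valid IMEI satisfies."""
    digits = [int(c) for c in reversed(number)]
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0

def classify(value):
    """Judge a value by its shape, not by the field name it was sent under."""
    if EMAIL.fullmatch(value):
        return "email"
    if MAC.fullmatch(value):
        return "mac"
    if DIGITS15.fullmatch(value):
        return "imei" if luhn_ok(value) else "imsi-like"
    return None

def find_identifiers(raw_request):
    """Return (field, kind) pairs for identifiers in a form-encoded POST body."""
    head, _, body = raw_request.partition("\r\n\r\n")
    if not head.upper().startswith("POST "):
        return []
    fields = parse_qsl(body, keep_blank_values=True)
    return [(f, classify(v)) for f, v in fields if classify(v)]

if __name__ == "__main__":
    for field, kind in find_identifiers(SAMPLE_REQUEST):
        print(f"cleartext {kind} in field {field!r}")
```

Phone numbers are left out on purpose: a bare digit string is too ambiguous (the constructed `ts` field shows one that must not be flagged).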
Quickly after I discovered this I got in touch with x0rz. I’ve been following him on Twitter for quite a while now because of his interesting research and tweets that keep me up to date, be sure to check him out! I did not know for sure whether what I just discovered was something worth sharing. That's why I got in contact with him, since he has much more experience in infosec than me. After I shared my story with x0rz and discussed the matter, he tweeted my discovery to his network in order to raise attention for this problem.
Conclusion
So in short, Snap VPN is sending critical identifying information unencrypted over the network just before you want to connect to the network to avoid just that! Anyone on a public Wi-Fi network could sniff that request, which is ironic because you probably only use the application on public Wi-Fi networks. The funny thing is, that's not even the worst thing. Why do they even need this information? They are violating the privacy of the users by structurally collecting unnecessary identifying information, while they claim to be ‘secure’ and keep you ‘anonymous’. I searched on their website and in the privacy policy of the application but could not find any explanation for the data collection. Besides that, I also tried to contact the company behind the application about this matter but got no response. I already deleted the application, maybe you should too.
