Counter Spyware Solutions by Numbers Station

The number of man-in-the-middle (MitM) attacks our users are seeing when using VPN providers is concerning. In our iOS security app for individual users, there is a free man-in-the-middle MitM attack check for a number of popular domains. We routinely receive emails to our support team about MitM warnings users are seeing in the app. Some are explained by expected behaviour such as public WiFi access points redirecting to a login page, and once logged in, the warning disappears. For other ones though, when we write back explaining they should try disabling their VPN, run the test again and see what happens, sure enough, every time it only happens when the VPN is enabled. Even more concerning, often the warning the user is seeing is only for https://t.co/ZXvzqdSmez, the other test domains all come back as clean, so not a glitch but a very specific focus on a high value domain. This of course does not impact the Gmail mobile app (except as a denial of service), since it is certificate pinned, but would impact web access to Gmail. It might not be the VPN provider themselves, could be someone upstream from them doing it too. In a future release of the app the UI is going to bring up a share results option if a MitM is detected *AND* a VPN is enabled which will allow the user to select their email app and email us quickly the results. This way we can get better coverage of how often this is happening. The email would contain the test domain(s) impacted, the public IP of the VPN provider’s exit node and info on which certificates were presented for the failed connection. From there we can figure out the VPN provider and see if only specific exit nodes of the provider are impacted or all of them. Right now the results do not leave the app so we only know when someone takes the time to collect all of that and email us. Using email still so the user is able to see everything that is shared before hitting send.