The OpenVPN Android app from Private Internet Access has now been brought into line with its excellent desktop clients, offering most of the features found in their proprietary Windows and OS X software. Missing are IPv6 protection (probably because IPv6 is poorly supported by carriers and many Android devices) and DNS leak protection, but everything else is present and correct.
The app now sports various port connection and forwarding options, and an internet kill switch which we love (particularly when used in combination with the excellent uTorrent for Android app!)
This is the symmetric cipher algorithm used to encrypt and decrypt all data. Private Internet Access utilizes perfect forward secrecy (PFS) with ephemeral (i.e. temporary) shared key exchange for maximum security.
Previously PIA used 128-bit Blowfish encryption, but AES-128 is faster, so while Blowfish is still available as an option, there is little point in choosing it. For more security (but with a slight speed hit), you can opt for AES-256.
Interestingly, there is also the option of choosing no encryption. This provides maximum performance, and still hides your IP address (in much the same way that a SOCKS proxy does).
Data authentication helps to protect you against active man-in-the-middle attacks by ensuring the integrity and authentication of sent data. SHA-1 (Secure Hash Algorithm-1) produces a 160-bit hash value, which is probably more than sufficient for most purposes, although flaws have been found in it.
SHA-256 fixes these mathematical weaknesses and is considered to be a strong cryptographic hash function, but it is a somewhat odd choice on PIA’s part, as the SHA-2 set of standards (of which SHA-256 is a part) was designed by the NSA!
Users not concerned about active attacks can safely turn off Data Authentication altogether.
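To make concrete what "Data Authentication" buys you, here is an added example (not PIA's code, and not the OpenVPN implementation) of the encrypt-then-MAC check that an HMAC-SHA1 or HMAC-SHA256 setting performs on each data packet. The ciphertext and HMAC key are constructed stand-in byte strings, not real session data; the point is that a packet modified in transit is rejected when a tag is present and accepted silently when authentication is set to None.

```python
import hmac
import hashlib
from typing import Optional

# Constructed stand-ins: in a real session the ciphertext comes from the chosen
# AES cipher and the HMAC key is derived during the handshake.
SAMPLE_CIPHERTEXT = bytes.fromhex(
    "9f1c3a7b2e4d5c6f8a0b1c2d3e4f5061728394a5b6c7d8e9fa0b1c2d3e4f5a6b"
)
HMAC_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef0123456789abcdef")

# Tag lengths: SHA-1 yields a 160-bit tag, SHA-256 a 256-bit tag.
HASHES = {"SHA1": (hashlib.sha1, 20), "SHA256": (hashlib.sha256, 32)}


def protect(ciphertext: bytes, key: bytes, auth: str) -> bytes:
    """Sender side: append an HMAC tag over the ciphertext (encrypt-then-MAC)."""
    if auth == "None":
        return ciphertext  # no tag at all, so the receiver has nothing to check
    digestmod, _ = HASHES[auth]
    tag = hmac.new(key, ciphertext, digestmod).digest()
    return ciphertext + tag


def verify(packet: bytes, key: bytes, auth: str) -> Optional[bytes]:
    """Receiver side: return the ciphertext if the tag checks out, else None."""
    if auth == "None":
        return packet  # accepted unconditionally, modifications pass through
    digestmod, tag_len = HASHES[auth]
    if len(packet) <= tag_len:
        return None
    body, tag = packet[:-tag_len], packet[-tag_len:]
    expected = hmac.new(key, body, digestmod).digest()
    # Constant-time comparison so the check does not leak tag bytes via timing.
    if not hmac.compare_digest(tag, expected):
        return None
    return body


def flip_bit(packet: bytes, index: int) -> bytes:
    """Simulate an active attacker altering one bit of a packet in transit."""
    mutable = bytearray(packet)
    mutable[index] ^= 0x01
    return bytes(mutable)


def tamper_detected(auth: str) -> bool:
    """True if a one-bit modification of the packet is rejected by the receiver."""
    packet = protect(SAMPLE_CIPHERTEXT, HMAC_KEY, auth)
    modified = flip_bit(packet, 0)
    return verify(modified, HMAC_KEY, auth) is None


if __name__ == "__main__":
    for setting in ("SHA1", "SHA256", "None"):
        print(f"{setting:7s} tampering detected: {tamper_detected(setting)}")
```

With authentication set to None the altered packet is handed to the decryption step as if nothing had happened, which is exactly the window an active attacker on the path would use; with SHA1 or SHA256 the same packet is dropped before decryption.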
This is the encryption used during the process of negotiation, and verifies that you are connecting to a genuine PIA server. Here you have the choice between RSA Ephemeral Diffie-Hellman exchange (RSA-2048, RSA-3072 and RSA-4096) and ECC (ECC-256k1, ECC-256r1 and ECC-521) Ephemeral Elliptic curve Diffie-Hellman exchange.
Which type of exchange you should choose is not an easy question to answer, as it is known that RSA-1024 has been cracked (back in 2010) and it is entirely possible that the NSA can crack stronger versions of it, which is why PIA offers ECC (Elliptic Curve Cryptography) instead. However, evidence points to this being backdoored by the NSA, so you pays your money and you takes your chances…
As PIA CEO Andrew Lee told TorrentFreak when it introduced the changes into its desktop client in September,
‘To be honest, at this point after the NSA revelations, we do not know exactly who has exactly what capability. In a crazy scenario, it could be possible that RSA is completely broken and ECC is the only viable option. Of course, we do not believe this, but again, we want to give people the choice.’
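The handshake settings above all describe an ephemeral key exchange, and the "perfect forward secrecy" mentioned earlier follows from the keys being thrown away after each session. The following added example (written for this review, not PIA's or OpenVPN's code) shows the mechanism with a toy finite-field Diffie-Hellman over a 127-bit Mersenne prime; the prime, generator and key derivation are constructed for illustration and are far too small for real use, and the step where the server signs its ephemeral value with its RSA or ECC certificate (which is what lets you verify you are talking to a genuine PIA server) is left out.

```python
import secrets
import hashlib

# Toy parameters (constructed for illustration only; real deployments use
# 2048-bit and larger groups or the elliptic curves listed in the app).
P = 2**127 - 1  # a Mersenne prime, small enough to keep the example readable
G = 5           # generator for the toy group


def ephemeral_keypair():
    """Fresh private exponent and public value for one session only."""
    private = secrets.randbelow(P - 3) + 2          # in [2, P-2]
    public = pow(G, private, P)
    return private, public


def shared_secret(own_private: int, peer_public: int) -> int:
    """Both sides compute G^(a*b) mod P from their own private and the peer's public value."""
    return pow(peer_public, own_private, P)


def session_key(own_private: int, peer_public: int) -> bytes:
    """Hash the shared secret into a fixed-size symmetric key (toy KDF)."""
    secret = shared_secret(own_private, peer_public)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def run_session() -> bytes:
    """One client/server exchange: both sides end up with the same 32-byte key."""
    client_priv, client_pub = ephemeral_keypair()
    server_priv, server_pub = ephemeral_keypair()
    # Only the public values cross the wire; the private exponents never do.
    client_key = session_key(client_priv, server_pub)
    server_key = session_key(server_priv, client_pub)
    assert client_key == server_key
    # Private exponents go out of scope here, which is what makes the
    # exchange "ephemeral": a later compromise of either party cannot
    # recover this session's key from recorded traffic.
    return client_key


def forward_secrecy_demo(sessions: int = 3) -> list:
    """Run several sessions; each yields an independent key."""
    return [run_session() for _ in range(sessions)]


if __name__ == "__main__":
    for i, key in enumerate(forward_secrecy_demo(), 1):
        print(f"session {i}: {key.hex()}")
```

The defensive point is the contrast with a static RSA key exchange: there, one long-term private key unlocks every recorded session, whereas here every session needs its own discarded exponent. Without the signature step omitted above, an attacker in the middle could run this exchange separately with each side, which is why the handshake is tied to the server's certificate.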
We have gone into some detail here about what the different settings mean, but you don’t really need to know anything about encryption to improve your security – you just have to implement PIA’s recommended settings:
- Recommended – AES-128 / SHA1 / RSA-2048
- All Speed No Safety – None / None / ECC-256k1
- Maximum Protection – AES-256 / SHA256 / RSA-4096
- Risky Business – AES-128 / None / RSA-2048
The obvious question is how much these settings affect your connection speeds in practice, so we ran some tests to find out. We connected using our 20 meg UK broadband to PIA’s servers in the Netherlands, as this seemed a good ‘typical use’ scenario.
The results are more or less as we might expect, except that ‘Maximum Protection’ produced better download speeds than ‘Recommended’ (but ping times were much worse). We would probably agree with PIA and go with its Recommended settings for the best performance / protection balance, although it is clear that if you are of a paranoid disposition then you will not lose much by going the whole hog and turning encryption up to the max.
With port forwarding, an internet kill switch, and advanced encryption options, the Private Internet Access app is the most sophisticated VPN software available for Android (or any mobile platform) that we are aware of. We still worry about PIA’s vulnerability to NSA interference thanks to it being a US-based company, and would like to see a move away from NIST-certified ciphers altogether (using, for example, Camellia), but we are nevertheless impressed.