An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps

Authors:
Muhammad Ikram

UNSW and Data61, CSIRO, Sydney, Australia

UNSW and Data61, CSIRO, Sydney, Australia
View Profile

,
Narseo Vallina-Rodriguez

ICSI, Berkeley, CA, USA

ICSI, Berkeley, CA, USA
View Profile

,
Suranga Seneviratne

Data61, CSIRO, Sydney, Australia

Data61, CSIRO, Sydney, Australia
View Profile

,
Mohamed Ali Kaafar

Data61, CSIRO, Sydney, Australia

Data61, CSIRO, Sydney, Australia
View Profile

,
Vern Paxson

ICSI and UC Berkeley, Berkeley, CA, USA

ICSI and UC Berkeley, Berkeley, CA, USA
View Profile

IMC '16: Proceedings of the 2016 Internet Measurement ConferenceNovember 2016Pages 349–364https://doi.org/10.1145/2987443.2987471

Published:14 November 2016Publication History

IMC '16: Proceedings of the 2016 Internet Measurement Conference

Pages 349–364

ABSTRACT

Millions of users worldwide resort to mobile VPN clients to either circumvent censorship or to access geo-blocked content, and more generally for privacy and security purposes. In practice, however, users have little if any guarantees about the corresponding security and privacy settings, and perhaps no practical knowledge about the entities accessing their mobile traffic.

In this paper we provide a first comprehensive analysis of 283 Android apps that use the Android VPN permission, which we extracted from a corpus of more than 1.4 million apps on the Google Play store. We perform a number of passive and active measurements designed to investigate a wide range of security and privacy features and to study the behavior of each VPN-based app. Our analysis includes investigation of possible malware presence, third-party library embedding, and traffic manipulation, as well as gauging user perception of the security and privacy of such apps. Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as use of insecure VPN tunneling protocols, as well as IPv6 and DNS traffic leakage. We also report on a number of apps actively performing TLS interception. Of particular concern are instances of apps that inject JavaScript programs for tracking, advertising, and for redirecting e-commerce traffic to external partners.

References

Alexa Top 500 Websites. http://www.alexa.com/topsites.Google Scholar
Android Permissions. http://developer.android.com/guide/topics/security/permissions.html.Google Scholar
Application Fundamentals. http://developer.android.com/guide/components/fundamentals.html.Google Scholar
Archie VPN. https://play.google.com/store/apps/details?id=com.lausny.archievpnfree.go.Google Scholar
Cisco AnyConnect. https://play.google.com/store/apps/details?id=com.cisco.anyconnect.vpn.android.avf.Google Scholar
CM Data Manager - Speed Test. https://play.google.com/store/apps/details?id=com.cmcm.flowmonitor.Google Scholar
CrossVpn. https://play.google.com/store/apps/details?id=com.goodyes.vpn.cn.Google Scholar
Cyberghost - free vpn & proxy. https://play.google.com/store/apps/details?id=de.mobileconcepts.cyberghost.Google Scholar
Dash Net Accelerated VPN . https://play.google.com/store/apps/details?id=com.actmobile.dashnet.Google Scholar
Dash VPN | Dash Office - Speed Test. http://dashoffice.com/dash-vpn/.Google Scholar
DNSet. https://play.google.com/store/apps/details?id=com.dnset.Google Scholar
DroidVPN - Android VPN. https://play.google.com/store/apps/details?id=com.aed.droidvpn.Google Scholar
Dr.Web Security Space. https://play.google.com/store/apps/details?id=com.drweb.pro.Google Scholar
EasyOvpn - Plugin for OpenVPN. https://play.google.com/store/apps/details?id=com.easyovpn.easyovpn.Google Scholar
EasyVpn. https://play.google.com/store/apps/details?id=yujia.easyvpn.Google Scholar
F-Secure Freedome Anti-Tracking Feature Explained. https://community.f-secure.com/t5/F-Secure/F-Secure-Freedome-Anti-Tracking/ta-p/52153.Google Scholar
Fast Secure Payment Service. https://play.google.com/store/apps/details?id=com.lausny.ocvpnaio.pay.Google Scholar
FlashVPN Free VPN Proxy. https://play.google.com/store/apps/details?id=net.flashsoft.flashvpn.activity.Google Scholar
Free VPN Proxy by Betternet. https://play.google.com/store/apps/details?id=com.freevpnintouch.Google Scholar
Good. Mobile Device Management (MDM). https://www1.good.com/secure-mobility-solution/mobile-device-management.html.Google Scholar
Google Play Unofficial Python API. https://github.com/egirault/googleplay-api.Google Scholar
HatVPN. https://play.google.com/store/apps/details?id=mobi.hatvpn.Google Scholar
HideMyAss! Pro VPN for Android. https://play.google.com/store/apps/details?id=com.hidemyass.hidemyassprovpn.Google Scholar
Hola Free VPN Proxy. https://play.google.com/store/apps/details?id=org.hola.Google Scholar
Hotspot Shield Advertising. http://www.anchorfree.com/advertise.php.Google Scholar
Hotspot Shield Free VPN Proxy. https://play.google.com/store/apps/details?id=hotspotshield.android.vpn.Google Scholar
ip-shield VPN. https://play.google.com/store/apps/details?id=com.ipshield.app.Google Scholar
Junos Pulse. https://play.google.com/store/apps/details?id=net.juniper.junos.pulse.android&hl=en.Google Scholar
Knox Standard SDK. https://seap.samsung.com/sdk/knox-standard-android.Google Scholar
Mobile Security & Antivirus. https://play.google.com/store/apps/details?id=com.trendmicro.tmmspersonal.Google Scholar
NEOPARD. http://https://play.google.com/store/apps/details?id=com.exalinks.neopard/.Google Scholar
Neopard Privacy Policy. http://neopard-mobile.com/en/about/privacy/.Google Scholar
NeoRouter VPN Mesh. https://play.google.com/store/apps/details?id=com.neorouter.androidmesh.Google Scholar
NoRoot Firewall. https://play.google.com/store/apps/details?id=app.greyshirts.firewall.Google Scholar
OkVpn. https://play.google.com/store/apps/details?id=yujia.okvpn.Google Scholar
One Click VPN. https://play.google.com/store/apps/details?id=com.lausny.ocvpn.Google Scholar
Open Gate. https://play.google.com/store/apps/details?id=com.btzsoft.vpnclient.Google Scholar
Orbot: Proxy with Tor. https://play.google.com/store/apps/details?id=org.torproject.android.Google Scholar
Packet Capture. https://play.google.com/store/apps/details?id=app.greyshirts.sslcapture.Google Scholar
pcap-parser (0.5.8). https://pypi.python.org/pypi/pcap-parser/0.5.8.Google Scholar
Private WiFi. https://play.google.com/store/apps/details?id=com.privatewifi.pwf.hybrid.Google Scholar
Qihoo 360. https://play.google.com/store/apps/details?id=com.qihoo360.mobilesafe.Google Scholar
Raccon APK Downloader. http://www.onyxbits.de/raccoon.Google Scholar
Rocket VPN - Internet Freedom. https://play.google.com/store/apps/details?id=com.liquidum.rocketvpn.Google Scholar
Samsung KNOX. Partnering with Samsung. https://www.samsungknox.com/en/partners.Google Scholar
Security with HTTPS and SSL. http://developer.android.com/training/articles/security-ssl.html.Google Scholar
Selendroid: Selenium for Android. http://www.selendroid.io.Google Scholar
sFly Network Booster, Adblocker. https://play.google.com/store/apps/details?id=com.cdnren.sfly.Google Scholar
Spamhaus PBL. http://www.spamhaus.org/pbl/.Google Scholar
Spotflux VPN. https://play.google.com/store/apps/details?id=com.spotflux.android.Google Scholar
StrongVPN OpenVPN Client. https://play.google.com/store/apps/details?id=com.strongvpn.Google Scholar
SuperVPN. https://play.google.com/store/apps/details?id=com.SuperVPN_Q0102_21.Google Scholar
SurfEasy Secure Android VPN. https://play.google.com/store/apps/details?id=com.surfeasy.Google Scholar
tigerVPN - Privacy Defender. https://play.google.com/store/apps/details?id=com.tigeratwork.tigervpn.Google Scholar
Tigervpns Free VPN and Proxy. https://play.google.com/store/apps/details?id=com.tigervpns.android.Google Scholar
TorGuard VPN. https://play.google.com/store/apps/details?id=net.torguard.openvpn.client.Google Scholar
VirusTotal. https://www.virustotal.com.Google Scholar
VPN Free. https://play.google.com/store/apps/details?id=com.couxin.GroxNetwork.Google Scholar
VPN Gate. https://play.google.com/store/apps/details?id=com.lausny.vpngate.Google Scholar
VPN Service Documentation. http://developer.android.com/reference/android/net/VpnService.html.Google Scholar
VPNSecure OpenVPN VPN Proxy. https://play.google.com/store/apps/details?id=com.vpnsecure.pty.ltd.Google Scholar
VPNGoogle Scholar
TORGoogle Scholar
Cloud VPN Globus Pro! https://play.google.com/store/apps/details?id=com.globus.vpn.Google Scholar
VyprVPN Free VPN for Privacy. https://play.google.com/store/apps/details?id=com.goldenfrog.vyprvpn.app.Google Scholar
WiFi Protector VPN. https://play.google.com/store/apps/details?id=com.wifiprotector.android.Google Scholar
M. Allman. Comments on bufferbloat. SIGCOMM CCR, 2013. Google ScholarDigital Library
Android developer documentation. KeyChain. https://developer.android.com/reference/android/security/KeyChain.html#createInstallIntent().Google Scholar
J. Appelbaum, M. Ray, I. Finder, and K. Koscher. vpwns: Virtual Pwned Networks. In USENIX FOCI, 2012.Google Scholar
D. Arp, M. Spreitzenbarth, H. Gascon, and K. Rieck. Drebin: Effective and Explainable Detection of Android Malware in Your Pocket. In NDSS, 2014.Google ScholarCross Ref
K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie. PScout: Analyzing the Android Permission Specification. In ACM CCS, 2012. Google ScholarDigital Library
T. Bl\"asing, L. Batyuk, A.-D. Schmidt, S. A. Camtepe, and S. Albayrak. An Android Application Sandbox System for Suspicious Software Detection. In IEEE MALWARE, 2010.Google Scholar
A. Bose, X. Hu, K. G. Shin, and T. Park. Behavioral Detection of Malware on Mobile Handsets. In ACM MobiSys, 2008. Google ScholarDigital Library
I. Castro, J. C. Cardona, S. Gorinsky, and P. Francois. Remote Peering: More Peering Without Internet Flattening. In ACM CoNEXT, 2014. Google ScholarDigital Library
T. Chen, I. Ullah, M. A. Kaafar, and R. Boreli. Information Leakage Through Mobile Analytics Services. In ACM MobiSys, 2014. Google ScholarDigital Library
P. H. Chia, Y. Yamamoto, and N. Asokan. Is this App Safe?: A Large Scale Study on Application Permissions and Risk Signals. In ACM WWW, 2012. Google ScholarDigital Library
D. Crawford. PPTP vs L2TP vs OpenVPN vs SSTP vs IKEv2. https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs-sstp-vs-ikev2/.Google Scholar
W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An Information Flow Tracking System for Real-Time Privacy Monitoring on Smartphones. CACM, 2014. Google ScholarDigital Library
S. Fahl, M. Harbach, T. Muders, L. Baumgärtner, B. Freisleben, and M. Smith. Why Eve and Mallory love Android: An analysis of Android SSL (in) security. In ACM CCS, 2012. Google ScholarDigital Library
A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android Permissions Demystified. In ACM CCS, 2011. Google ScholarDigital Library
A. Gorla, I. Tavecchia, F. Gross, and A. Zeller. Checking App Behavior Against App Descriptions. In ICSE, 2014. Google ScholarDigital Library
C. Haschek. Where are free proxies free? https://blog.haschek.at/post/fd9bc.Google Scholar
P. Hornyack, S. Han, J. Jung, S. Schechter, and D. Wetherall. These Aren't the Droids You're Looking for: Retrofitting Android to Protect Data from Imperious Applications. In ACM CCS, 2011. Google ScholarDigital Library
M. Ikram, H. J. Asghar, M. A. Kaafar, B. Krishnamurthy, and A. Mahanti. Towards Seamless Tracking-Free Web: Improved Detection of Trackers via One-class Learning. In PETs, 2017.Google Scholar
J. Jeon, K. K. Micinski, J. A. Vaughan, A. Fogel, N. Reddy, J. S. Foster, and T. Millstein. Dr. Android and Mr. Hide: Fine-grained Permissions in Android Applications. In ACM SPSM, 2012. Google ScholarDigital Library
A. Kantchelian, M. C. Tschantz, S. Afroz, B. Miller, V. Shankar, R. Bachwani, A. D. Joseph, and J. D. Tygar. Better Malware Ground Truth: Techniques for Weighting Anti-Virus Vendor Labels. In AISec, 2015. Google ScholarDigital Library
A. Kharraz, W. Robertson, D. Balzarotti, L. Bilge, and E. Kirda. Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks. In DIMVA, 2015. Google ScholarDigital Library
S. Khattak, D. Fifield, S. Afroz, M. Javed, S. Sundaresan, V. Paxson, S. J. Murdoch, and D. McCoy. Do You See What I See? Differential Treatment of Anonymous Users. In NDSS, 2016.Google Scholar
S. Khattak, M. Javed, S. A. Khayam, Z. A. Uzmi, and V. Paxson. A Look at the Consequences of Internet Censorship Through an ISP Lens. In ACM IMC, 2014. Google ScholarDigital Library
H. Kim, J. Smith, and K. G. Shin. Detecting Energy-Greedy Anomalies and Mobile Malware Variants. In ACM MobiSys, 2008. Google ScholarDigital Library
C. Kreibich, N. Weaver, B. Nechaev, and V. Paxson. Netalyzr: Illuminating the Edge Network. In ACM IMC, 2010. Google ScholarDigital Library
A. Le, J. Varmarken, S. Langhoff, A. Shuba, M. Gjoka, and A. Markopoulou. AntMonitor: A System for Monitoring from Mobile Devices. In ACM (C2B(I)D), 2015. Google ScholarDigital Library
I. Leontiadis, C. Efstratiou, M. Picone, and C. Mascolo. Don't Kill my Ads!: Balancing Privacy in an Ad-supported Mobile Application Market. In ACM HotMobile, 2012. Google ScholarDigital Library
MaxMind. https://www.maxmind.com.Google Scholar
R. Nithyanand, S. Khattak, M. Javed, N. Vallina-Rodriguez, M. Falahrastegar, J. E. Powles, E. De Cristofaro, H. Haddadi, and S. J. Murdoch. Ad-blocking and counter blocking: A slice of the arms race. FOCI, 2016.Google Scholar
V. Paxson. Bro: a System for Detecting Network Intruders in Real-Time. Computer Networks, 1999. Google ScholarDigital Library
V. C. Perta, M. V. Barbera, G. Tyson, H. Haddadi, and A. Mei. A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN Clients. PETS, 2015.Google Scholar
I. Poese, S. Uhlig, M. A. Kaafar, B. Donnet, and B. Gueye. IP geolocation databases: Unreliable? ACM SIGCOMM CCR, 2011. Google ScholarDigital Library
A. Razaghpanah, N. Vallina-Rodriguez, S. Sundaresan, C. Kreibich, P. Gill, M. Allman, and V. Paxson. Haystack: In Situ Mobile Traffic Analysis in User Space. arXiv preprint arXiv:1510.01419, 2015.Google Scholar
C. Reis, S. Gribble, T. Kohno, and N. Weaver. Detecting In-Flight Page Changes with Web Tripwires. In NSDI, 2008. Google ScholarDigital Library
Rescorla, Eric and Modadugu, Nagendra. Datagram Transport Layer Security (RFC4347). https://tools.ietf.org/html/rfc4347.Google Scholar
F. Roesner, T. Kohno, A. Moshchuk, B. Parno, H. J. Wang, and C. Cowan. User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems. In IEEE S&P, 2012. Google ScholarDigital Library
Samsung KNOX. https://www.samsungknox.com/en.Google Scholar
A.-D. Schmidt, F. Peters, F. Lamour, C. Scheel, S. A. Çamtepe, and Ş. Albayrak. Monitoring Smartphones for Anomaly Detection. Mobile Networks and Applications, 2009. Google ScholarDigital Library
S. Seneviratne, H. Kolamunna, and A. Seneviratne. A Measurement Study of Tracking in Paid Mobile Applications. In ACM WiSec, 2015. Google ScholarDigital Library
A. Shabtai, U. Kanonov, Y. Elovici, C. Glezer, and Y. Weiss."Andromaly": A Behavioral Malware Detection Framework for Android Devices. JIIS, 2012. Google ScholarDigital Library
S. Shekhar, M. Dietz, and D. S. Wallach. AdSplit: Separating Smartphone Advertising from Applications. In USENIX Sec, 2012. Google ScholarDigital Library
Y. Song and U. Hengartner. PrivacyGuard: A VPN-based Platform to Detect Information Leakage on Android Devices. In ACM SPSM, 2015. Google ScholarDigital Library
N. Vallina-Rodriguez, J. Amann, C. Kreibich, N. Weaver, and V. Paxson. A Tangled Mass: The Android Root Certificate Stores. In ACM CoNEXT, 2014. Google ScholarDigital Library
N. Vallina-Rodriguez, S. Sundaresan, C. Kreibich, and V. Paxson. Header Enrichment or ISP Enrichment? Emerging Privacy Threats in Mobile Networks. In ACM HotMiddlebox, 2015. Google ScholarDigital Library
N. Vallina-Rodriguez, S. Sundaresan, C. Kreibich, N. Weaver, and V. Paxson. Beyond the Radio: Illuminating the Higher Layers of Mobile Networks. In ACM MobiSys, 2015. Google ScholarDigital Library
N. Weaver, C. Kreibich, M. Dam, and V. Paxson. Here Be Web Proxies. In PAM, 2014. Google ScholarDigital Library
N. Weaver, C. Kreibich, and V. Paxson. Redirecting Dns for Ads and Profit, 2011.Google Scholar
L.-K. Yan and H. Yin. DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis. In USENIX Security, 2012. Google ScholarDigital Library
Y. Zhou and X. Jiang. Dissecting Android Malware: Characterization and Evolution. In IEEE S&P, 2012. Google ScholarDigital Library
Y. Zhou, X. Zhang, X. Jiang, and V. W. Freeh. Taming Information-stealing Smartphone Applications (on Android). In TRUST, 2011. Google ScholarDigital Library

Index Terms

An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps
1. Networks
  1. Network properties
    1. Network security
      1. Mobile and wireless security
      2. Security protocols
2. Security and privacy
  1. Human and societal aspects of security and privacy
    1. Privacy protections
  2. Security services
    1. Privacy-preserving protocols
    2. Pseudonymity, anonymity and untraceability

Recommendations

Investigation into the security and privacy of iOS VPN applications
ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security

Due to the increasing number of recommendations for people to use Virtual Private Networks (VPNs) to protect their privacy, more application developers are creating VPN applications and publishing them on the Apple App Store and Google Play Store. In ...
Read More
Vetting undesirable behaviors in android apps with permission use analysis
CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

Android platform adopts permissions to protect sensitive resources from untrusted apps. However, after permissions are granted by users at install time, apps could use these permissions (sensitive resources) with no further restrictions. Thus, recent ...
Read More
Permission Use Analysis for Vetting Undesirable Behaviors in Android Apps

The android platform adopts permissions to protect sensitive resources from untrusted apps. However, after permissions are granted by users at install time, apps could use these permissions (sensitive resources) with no further restrictions. Thus, ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
IMC '16: Proceedings of the 2016 Internet Measurement Conference
November 2016
570 pages
ISBN:9781450345262
DOI:10.1145/2987443
General Chairs:
Phillipa Gill
University of Massachusetts--Amherst
,
John Heidemann
USC/ISI
,
Program Chairs:
John W. Byers
Boston University
,
Ramesh Govindan
USC
Copyright © 2016 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 14 November 2016
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
ads blocking
dns hijacking
hidden proxies
ipv6
javascript injection
tls interception
tunneling protocols
vpn
vpn permission
Qualifiers
- research-article
Conference

Acceptance Rates
IMC '16 Paper Acceptance Rate48of184submissions,26%Overall Acceptance Rate277of1,083submissions,26%
More
Upcoming Conference
IMC '24

Sponsor:

sigcomm

sigcomm

ACM Internet Measurement Conference

November 4 - 6, 2024

Madrid , AA , Spain
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 76
  Total Citations
  View Citations
- 3,440
  Total Downloads
- Downloads (Last 12 months)1,012
- Downloads (Last 6 weeks)239
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps

IMC '16: Proceedings of the 2016 Internet Measurement Conference

ABSTRACT

References

Cited By

Index Terms

Recommendations

Investigation into the security and privacy of iOS VPN applications

Vetting undesirable behaviors in android apps with permission use analysis

Permission Use Analysis for Vetting Undesirable Behaviors in Android Apps