ABSTRACT
Millions of users worldwide resort to mobile VPN clients to circumvent censorship, to access geo-blocked content, and more generally for privacy and security purposes. In practice, however, users have little, if any, guarantee about the corresponding security and privacy settings, and often no practical knowledge of which entities gain access to their mobile traffic.
In this paper we provide a first comprehensive analysis of 283 Android apps that use the Android VPN permission, which we extracted from a corpus of more than 1.4 million apps on the Google Play store. We perform a number of passive and active measurements designed to investigate a wide range of security and privacy features and to study the behavior of each VPN-based app. Our analysis covers possible malware presence, third-party library embedding, and traffic manipulation, and also gauges user perception of the security and privacy of such apps. Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as the use of insecure VPN tunneling protocols and IPv6 and DNS traffic leakage. We also report on a number of apps that actively perform TLS interception. Of particular concern are apps that inject JavaScript programs for tracking and advertising, and for redirecting e-commerce traffic to external partners.
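Two of the checks the abstract refers to, written here as an added example rather than code from the paper or its authors: identifying an app as VPN-permission-enabled from its decoded AndroidManifest.xml (Android requires a VpnService subclass to be declared as a service guarded by android.permission.BIND_VPN_SERVICE with an intent-filter for the android.net.VpnService action), and a web-tripwire style comparison that flags script URLs present only in a copy of a page fetched through the VPN tunnel. The manifest, the two HTML pages and every hostname below are constructed for the example.

```python
"""Added example: (1) manifest-based detection of VPN-permission-enabled
apps and (2) a direct-vs-tunnel page diff for injected JavaScript.
All inputs are constructed; nothing here is the paper's own tooling."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
VPN_PERMISSION = "android.permission.BIND_VPN_SERVICE"
VPN_ACTION = "android.net.VpnService"


def declares_vpn_service(manifest_xml: str) -> bool:
    """True if the (decoded) manifest declares a VpnService: a <service>
    whose android:permission is BIND_VPN_SERVICE and whose intent-filter
    carries the android.net.VpnService action. Either element alone is
    not enough: the permission guards the bind, the action lets the
    system find the service, and a real VpnService needs both."""
    root = ET.fromstring(manifest_xml)
    for svc in root.iter("service"):
        if svc.get(f"{{{ANDROID_NS}}}permission") != VPN_PERMISSION:
            continue
        for action in svc.iter("action"):
            if action.get(f"{{{ANDROID_NS}}}name") == VPN_ACTION:
                return True
    return False


# Matches <script ... src="..."> (either quote style, any attribute order).
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def injected_scripts(direct_html: str, via_vpn_html: str) -> list:
    """Web-tripwire style check: script URLs that appear only in the copy
    fetched through the tunnel are candidates for in-flight injection.
    Order of appearance in the tunnel copy is preserved."""
    baseline = set(SCRIPT_SRC.findall(direct_html))
    return [src for src in SCRIPT_SRC.findall(via_vpn_html)
            if src not in baseline]


# ---- constructed sample inputs ------------------------------------------
SAMPLE_VPN_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vpnapp">
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# A service with an unrelated permission guard: must not be counted.
SAMPLE_PLAIN_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainapp">
  <application>
    <service android:name=".SyncService"
             android:permission="android.permission.BIND_JOB_SERVICE"/>
  </application>
</manifest>"""

DIRECT_HTML = """<html><head>
<script src="https://shop.example/static/app.js"></script>
</head><body>Checkout</body></html>"""

VIA_VPN_HTML = """<html><head>
<script src="https://shop.example/static/app.js"></script>
<script type="text/javascript" src="//ads.tracker.invalid/inject.js"></script>
</head><body>Checkout</body></html>"""


if __name__ == "__main__":
    print("vpn app:", declares_vpn_service(SAMPLE_VPN_MANIFEST))      # True
    print("plain app:", declares_vpn_service(SAMPLE_PLAIN_MANIFEST))  # False
    print("injected:", injected_scripts(DIRECT_HTML, VIA_VPN_HTML))
```

Two caveats a practitioner should keep in mind. The manifest check tells you an app is able to open a tunnel and capture device traffic, not what it does with it; that is exactly why the abstract's active measurements are needed. The tripwire diff is only meaningful when the baseline is fetched over a path you trust and the page does not legitimately vary its script URLs per request (cache-busting query strings, A/B buckets), so in practice it should be repeated and the baseline normalised before a difference is treated as injection.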
An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps