An analysis of the privacy and security risks of android VPN permission-enabled apps

Muhammad Ikram; Narseo Vallina-Rodriguez; Suranga Seneviratne; Mohamed Ali Kaafar; Vern Paxson

doi:10.1145/2987443.2987471

An analysis of the privacy and security risks of android VPN permission-enabled apps

Muhammad Ikram, Narseo Vallina-Rodriguez, Suranga Seneviratne, Mohamed Ali Kaafar, Vern Paxson

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

102 Citations (Scopus)

Abstract

Millions of users worldwide resort to mobile VPN clients to either circumvent censorship or to access geo-blocked content, and more generally for privacy and security purposes. In practice, however, users have little if any guarantees about the corresponding security and privacy settings, and perhaps no practical knowledge about the entities accessing their mobile traffic.

In this paper we provide a first comprehensive analysis of 283 Android apps that use the Android VPN permission, which we extracted from a corpus of more than 1.4 million apps on the Google Play store. We perform a number of passive and active measurements designed to investigate a wide range of security and privacy features and to study the behavior of each VPN-based app. Our analysis includes investigation of possible malware presence, third-party library embedding, and traffic manipulation, as well as gauging user perception of the security and privacy of such apps. Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as use of insecure VPN tunneling protocols, as well as IPv6 and DNS traffic leakage. We also report on a number of apps actively performing TLS interception. Of particular concern are instances of apps that inject JavaScript programs for tracking, advertising, and for redirecting e-commerce traffic to external partners.

Original language	English
Title of host publication	Proceedings of the 2016 ACM Internet Measurement Conference
Place of Publication	New York
Publisher	Association for Computing Machinery
Pages	349-364
Number of pages	16
ISBN (Electronic)	9781450345262
DOIs	https://doi.org/10.1145/2987443.2987471
Publication status	Published - 14 Nov 2016
Externally published	Yes
Event	2016 ACM Internet Measurement Conference, IMC 2016 - Santa Monica, United States Duration: 14 Nov 2016 → 16 Nov 2016

Conference

Conference	2016 ACM Internet Measurement Conference, IMC 2016
Country/Territory	United States
City	Santa Monica
Period	14/11/16 → 16/11/16

Access to Document

10.1145/2987443.2987471

Cite this

@inproceedings{12d58083cb1d4167be0a9d7814fb1503,

title = "An analysis of the privacy and security risks of android VPN permission-enabled apps",

abstract = "Millions of users worldwide resort to mobile VPN clients to either circumvent censorship or to access geo-blocked content, and more generally for privacy and security purposes. In practice, however, users have little if any guarantees about the corresponding security and privacy settings, and perhaps no practical knowledge about the entities accessing their mobile traffic. In this paper we provide a first comprehensive analysis of 283 Android apps that use the Android VPN permission, which we extracted from a corpus of more than 1.4 million apps on the Google Play store. We perform a number of passive and active measurements designed to investigate a wide range of security and privacy features and to study the behavior of each VPN-based app. Our analysis includes investigation of possible malware presence, third-party library embedding, and traffic manipulation, as well as gauging user perception of the security and privacy of such apps. Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as use of insecure VPN tunneling protocols, as well as IPv6 and DNS traffic leakage. We also report on a number of apps actively performing TLS interception. Of particular concern are instances of apps that inject JavaScript programs for tracking, advertising, and for redirecting e-commerce traffic to external partners.",

author = "Muhammad Ikram and Narseo Vallina-Rodriguez and Suranga Seneviratne and Kaafar, {Mohamed Ali} and Vern Paxson",

year = "2016",

month = nov,

day = "14",

doi = "10.1145/2987443.2987471",

language = "English",

pages = "349--364",

booktitle = "Proceedings of the 2016 ACM Internet Measurement Conference",

publisher = "Association for Computing Machinery",

note = "2016 ACM Internet Measurement Conference, IMC 2016 ; Conference date: 14-11-2016 Through 16-11-2016",

}

Ikram, M, Vallina-Rodriguez, N, Seneviratne, S, Kaafar, MA & Paxson, V 2016, An analysis of the privacy and security risks of android VPN permission-enabled apps. in Proceedings of the 2016 ACM Internet Measurement Conference. Association for Computing Machinery, New York, pp. 349-364, 2016 ACM Internet Measurement Conference, IMC 2016, Santa Monica, United States, 14/11/16. https://doi.org/10.1145/2987443.2987471

An analysis of the privacy and security risks of android VPN permission-enabled apps. / Ikram, Muhammad; Vallina-Rodriguez, Narseo; Seneviratne, Suranga et al.
Proceedings of the 2016 ACM Internet Measurement Conference. New York: Association for Computing Machinery, 2016. p. 349-364.

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

TY - GEN

T1 - An analysis of the privacy and security risks of android VPN permission-enabled apps

AU - Ikram, Muhammad

AU - Vallina-Rodriguez, Narseo

AU - Seneviratne, Suranga

AU - Kaafar, Mohamed Ali

AU - Paxson, Vern

PY - 2016/11/14

Y1 - 2016/11/14

N2 - Millions of users worldwide resort to mobile VPN clients to either circumvent censorship or to access geo-blocked content, and more generally for privacy and security purposes. In practice, however, users have little if any guarantees about the corresponding security and privacy settings, and perhaps no practical knowledge about the entities accessing their mobile traffic. In this paper we provide a first comprehensive analysis of 283 Android apps that use the Android VPN permission, which we extracted from a corpus of more than 1.4 million apps on the Google Play store. We perform a number of passive and active measurements designed to investigate a wide range of security and privacy features and to study the behavior of each VPN-based app. Our analysis includes investigation of possible malware presence, third-party library embedding, and traffic manipulation, as well as gauging user perception of the security and privacy of such apps. Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as use of insecure VPN tunneling protocols, as well as IPv6 and DNS traffic leakage. We also report on a number of apps actively performing TLS interception. Of particular concern are instances of apps that inject JavaScript programs for tracking, advertising, and for redirecting e-commerce traffic to external partners.

AB - Millions of users worldwide resort to mobile VPN clients to either circumvent censorship or to access geo-blocked content, and more generally for privacy and security purposes. In practice, however, users have little if any guarantees about the corresponding security and privacy settings, and perhaps no practical knowledge about the entities accessing their mobile traffic. In this paper we provide a first comprehensive analysis of 283 Android apps that use the Android VPN permission, which we extracted from a corpus of more than 1.4 million apps on the Google Play store. We perform a number of passive and active measurements designed to investigate a wide range of security and privacy features and to study the behavior of each VPN-based app. Our analysis includes investigation of possible malware presence, third-party library embedding, and traffic manipulation, as well as gauging user perception of the security and privacy of such apps. Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as use of insecure VPN tunneling protocols, as well as IPv6 and DNS traffic leakage. We also report on a number of apps actively performing TLS interception. Of particular concern are instances of apps that inject JavaScript programs for tracking, advertising, and for redirecting e-commerce traffic to external partners.

UR - http://www.scopus.com/inward/record.url?scp=85000417043&partnerID=8YFLogxK

U2 - 10.1145/2987443.2987471

DO - 10.1145/2987443.2987471

M3 - Conference proceeding contribution

AN - SCOPUS:85000417043

SP - 349

EP - 364

BT - Proceedings of the 2016 ACM Internet Measurement Conference

PB - Association for Computing Machinery

CY - New York

T2 - 2016 ACM Internet Measurement Conference, IMC 2016

Y2 - 14 November 2016 through 16 November 2016

ER -

An analysis of the privacy and security risks of android VPN permission-enabled apps

Abstract

Conference

Access to Document

Other files and links

Fingerprint

Cite this