An analysis of the privacy and security risks of Android VPN permission-enabled apps

Muhammad Ikram, Narseo Vallina-Rodriguez, Suranga Seneviratne, Mohamed Ali Kaafar, Vern Paxson

Research output: Chapter in Book/Report/Conference proceeding, Conference proceeding contribution, peer-review

102 Citations (Scopus)

Abstract

Millions of users worldwide resort to mobile VPN clients to either circumvent censorship or to access geo-blocked content, and more generally for privacy and security purposes. In practice, however, users have little if any guarantees about the corresponding security and privacy settings, and perhaps no practical knowledge about the entities accessing their mobile traffic.

In this paper we provide a first comprehensive analysis of 283 Android apps that use the Android VPN permission, which we extracted from a corpus of more than 1.4 million apps on the Google Play store. We perform a number of passive and active measurements designed to investigate a wide range of security and privacy features and to study the behavior of each VPN-based app. Our analysis includes investigation of possible malware presence, third-party library embedding, and traffic manipulation, as well as gauging user perception of the security and privacy of such apps. Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as use of insecure VPN tunneling protocols, as well as IPv6 and DNS traffic leakage. We also report on a number of apps actively performing TLS interception. Of particular concern are instances of apps that inject JavaScript programs for tracking, advertising, and for redirecting e-commerce traffic to external partners.

Original language: English
Title of host publication: Proceedings of the 2016 ACM Internet Measurement Conference
Place of Publication: New York
Publisher: Association for Computing Machinery
Pages: 349-364
Number of pages: 16
ISBN (Electronic): 9781450345262
Publication status: Published - 14 Nov 2016
Externally published: Yes
Event: 2016 ACM Internet Measurement Conference, IMC 2016 - Santa Monica, United States
Duration: 14 Nov 2016 to 16 Nov 2016

Conference

Conference: 2016 ACM Internet Measurement Conference, IMC 2016
Country/Territory: United States
City: Santa Monica
Period: 14/11/16 to 16/11/16
