An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps

Muhammad Ikram (1,2), Narseo Vallina-Rodriguez (3), Suranga Seneviratne (1), Mohamed Ali Kaafar (1), Vern Paxson (3,4)
1 Data61, CSIRO; 2 UNSW; 3 ICSI; 4 UC Berkeley

ABSTRACT

Millions of users worldwide resort to mobile VPN clients to either circumvent censorship or to access geo-blocked content, and more generally for privacy and security purposes. In practice, however, users have little if any guarantees about the corresponding security and privacy settings, and perhaps no practical knowledge about the entities accessing their mobile traffic. In this paper we provide a first comprehensive analysis of 283 Android apps that use the Android VPN permission, which we extracted from a corpus of more than 1.4 million apps on the Google Play store. We perform a number of passive and active measurements designed to investigate a wide range of security and privacy features and to study the behavior of each VPN-based app. Our analysis includes investigation of possible malware presence, third-party library embedding, and traffic manipulation, as well as gauging user perception of the security and privacy of such apps. Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as use of insecure VPN tunneling protocols, as well as IPv6 and DNS traffic leakage. We also report on a number of apps actively performing TLS interception. Of particular concern are instances of apps that inject JavaScript programs for tracking, advertising, and for redirecting e-commerce traffic to external partners.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
IMC 2016, November 14-16, 2016, Santa Monica, CA, USA. © 2016 ACM. ISBN 978-1-4503-4526-2/16/11...$15.00. DOI: http://dx.doi.org/10.1145/2987443.2987471

1. INTRODUCTION

Since the release of Android version 4.0 in October 2011, mobile app developers can use native support to create VPN clients through the Android VPNService class. As opposed to the desktop context, where an app needs root access to create virtual interfaces, Android app developers only have to request the BIND_VPN_SERVICE permission (for simplicity, the "VPN permission") to create such clients.

Android's official documentation highlights the serious security concerns that the VPN permission raises: it allows an app to intercept and take full control over a user's traffic [60]. Many apps may legitimately use the VPN permission to offer (some form of) online anonymity or to enable access to censored content [87]. However, malicious app developers may abuse it to harvest users' personal information. In order to minimize possible misuse, Android alerts users about the inherent risks of the VPN permission by displaying system dialogues and notifications [60]. A large fraction of mobile users may however lack the necessary technical background to fully understand the potential implications.

The use of the VPN permission by mobile apps, many of which have been installed by millions of users worldwide, remains opaque and undocumented. In this paper, we conduct in-depth analysis of 283 Android VPN apps extracted from a population of 1.4M Google Play apps. In our efforts to illuminate and characterize the behavior of VPN apps and their impact on user's privacy and security, we develop a suite of tests that combines passive analysis of the source code (cf. Section 4) with custom-built active network measurements (cf. Section 5). The main findings of our analysis are summarized as follows:

Third-party user tracking and access to sensitive Android permissions: Even though 67% of the identified VPN Android apps offer services to enhance online privacy and security, 75% of them use third-party tracking libraries and 82% request permissions to access sensitive resources including user accounts and text messages.

Malware presence: While 37% of the analyzed VPN apps have more than 500K installs and 25% of them receive at least a 4-star rating, over 38% of them contain some malware presence according to VirusTotal [57]. We analyze the public user reviews available on Google Play for all the VPN apps to sense whether their users are aware of possible malicious activities in their apps. Our analysis reveals that only a marginal number of VPN users have publicly raised any security and privacy concerns in their app reviews.

Traffic interception modes: The hosting infrastructure of VPN apps, which is heavily concentrated in the USA, remains opaque for the end-user. 18% of the apps do not mention the entity hosting the terminating VPN server. Our network measurements also suggest that 16% of the analyzed apps may forward traffic through other participating users in a peer-forwarding fashion rather than using machines hosted in the cloud. This forwarding model raises a number of trust, security and privacy concerns for participating users. Finally, 4% of the analyzed VPN apps use the VPN permission to implement localhost proxies to intercept and inspect user traffic locally, primarily for antivirus and traffic filtering purposes.

(Lack of) Encryption and traffic leaks: 18% of the VPN apps implement tunneling protocols without encryption despite promising online anonymity and security to their users. In fact, approximately 84% and 66% of the analyzed VPN apps do not tunnel IPv6 and DNS traffic through the tunnel interface respectively due to lack of IPv6 support, misconfigurations or developer-induced errors. Both the lack of strong encryption and traffic leakages can ease online tracking activities performed by in-path middleboxes (e.g., commercial WiFi APs harvesting user's data) and by surveillance agencies.

In-path proxies and traffic manipulation: 16% of the analyzed VPN apps deploy non-transparent proxies that modify user's HTTP traffic by injecting and removing headers or performing techniques such as image transcoding. However, the artifacts implemented by VPN apps go beyond the typical features present in HTTP proxies. We identified two VPN apps actively injecting JavaScript code on user's traffic for advertisement and tracking purposes, and one of them redirects e-commerce traffic to external advertising partners.

TLS interception: Four of the analyzed VPN apps compromise users' root-store and actively perform TLS interception in flight. Three of these apps claim to provide traffic acceleration services and selectively intercept traffic to specific online services like social networks, banking, e-commerce sites, email and IM services and analytics services.

Our results show that—in spite of the promises for privacy, security and anonymity given by the majority of VPN apps—millions of users may unknowingly be subject to poor security guarantees and abusive practices inflicted by VPN apps. However, this study has not answered several interesting research questions such as traffic discrimination [86] and the detection of side-channels to extract additional private information from user's phones.
2. ANDROID'S VPN PERMISSION

Google introduced native platform support for VPN clients through the VPNService base class and its associated BIND_VPN_SERVICE permission in Android version 4.0 [60]. For simplicity, we will reference the BIND_VPN_SERVICE permission as the "VPN permission".

Table 1: Custom VPN permissions for MDM apps.
Vendor | Custom Permission
Cisco | com.cisco.anyconnect.vpn.android.MODIFY_VPN
Juniper | com.juniper.permission.JUNIPER_VPN_ACCESS
Samsung | android.permission.sec.MDM_VPN
KNOX | android.permission.sec.MDM_ENTERPRISE_VPN

The BIND_VPN_SERVICE permission is a powerful Android feature that app developers can misuse or abuse. It allows the requesting app to intercept, manipulate and forward all user's traffic to a remote proxy or VPN server of their choice or to implement proxies in localhost [97]. Android's VPN API exposes a virtual network interface to the requesting app and—if the developer configures the routing tables correctly—routes all the device's traffic to it. Likewise, each write operation to the virtual interface injects a packet just like it was received from the external interface. As for any other Android permission, app developers must explicitly declare access to the VPN permission in the app's AndroidManifest file [2], but Android limits the creation and ownership of the virtual interface to only one app at a given time.

Due to the exceptional security and privacy risks of allowing third-party apps to intercept all user's traffic, Android generates two warnings to notify users whenever an app creates a virtual interface using the VPN permission: (i) a system dialog seeking the user's approval to create a virtual interface, and (ii) a system-generated notification that informs users as long as the VPN interface remains active [60]. However, average mobile users may not fully understand, possibly due to the lack of technical background, the consequences of allowing a third-party app to read, block and/or modify their traffic.

Custom VPN permissions: Android's native VPN support has enabled proprietary VPN solutions for enterprise clients such as Cisco AnyConnect [5] and Juniper Junos [28] technologies. Enterprise solutions, also known as Mobile Device Management solutions or MDM, implement their own tunneling protocols on top of Android's VPN permission to secure and simplify remote access to enterprise or private networks. Samsung's KNOX SDK [101] is a different incarnation of proprietary MDM solutions. In that case, Samsung takes advantage of its position as an Android OS vendor to completely replace Android's VPN implementation at the firmware level with their own solution. Android's permission model allows MDM providers to share their VPN technologies with other apps by defining custom permissions. These are listed in Table 1. The requesting app must declare the associated custom permission on its manifest and the app providing the proprietary technology must be already installed on the device. In the case of Samsung's KNOX-enabled devices, the app developer wishing to incorporate any KNOX feature in its app must first enroll on Samsung's KNOX program and then request access to the proprietary SDK [29, 45]. As a result, Android VPN apps without KNOX support may operate incorrectly on many Samsung devices. The security guarantees that apply for the official VPN permission also apply for custom VPN permissions, as the MDM solution is responsible for requesting Android's BIND_VPN_SERVICE permission.
3. DISCOVERING VPN APPS ON GOOGLE PLAY

This section describes our method for identifying and characterizing Android VPN-enabled apps on Google Play.

3.1 Detection Method

Identifying VPN-enabled apps on Google Play is not a trivial task. The list of permissions available on a given app's Google Play profile does not necessarily contain the use of the VPN permission by the app. App developers can request the Android VPN permissions in their app AndroidManifest file in two different ways: they can request the VPN permission within the scope of the whole app or restrict its use to a specific activity or service [footnote 1] using the <uses-permission> and <service> tags respectively. This subtle difference has an impact on any method aiming to detect VPN-enabled apps: when a developer declares the permission within the <service> tag, the VPN permission does not show up in the list of Android permissions available on Google Play. Consequently, in order to correctly identify VPN-enabled apps at scale—either those using Android's official permission or any of the custom VPN permissions listed in Table 1—we must crawl Google Play to download each app's executable and then decompile it to inspect their AndroidManifest file in detail.

We rely on multiple tools to fetch each app's metadata (e.g., app description, installs, developer, user reviews and app rating) and to download their executables. For free apps, we use Google Play Unofficial Python API [21] whereas for paid apps, we use Raccoon APK Downloader to obtain the binaries after paying their required fee [43]. Finally, after having downloaded each app's executable, we use ApkTool [footnote 2] to decompile, extract and analyze each app's source code and their AndroidManifest file.
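As an added illustration of the two declaration styles just described (not code from the paper or its authors), the following Python checks a decompiled AndroidManifest.xml for the official VPN permission and for the custom MDM permissions of Table 1 and reports whether each declaration sits at app scope or on a single component; the sample manifest and package name are constructed.

```python
"""Detect the Android VPN permission in a decompiled AndroidManifest.xml.

Added example, not the paper's own tooling. It covers both declaration
styles described in the text: an app-wide <uses-permission> entry (visible
on the Google Play profile) and a permission attached to a single <service>
or <activity> component (not visible there), and it also recognises the
custom MDM permissions from Table 1.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Official VPN permission plus the vendor-specific ones listed in Table 1.
VPN_PERMISSIONS = {
    "android.permission.BIND_VPN_SERVICE": "Android",
    "com.cisco.anyconnect.vpn.android.MODIFY_VPN": "Cisco",
    "com.juniper.permission.JUNIPER_VPN_ACCESS": "Juniper",
    "android.permission.sec.MDM_VPN": "Samsung",
    "android.permission.sec.MDM_ENTERPRISE_VPN": "KNOX",
}


def find_vpn_permissions(manifest_xml: str) -> list:
    """Return every VPN-related permission declaration found in the manifest.

    Each hit records the permission, its vendor, the scope ("app" for a
    <uses-permission> entry, otherwise the component tag) and, for
    component-scoped declarations, the component's class name.
    """
    root = ET.fromstring(manifest_xml)
    hits = []
    # Style 1: app-wide request; this is what the Play profile lists.
    for node in root.iter("uses-permission"):
        perm = node.get(NAME, "")
        if perm in VPN_PERMISSIONS:
            hits.append({"permission": perm, "vendor": VPN_PERMISSIONS[perm],
                         "scope": "app", "component": None})
    # Style 2: permission restricted to one component; absent from Play.
    for tag in ("service", "activity"):
        for node in root.iter(tag):
            perm = node.get(PERMISSION, "")
            if perm in VPN_PERMISSIONS:
                hits.append({"permission": perm, "vendor": VPN_PERMISSIONS[perm],
                             "scope": tag, "component": node.get(NAME)})
    return hits


def is_vpn_app(manifest_xml: str) -> bool:
    return bool(find_vpn_permissions(manifest_xml))


def hidden_from_play(manifest_xml: str) -> bool:
    """True when the VPN permission appears only at component scope,
    i.e. a Play-profile permission list alone would miss this app."""
    hits = find_vpn_permissions(manifest_xml)
    return bool(hits) and all(h["scope"] != "app" for h in hits)


# Constructed sample manifest: the VPN permission is attached to the service
# only, so it would not show up on the app's Google Play permission list.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vpnsample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Sample">
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for hit in find_vpn_permissions(SAMPLE_MANIFEST):
        print(hit)
    print("hidden from Play profile:", hidden_from_play(SAMPLE_MANIFEST))
```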
To increase our app coverage and maximize the number of detected VPN apps, we implemented a Google Play crawler that uses two complementary seeds. First, we obtain the app ID (or package name) from the top 100 apps for four Google Play categories likely to contain VPN and MDM apps: tools, communication, business and productivity. Second, we leverage Google Play's search feature to find apps containing VPN-related keywords like "vpn", "virtual private network", "security", "censorship", "anonymity" or "privacy" in their app description. Afterwards, our crawler fetches each app's metadata and executables. Our crawler follows a breadth-first-search approach for any other app considered as "similar" by Google Play and for other apps published by the same developer. In total, this method has allowed us to survey 1,488,811 apps during a three week period in September 2015.

Footnote 1: Android apps can be composed of multiple activities (i.e., app components that run on the foreground on a single screen and require user interaction) and services (i.e., app components that perform long-running operations in the background) [3]. Permission requests can be limited to specific app components.
Footnote 2: https://ibotpeaches.github.io/apktool

Table 2: Number of VPN apps identified with our detection method.
App pricing model | # of apps (N=283) | # of apps analyzed in §5
Free VPN apps with Free Services | 130 | 130
Free VPN apps with Premium Services | 153 | 20

Figure 1: Evolution of VPN-enabled apps' availability on Google Play.

Our method has allowed us to identify 283 free Android apps requesting the VPN permission in their AndroidManifest files. 153 of the free VPN apps require the user to perform in-app purchases in order to use their online VPN services. We refer to such apps as "premium VPN apps" and they typically offer weekly, monthly, quarterly and yearly subscriptions. In the case of paid apps, we relied on information available on the app description as signals to identify potential paid VPN apps. This is the result of our inability to pay the fee for downloading the executables of each paid app listed on Google Play. This approach has allowed us to find 10 potential VPN paid apps. However, after paying their fee to download their executables, only one of them actually requested the VPN permission. Therefore, we decided to exclude paid VPN apps from this study. Our dynamic network analysis (presented in Section 5) covers the 130 free apps and 20 premium VPN apps. Unfortunately, we could not inspect the entirety of premium VPN apps as most of them are full MDM solutions which require dedicated IT and cloud support. Table 2 summarizes the scope of our static and dynamic analysis.
3.2 The Rise of VPN Apps

This section studies the presence of VPN-enabled apps available for download on Google Play over time. Given that Google Play does not report the actual release date of the apps but their last update, we use the date of their first comment as a proxy for their release date. For 9 apps without any user reviews as of this writing, we determine the approximate release date by their last update. Figure 1 shows the steady increase of VPN apps listed on Google Play since November 2011 (Android 4.0 release). Note that our analysis only considers apps listed on Google Play as of September 2015, so it excludes possible VPN apps removed from Google Play. During the 2-year period that spans between November 2011 and November 2013, the number of VPN apps increased ten-fold.

Table 3: Manual classification of VPN apps by their purpose.
App Category | % of Apps (N=283)
VPN Clients | 67
Enterprise | 10
Traffic Optimizer | 4
Communication Tools | 3
Traffic filters | 2
Traffic logger | 2
Antivirus | 1
Tor clients | 1
Other | 10

The analysis reveals that a small group of MDM apps like Juniper's Junos Pulse and Afaria [20] were already listed on Google Play years before the release of Android v4.0 (represented in the graph with the vertical line). Unfortunately, we cannot obtain the deprecated binaries of these apps for further inspection to report how they implemented (or not) their VPN solutions before Android provided native support. We speculate that they have relied either on users to manually enter the VPN server on Android's system settings or on users with rooted phones.

During the preparations for the final manuscript on August 5, 2016, we noticed that 49 out of 283 analyzed VPN apps were no longer listed on Google Play, either as a result of Google's vetting process, user complaints, or due to developer decisions.

3.3 VPN App Classification

VPN apps can provide a wide range of services to the user. Unfortunately, Google Play's categories (e.g., tools and games) are too broad to capture the actual purpose of the app. In order to identify their actual intended functionality, two co-authors inspected and labeled each VPN app manually according to their Google Play app description into 9 categories that we list in Table 3. In case an app advertises more than one functionality, we choose the most relevant one. We found no disagreements in the labeling process.

67% of Android VPN apps claim to provide traditional VPN services (labeled here as "VPN clients") including enhanced security and privacy, anti-surveillance or tunnels to access geo-filtered or censored content. Note that we consider Tor clients (e.g., Orbot [38], Globus VPN [62] and TorGuard VPN client [56]) as a separate category. The second most common category is enterprise MDM solutions (10% of apps), followed by traffic optimization tools (e.g., DashNet [9], 4% of apps) and communication tools (3% of apps) for tethering or for creating mesh networks and VLANs (typically for online gaming [33]).

Antivirus software apps (Qihoo 360 [42], Dr.Web Security Space [13] and Trend Micro's Mobile Security & Antivirus [30]) may also leverage the VPN permission to perform traffic analysis (e.g., malware detection), to block malicious traffic and to securely forward user's traffic through trusted servers when users connect through insecure or questionable WiFi networks. Other uses of the VPN permission are traffic filters and traffic loggers (e.g., NoRoot Firewall [34]) and even apps for securing online payments (e.g., Fast Secure Payment [17]).
4. STATIC ANALYSIS

In this section, we analyze the source code for each VPN Android app using static analysis. In particular, we report on applications requesting sensitive permissions, the presence of tracking libraries in apps' decompiled source code and the presence of malware activity according to the online antivirus aggregator, VirusTotal [footnote 3].

4.1 Permission Analysis

We investigate how VPN-enabled apps request other Android permissions to access sensitive system resources. We exclude network-related permissions like Internet access which are inherent to any VPN client. Figure 2 compares the permissions requested by VPN-enabled apps with those requested by the top-1,000 free non-VPN Android apps [footnote 4], which we included for reference. We use the method-to-permission mapping provided by Au et al. [69] to investigate the source code segments invoking the methods protected by each Android permission. For instance, in the case of apps requesting the READ_SMS permission, we investigate apps' calls to associated methods such as preSendSmsWorker (a method used to send SMS which informs the user about the intended or wanted text) and handleSmsReceived (a method that handles formatting-related aspects in received SMS) in order to determine the actual use of the permission by the app.

There are Android permissions that are more common on VPN apps than in other app categories. For instance, antivirus and MDM solutions request the READ_LOGS permission to inspect other apps' activities [2]. However, we observe that standard VPN clients like DroidVPN [12] and tigerVPN [54] also request permission to read system logs. Android documentation [2] flags this permission as highly sensitive, as any app developer may carelessly misuse Android's logging capabilities and (unintentionally) expose personal information (including passwords) to any other apps requesting it. Similarly, antivirus apps request the READ_EXTERNAL_STORAGE permission to check the stored files for possible virus and malware activity.

Many other permissions listed in Figure 2 may appear unusual requirements for VPN apps. However, VPN apps may provide additional and richer features to their users beyond a typical VPN tunnel. For each case, we manually checked the legitimacy of these requests by inspecting the API calls executed by the apps and checking the description for related functionalities, without finding any evidence for deliberate abuse of granted permissions. For instance, we found that antivirus apps as well as spyware VPN apps (which we further investigate in Section 4.3) request the READ_SMS permission to read text messages and, in the case of antivirus apps, to scan them for possible malware presence. Similarly, apps requesting READ_CONTACTS incorporate functions in the likes of blocking text and calls from specific phone numbers or sharing features through SMS or email.

Footnote 3: https://www.virustotal.com
Footnote 4: According to Google Play's ranking as of March 30, 2016.

Figure 2: Detailed comparison of Android permissions (x-axis) requested by VPN apps and the top-1,000 non-VPN apps.

Table 4: Distribution of third party trackers embedded in VPN apps.
# Trackers | VPN Apps: Premium | VPN Apps: Free | VPN Apps: All | Free non-VPN Apps
0 | 65% | 28% | 33% | 19%
1 | 13% | 10% | 8% | 11%
2 | 10% | 10% | 7% | 15%
3 | 12% | 25% | 13% | 23%
4 | 2% | 8% | 4% | 16%
≥5 | 5% | 18% | 8% | 17%
4.2 Tracking Libraries in VPN Apps

With the help of ApkTool, we examine the presence of embedded third-party libraries (in the form of external jar files) for analytics, tracking or advertising purposes in the source code of each VPN-enabled app. In order to identify which libraries are associated with tracking services, we use the manually curated list of 127 tracking and advertising libraries compiled by Seneviratne et al. [103]. Therefore, we consider our results as a lower bound of third-party tracking libraries presence in VPN apps.

Table 4 compares the number of trackers used by VPN-enabled apps with the presence of trackers in the reference set of 1,000 free non-VPN apps. 67% of the VPN apps embed at least one third-party tracking library in their source code. The use of tracking libraries in VPN apps is significantly lower than in the top 1,000 non-VPN apps, with almost 81% of the latter having at least one embedded tracking library. The fact that 65% of the premium VPN apps do not have any tracking library embedded (as opposed to only 28% of the free VPN apps) suggests that premium apps do not rely as much as free apps on revenues from advertising and analytics services.

Since most VPN apps intend to provide online anonymity (Section 3.3), the lower presence of tracking libraries is actually meaningful. However, we identified the presence of at least one tracking library in 75% of the free VPN apps claiming to protect users' privacy. 8% of all VPN apps have more than five. In particular, two VPN apps (Flash Free VPN [18] and Betternet [19]), which combined have more than 6M installs, have the highest number of embedded tracking libraries: 11 and 14 respectively.

Table 5: VPN Apps with a VirusTotal AV-rank ≥ 5.
# | App ID | Class | Rating | # Installs | AV-rank
1 | OkVpn [35] | Prem. | 4.2 | 1K | 24
2 | EasyVpn [15] | Prem. | 4.0 | 50K | 22
3 | SuperVPN [52] | Free | 3.9 | 10K | 13
4 | Betternet [19] | Free | 4.3 | 5M | 13
5 | CrossVpn [7] | Free | 4.2 | 100K | 11
6 | ArchieVPN [4] | Free | 4.3 | 10K | 10
7 | HatVPN [22] | Free | 4.0 | 5K | 10
8 | sFly Network Booster [48] | Prem. | 4.3 | 1K | 10
9 | OneClickVPN [36] | Free | 4.3 | 1M | 6
10 | Fast Secure Payment [17] | Prem. | 4.1 | 5K | 5

Figure 3 ranks the top-25 popular trackers in all analyzed VPN apps. Google Ads and Google Analytics are the most popular trackers among our corpus of VPN apps. A closer examination at the long-tail of the distribution reveals however that the least popular third-party tracking libraries in our reference set of 1000 apps are instead more common in VPN apps. For instance, VPN apps like SurfEasy [53] and IpShield VPN [27] integrate libraries like NativeX [footnote 5] and AppFlood [footnote 6] for monetizing their apps with targeted ads.
4.3 Malware Analysis

Malware components may be designed to circumvent a specific antivirus (AV) tool [113]. As a result, it is imperative to rely upon multiple AV scanners and datasets to effectively identify the presence of malware on mobile VPN apps. We leverage the capabilities offered by VirusTotal's public API to automate our malware detection process. VirusTotal is an online solution which aggregates the scanning capabilities provided by more than 100 AV tools, scanning engines and datasets. It has been commonly used in the academic literature to detect malicious apps, executables, software and domains [84, 68, 85].

After completing the scanning process for a given app, VirusTotal generates a report that indicates which of the participating AV scanning tools detected any malware activity in the app and the corresponding malware signature (if any). Given that a single scanning tool may produce false positives [113, 57], we rely on the "AV-rank" metric (i.e., the number of affiliated AV tools that identified any malware activity) to reason about the maliciousness of an app. The study by Arp et al. [68] considered an "AV-Rank" ≥ 2 as a valid metric for malware presence on mobile apps. Instead, we increase the "AV-rank" to a value ≥ 5 to set a more conservative threshold for malware detection.

Footnote 5: http://www.nativex.com
Footnote 6: http://www.appflood.com

Figure 3: Top 25 third-party tracking libraries (x-axis) in VPN and non-VPN apps.

38% of the analyzed VPN apps have at least one positive malware report according to VirusTotal, but only 4% of them have an "AV-rank" higher than 5. Table 5 ranks the top-10 VPN apps by their AV-rank. For each app, we include their Google Play rating and the number of installs for reference. The malware signatures for those apps correspond to 5 different types of malware: Adware (43%), Trojan (29%), Malvertising (17%), Riskware (6%) and Spyware (5%). OkVpn and EasyVpn, both implemented by the same app developer, incorporate Adware in their source code and both of them request the intrusive SYSTEM_ALERT_WINDOW permission which allows the requesting app to draw window alerts (in various forms, as in the case of unwanted ads) on top of any other active app. sFly Network Booster, a traffic optimization VPN app, provides accelerated, worldwide content access through its dynamic routing and cloud-based accelerating system. It incorporates Spyware and requests the privacy-sensitive READ_SMS and SEND_SMS permissions to read users' text messages and, potentially, send text messages to premium-rate numbers. OkVpn, EasyVPN, and sFly Network Booster are three of the 49 VPN apps that were not listed on Google Play as of August 2016 (Section 3.2).

According to the number of installations of these apps, millions of users appear to trust VPN apps despite their potential maliciousness. In fact, the high presence of malware activity in VPN apps that our analysis has revealed is worrisome given the ability that these apps already have to inspect and analyze all user's traffic with the VPN permission.
4.4 User Awareness Analysis

The previous subsection identified instances of VPN apps with malware presence. This section takes a user-centric perspective to understand if users publicly report on their Google Play reviews any of the privacy and security issues which could be present on VPN apps. Our analysis reveals that VPN apps receive high user ratings: 37% of the VPN apps have more than 500K installs and 25% of them have at least a 4-star rating, as shown in Figure 4. We cannot distinguish whether Google Play's positive installs and reviews are organic or if they were acquired using paid services to promote app installs [footnote 7].

Footnote 7: e.g., http://liftoff.io

Figure 4: Distribution of app rating vs. installs per VPN app.

Table 6: Classification of negative user reviews for the VPN apps with more than 1M installs in Google Play.
Complaint Category | % of negative reviews (N=4,593)
Bugs & battery life | 30%
Abusive permissions | 0.5%
Privacy concerns | 0.3%
Security concerns | 0.4%
Malware/fraud reports | 0.2%

To better understand whether real VPN users publicly report any security or privacy concerns after installing and using a given VPN app, we analyze (with manual supervision) 4,593 app reviews with low ratings (i.e., one and two stars) for the 49 VPN apps with more than 1 million installs. Our reasoning to focus our analysis solely on negative app reviews is that users reporting concerning security-related issues will also provide a low app rating.

We classify app reviews into 5 categories (listed in Table 6) that cover from performance concerns and bugs to privacy and security concerns. We exclude from our analysis any reviews related with usability concerns. 30% of user complaints report bugs, crashes and the app's negative impact on battery-life. Less than 1% of the negative reviews relate to security and privacy concerns, including the use of abusive or dubious permission requests and fraudulent activity, for the 9 apps listed in Table 7. Five of the apps reported as potentially malicious by app users are also flagged as such by VirusTotal (summarized in Table 5) due to malware activity (e.g., EasyVPN) and trojans (e.g., CrossVpn).

Table 7: List of VPN apps, with 500K or more installs, considered as malicious or intrusive by users in Google Play reviews and by VirusTotal (AV-positive column with AV-Rank ≥ 1; the check marks of that column did not survive text extraction).
App | Class | Rating | # Reviews | # Installs | AV-positive
EasyOvpn [14] | Free | 4.2 | 84,400 | 5M |
VPN Free [58] | Prem. | 4.0 | 15,788 | 1M |
Tigervpns [55] | Free | 4.1 | 36,617 | 1M |
DNSet [11] | Prem. | 4.0 | 21,699 | 500K |
CM Data Manager [6] | Prem. | 4.3 | 11,005 | 1M |
Rocket VPN [44] | Free | 4.2 | 11,625 | 500K |
Globus VPN [62] | Free | 4.3 | 14,273 | 500K |
Spotflux VPN [50] | Free | 4.0 | 14,095 | 500K |
CyberGhost [8] | Free | 4.0 | 13,689 | 500K |

Summary and takeaways. The increasing number of popular VPN apps available on Google Play and the apparent lack of user-awareness of the security and privacy risks associated with the VPN permission indicate the urge to analyze in depth this unexplored type of mobile apps. The average mobile user rates VPN apps positively even when they have malware presence. According to our study, only a handful of users have raised any type of security and privacy concern in their reviews. In Section 5 we will complement the insights provided by our static analysis with a comprehensive set of active tests that aim to reveal behavioral aspects of the VPN apps during runtime at the network level.
5. NETWORK MEASUREMENTS

In this section, we investigate the runtime and network behavior of 150 VPN apps. In particular we are interested in understanding how VPN apps handle user's traffic. We structure our analysis to illuminate the following aspects: (i) the traffic interception mechanisms implemented by each app (i.e., whether the app uses the VPN permission to implement localhost proxies or to forward the traffic through a terminating end-point or another peer); (ii) the tunneling protocols implemented by each app as well as developer-induced misconfigurations which may cause traffic leaks; (iii) the presence of proxies and traffic manipulation techniques such as ad-blocking, JavaScript injection and traffic-redirection; and (iv) any possible occurrence of TLS interception.

We use a dedicated testbed, depicted in Figure 5, composed of a smartphone that connects to the Internet via a computer configured as a WiFi access point (AP) with dual-stack support. The WiFi AP runs tcpdump to intercept all the traffic being transmitted between the mobile device and the Internet. This allows us to observe the traffic generated by each VPN app as seen by an in-path observer.

We test individually each one of the 150 VPN apps under consideration. We could not fully automate our measurement efforts, as one of the goals of our study is to understand and test the options offered by each VPN app in their GUI (e.g., egress point diversity and supported VPN protocols). Prior to each test, we also ensure that the previous app we experimented with has not modified the root certificate store, and we reboot the device to enforce the complete renewal of the virtual interface.

We run a set of purpose-built scripts (not only between the device and a server under our control but also to popular websites) and the ICSI Netalyzr tool for Android [89] to generate traffic and to analyze the different network- and traffic-related aspects of VPN apps. All the tests were conducted over a proxy-free link at Data61/CSIRO (Australia), thus the observed traffic manipulations and middleboxes can only be attributed to the VPN apps and their online infrastructure. Each subsection will describe in detail the tests used for each aforementioned analysis. The number of tests that we run per app varies with the configurability of the app (e.g., whether the user can select a server in a given country) and the diversity of IP addresses that we observe. Two people executed a total of 5,340 tests manually for three months and connected to all end-points mentioned in the GUI of a given VPN app.

Figure 5: Our testbed and the 3 possible interception and forwarding modes for VPN apps: (1) local interception as a transparent proxy, (2) cloud-based forwarding through a VPN server, and (3) traffic forwarding through a participating node (peer forwarding) or other participating nodes. Our instrumented WiFi access point (AP) has the ability to observe all the traffic generated by each VPN app.
5.1 Interception and Forwarding Mechanisms

App developers can leverage the VPN permission to implement localhost proxies (Case 1 in Figure 5) or to forward user's traffic to an external machine. In the latter case, the egress point could be either a remote server hosted in the cloud (Case 2) or another participating node in a peer-forwarding fashion (Case 3). In this analysis we investigate the forwarding mechanism implemented by each VPN app according to the possible scenarios.

Our detection method relies on the client opening TCP connections to a remote dual-stack server under our control after enabling the traffic interception mode for each app. Our server records the public IP address for each TCP connection (i.e., the egress point) and obtains its associated complete domain name (FQDN). We leverage MaxMind's GeoIP services [92] to identify the geographical location of the egress point. Our geo-location analysis is therefore limited to MaxMind's accuracy [72, 96]. We also use Spamhaus Policy Block List (PBL) [49] records to identify which IP addresses are associated with residential ISPs [65]. Note that Spamhaus' PBL records are populated directly by ISPs to improve spam detection, so they can be considered as an accurate proxy to identify IP addresses associated with residential end-users.

After introducing the different datasets that we will leverage to illuminate the forwarding mechanisms for each VPN app, we now define each forwarding mechanism as depicted in Figure 5. An app performs local interception if it operates as a localhost proxy without forwarding user's traffic to a terminating VPN server (i.e., if the observed public IP address for all the TCP connections generated by our script matches the public IP address of our experimental setup). Otherwise, the VPN app implements external forwarding. For the latter case, we define two sub-categories: cloud forwarding if the VPN app uses a cloud provider to host their "terminating" VPN servers; and peer forwarding if the app leverages other participating users as egress points.
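The three definitions above applied in code, as an added example rather than the authors' measurement scripts: the setup's public IP, the per-app egress IPs, the residential-prefix set that stands in for Spamhaus PBL and the prefix-to-country table that stands in for MaxMind GeoIP are all constructed values, and the rule "any PBL-listed egress IP means peer forwarding" is this example's own reading of the definitions.

```python
"""Classify a VPN app's forwarding mode from the egress IPs it produced.

Added example, not the paper's tooling. It applies the three definitions
from Section 5.1 to constructed measurement records: the public IP of the
test setup, the egress IPs the control server saw for each app, and a
lookup saying whether an egress IP belongs to residential (end-user)
address space, for which the paper uses Spamhaus PBL.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Public IP of the experimental setup (constructed documentation address).
SETUP_PUBLIC_IP = "203.0.113.10"

# Stand-in for Spamhaus PBL: prefixes an ISP marked as end-user space.
# Constructed documentation ranges, not real PBL data.
RESIDENTIAL_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("192.0.2.0/25")]

# Stand-in for MaxMind GeoIP: prefix -> country code (constructed mapping).
GEO = {
    ip_network("203.0.113.0/24"): "AU",
    ip_network("198.51.100.0/24"): "US",
    ip_network("192.0.2.0/24"): "NL",
    ip_network("100.64.0.0/10"): "US",
}


def is_residential(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_PREFIXES)


def country_of(ip: str) -> str:
    addr = ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"


@dataclass
class AppMeasurement:
    app: str
    egress_ips: list = field(default_factory=list)


def classify(m: AppMeasurement, setup_ip: str = SETUP_PUBLIC_IP) -> str:
    """Return 'local interception', 'peer forwarding' or 'cloud forwarding'.

    Local interception: every connection left from our own public IP.
    Otherwise the traffic was forwarded externally; if any egress IP sits in
    residential (PBL-listed) space we call it peer forwarding, else cloud
    forwarding.
    """
    if not m.egress_ips:
        raise ValueError(f"{m.app}: no connections recorded")
    if all(ip == setup_ip for ip in m.egress_ips):
        return "local interception"
    if any(is_residential(ip) for ip in m.egress_ips if ip != setup_ip):
        return "peer forwarding"
    return "cloud forwarding"


def egress_countries(m: AppMeasurement) -> Counter:
    """Countries of the remote egress points (our own IP is not an egress)."""
    return Counter(country_of(ip) for ip in m.egress_ips if ip != SETUP_PUBLIC_IP)


# Constructed records: what the control server might log for three apps.
SAMPLE = [
    AppMeasurement("firewall-style app", [SETUP_PUBLIC_IP] * 4),
    AppMeasurement("cloud VPN", ["100.64.1.2", "100.64.1.2", "192.0.2.200"]),
    AppMeasurement("peer VPN", ["198.51.100.7", "100.64.9.9", "192.0.2.5"]),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.app, "->", classify(rec), dict(egress_countries(rec)))
```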
Local Interception. Only 4% of the analyzed VPN apps use the VPN permission to intercept user's traffic in localhost or to implement transparent localhost proxies [97]. These VPN apps include antivirus software (e.g., Dr.Web Security Space), tcpdump-like tools that operate in user-space (e.g., tPacketCapture) and privacy and connection firewalls that allow users to generate connection logs or to block traffic at the flow- or app-level (e.g., NoRoot Firewall). Given that the traffic is intercepted locally and not forwarded through a VPN tunnel, our WiFi AP can identify side-connections generated by such apps. Notably, we observed that Dr.Web Security Space (an AV app) opens side-channel HTTPS flows to drweb.com and to 1lt.su [footnote 8]. To determine whether they are used to forward a copy of user's traffic, we correlate the exogenous flow sizes to the flow size (9KB) to our local web server. We observe 11KB and 4KB of traffic to 1lt.su and drweb.com, respectively. Unfortunately, given that these flows are encrypted, we could not investigate their payload to identify whether they are legitimate or not. For the remaining apps implementing local interception, we only observe traffic associated with their embedded third-party libraries for analytics and advertisement services.
Externalforwarding.
Figure6showsthecumulativedistri-butionofthenumberofcountrieshostingegresspointsfortheremaining96%ofVPNapps.
WeobserveasignicantdifferenceinthegeographicalcoveragebetweenfreeVPNappsandpremiumVPNapps.
ThedistributionsuggeststhatVPNserversforpremiumVPNappsaremorescatteredaroundtheglobethanfortheirentirelyfreecounterparts:80%ofthefreeappshavetheirserversinlessthan6dif-ferentcountries,while63%ofthepremiumVPNappshaveegresspointsinmorethan6countries.
Infact,atleast20%ofpremiumVPNappshavetheirserverslocatedinmorethan50differentcountries.
TheUShostsegresspointsfor77%offreeand90%ofpremiumVPNappsrespectively.
FranceandtheNether-landsareinsecondandthirdpositionforfreeVPN-apps(31%and27%respectively)whereastheU.
KandGermany8WehavenoticedthatDr.
WebappendsthepublicIPaddressofourinstitutionasaprextothedomain1lt.
su.
Figure6:DistributionofthenumberofcountriesperVPNapp.
HostingProviderFreeApps(N=130)#RecordedIPsDigitalOcean13%74TimeWarnerCableInternet6%8AmazonAWS6%10JSCER-TelecomHolding6%8SaudiTelecomComp.
JSC2%3HostingProviderPrem.
Apps(N=20)#RecordedIPsLeaseweb20%10Reliablehosting10%505AstuteHosting10%5DigitalOcean10%2IP-OnlyNetworksAB5%3Table8:Top5VPNhostinginfrastructures(byASN)usedbyfreeVPNappsandpremiumVPNapps.
aresecondandthirdforpremiumapps(85%and80%re-spectively)9.
Notably,thetop3countriescontributeto41%and52%ofthetotalnumberofVPNend-pointsforfreeandforpremiumVPNappsrespectively.
AsignicantfractionofVPNappsconcentratealloftheiregresspointsinasinglecountry:16%offreeVPNappslo-catealloftheirend-pointsconcentratedintheU.
S.
,whereas10%ofthepremiumVPNappshavealltheiregresspointsconcentratedinTheNetherlands.
TheotherextremeistheVPNappHideMyAss[23]whichprovidesterminatingVPNserversvirtuallyinalmosteverycountryintheworld(209countries/governmentsaccordingtoMaxMind'sgeolocation).
IfwelookattherankofhostingprovidersacrossVPNapps,weobservethatDigitalOcean10(anAmericancompany)andLeaseweb11(aDutchcompany)arethemostcommonprovidersforfreeandpremiumVPNappsrespectively.
Table8showsthetop5hostingprovidersbythenumberofVPNappsactivelyusingtheirservices.
PeerforwardingenablesVPNappstoincreasethenum-berofegresspointspercountrywhilereducingthecostsofmaintaininganonlinehostinginfrastructure.
12WeattempttoidentifyappsimplementingpeerforwardingfromthesetofVPNappswithpublicIPaddresseslabeledasresidentialIPsbySpamhausPBL.
However,conductingthisclassica-tionproveschallenging(andpronetoerrors)asVPNser-vicescandeployVPNserversinresidentialISPs.
This,un-9SinceVPNappscanhaveend-pointsinmultiplecountriestheper-centagesdonotaddupto100%.
10https://www.
digitalocean.
com11https://www.
leaseweb.
com12Forreference,thecostpermonthofthehostingproviderscanrangefrom5USD/month(DigitalOcean)toalmost200USD/-month(AstuteHosting).
AppClass#ASsResidentialAS(%)ExogenousTrafcOpenGate[37]Free5470%VPNGate[59]Free4060%VyprVPN[63]Free250%OneClickVPN[36]Free5753%Tigervpns[55]Free616%StrongVPN[51]Prem.
5914%Hola[24]Free415%HideMyAss[23]Prem.
1347%PrivateWiFi[41]Free307%VPNSecure[61]Prem.
442%Table9:VPNappswithegresspointsinresidentialISPs.
Thelastcolumnindicateswhetherwehaveobservedanypossibleexogenousowsforsuchapps.
fortunately,limitsourabilitytomakeacleardistinctionbe-tweenVPNappsimplementingcloud-andpeer-forwarding,orevenhybridapproaches.
6% of the free VPN apps and 15% of the premium VPN apps relay traffic through residential ISPs. However, due to the aforementioned challenges, instead of attempting to classify each VPN app in these categories, we report in Table 9 the percentage of ASes for which we identified a residential egress point and the total number of ASes for each VPN app for reference. Out of these apps, only Hola confirms its community-powered nature (P2P) on its website.

We inspect the packets captured by our WiFi AP to identify the presence of exogenous flows which may have been forwarded through our device in a peer-to-peer fashion by the VPN engine for other participating users. While running HideMyAss we observed traffic going to JPMorgan and LinkedIn. None of these domains seem to be associated with any of the third-party libraries used by the HideMyAss app. Unfortunately, we cannot entirely confirm the origin of these flows to assess whether or not they are endogenous to the app, as our VPN session may not have lasted long enough to capture traffic from other participating users (for each end-point, a session lasts 180 seconds). In the case of Tigervpns, we also identified flows to domains that no longer exist (e.g., formaxhane.com and qudosteam.com, for which the DNS lookup returned NXDOMAIN and SERVFAIL, respectively). Nevertheless, the mere possibility of VPN apps following a peer forwarding model raises some intriguing questions about their operational transparency and the security guarantees when forwarding traffic through (or on behalf of) other participating devices, which are not necessarily trustworthy.

5.2 VPN Protocols and Traffic Leaks

Ideally, the traffic forwarded through the VPN tunnel must be opaque to an in-path observer (e.g., Internet service providers, commercial WiFi APs and surveillance agencies). However, there is a wide range of tunneling protocols, each with different security guarantees, that can be used by app developers to forward traffic out of the device: from secure IPSec tunnels to basic TCP tunnels without any encryption. In addition to insecure tunneling protocols, developer-induced misconfigurations and errors may also undermine the user's privacy and security. VPN app developers must explicitly forward IPv6 traffic and provide the DNS settings at the time of creating the virtual interface programmatically. If not done carefully, DNS and IPv6 traffic may not be forwarded through the virtual interface [95]. In particular, DNS leakage can reveal the user's networking activity and interests. The VPN API also allows app developers to overwrite the user's DNS resolver with one of their choice.

All these artifacts can become a serious harm for users trying to circumvent surveillance or seeking online anonymity by using VPN apps. To investigate those crucial aspects of VPN apps, we run a script that performs crafted HTTP requests (both over IPv4 and IPv6) as well as DNS lookups to our dual-stack server under our control. In this section, we analyze the pcaps captured by our in-path WiFi AP to investigate the presence of tunnels without encryption in the wild (i.e., we consider a tunnel implementation as unencrypted if the payload of our custom HTTP requests is seen in the clear by our WiFi AP) and to identify potential IPv6 and DNS leaks. We leverage the complementary features provided by a pcap parser [40] and Bro's comprehensive protocol analyzers (which provide support to identify some tunneling technologies) [94] to inspect in detail the traffic collected for each app.

VPN Tunnel Implementations. Table 10 shows the VPN tunneling protocols that we identified in the pcap traces gathered by our dual-stack WiFi AP. As mentioned earlier, we rely on Bro's suite of protocol parsers to identify the actual protocol used by each VPN app. Unfortunately, Bro only provides full support for OpenVPN, L2TP/IPSec and SOCKS tunnels. For the remaining cases, we could not identify their application-layer protocol. Instead, we report the transport-layer protocol and the destination port in use. Identifying the actual protocol would have required us to decrypt the channel to inspect the payload. Table 10 reports the different tunneling protocols that our method allowed us to identify. We observe that OpenVPN is the most popular tunneling technology both for free and premium apps (14% and 20% respectively). However, many VPN apps also use some tunneling technology over TLS and DTLS [99]. Of particular concern are the 19% and 10% of free and premium apps using basic TCP tunnels (also known as "port forwarders") and insecure HTTP tunnels [75]. Like our WiFi AP, any in-path middlebox could inspect the payload for those apps in the clear. Therefore, the VPN apps using tunneling protocols without encryption are not protecting their user-base from online surveillance and from WiFi APs harvesting the user's data.

Table 10: VPN tunneling protocols observed by our WiFi AP for the analyzed VPN apps.

Protocol              Free Apps  Premium Apps
OpenVPN               14%        20%
L2TP/IPSec            5%         0%
SOCKS                 4%         0%
Unidentified UDP:80   0%         10%
TLS (TCP:443)         15%        10%
DTLS (UDP:443)        13%        25%
Other ports           30%        25%
Unencrypted           19%        10%

IPv6 and DNS leaks. We observe that 84% of the analyzed VPN apps do not route IPv6 traffic through the VPN tunnel. Moreover, 66% of the VPN apps do not forward DNS traffic through the VPN tunnel, so any in-path observer can monitor the DNS networking activity of the user. IPv6 and DNS leaks can ease user monitoring and censorship. Consequently, VPN apps like HideMyAss and VPNSecure, which claim to provide security and anonymity, are not effective against surveillance and malicious agents. Traffic leaks can be the result of intentional design decisions, lack of IPv6 support or even some developer-induced errors when configuring the routing parameters of the VPN app. Unfortunately, we could not identify the root cause for the observed leaks.

DNS redirection. For each one of the DNS lookups that we perform, we also check whether the IP address of the DNS resolver matches our configured resolver's IP. Notably, 55% of the free apps (and 60% of premium apps) redirect the user's DNS queries to Google DNS, whereas 7% of free and 10% of premium VPN apps forward DNS traffic to their own DNS resolvers. In the latter case, users may be vulnerable to content filters and other DNS artifacts implemented by the DNS resolver such as traffic redirection [111]. We have not further investigated the presence of traffic blockage or redirection mechanisms at the DNS level.
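The checks of Sections 5.1 and 5.2 (public-IP matching for local interception, the crafted-request-in-the-clear test for unencrypted tunnels, IPv6 and DNS leaks, and resolver redirection) carried out over flow records, as an added example that is not the paper's measurement code. The addresses, app names, flow records and record fields are constructed assumptions; the logic runs on these records rather than on pcaps.

```python
"""Classify a VPN app from the flows seen by the in-path WiFi AP and by our
dual-stack test server (Sections 5.1 and 5.2). Added example, not the paper's
code: every flow record is constructed and the record fields are assumptions."""
from dataclasses import dataclass

# Constructed fixed points of the setup (documentation address ranges).
DEVICE_IP = "192.168.1.20"             # phone's address on the AP's LAN
AP_PUBLIC_IP = "203.0.113.10"          # public IP of the WiFi AP, i.e. of our setup
TEST_SERVER_V4 = "198.51.100.5"        # dual-stack web + authoritative DNS server
TEST_SERVER_V6 = "2001:db8::5"
CONFIGURED_RESOLVER = "198.51.100.53"  # resolver configured on the device
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}
PROBE = b"GET /vpn-probe-7f3a HTTP/1.1"  # crafted request sent through every app


@dataclass(frozen=True)
class Flow:
    src: str       # source address at the observation point
    dst: str
    dport: int
    proto: str     # "TCP" or "UDP"
    payload: bytes = b""


def classify(ap_flows, server_flows):
    """ap_flows: what the WiFi AP sees on the wire (outside any tunnel).
    server_flows: what reaches our server (src = who really contacted us)."""
    r = {}
    # 5.1 forwarding mechanism: local interception if every TCP connection to
    # our web server arrives from the setup's own public IP.
    web_peers = {f.src for f in server_flows if f.proto == "TCP" and f.dport == 80}
    local = web_peers <= {AP_PUBLIC_IP}
    r["forwarding"] = "local-interception" if local else "external"
    if local:      # nothing is tunnelled, so tunnel and leak checks do not apply
        return r
    # 5.2 unencrypted tunnel: the AP sees our crafted HTTP request in the clear.
    r["unencrypted_tunnel"] = any(PROBE in f.payload for f in ap_flows)
    # IPv6 leak: the IPv6 request leaves the device outside the tunnel.
    r["ipv6_leak"] = any(f.dst == TEST_SERVER_V6 for f in ap_flows)
    # DNS leak: UDP/53 queries visible to the AP instead of inside the tunnel.
    r["dns_leak"] = any(f.proto == "UDP" and f.dport == 53 for f in ap_flows)
    # DNS redirection: which resolver actually queried our authoritative server.
    resolvers = {f.src for f in server_flows if f.dport == 53}
    if resolvers <= {CONFIGURED_RESOLVER}:
        r["dns_resolver"] = "configured"
    elif resolvers <= GOOGLE_DNS:
        r["dns_resolver"] = "google-dns"
    else:
        r["dns_resolver"] = "vpn-own"
    return r


# Constructed observations for three hypothetical apps: (ap_flows, server_flows).
OBSERVATIONS = {
    # Localhost firewall: no tunnel, so the AP sees everything and our server
    # sees the AP's own public IP.
    "LocalFirewall": (
        [Flow(DEVICE_IP, TEST_SERVER_V4, 80, "TCP", PROBE),
         Flow(DEVICE_IP, CONFIGURED_RESOLVER, 53, "UDP", b"probe.example.test")],
        [Flow(AP_PUBLIC_IP, TEST_SERVER_V4, 80, "TCP", PROBE),
         Flow(CONFIGURED_RESOLVER, TEST_SERVER_V4, 53, "UDP")],
    ),
    # Plaintext TCP tunnel to a VPN server, IPv6 sent directly, DNS via Google.
    "FreeTunnelVPN": (
        [Flow(DEVICE_IP, "192.0.2.44", 8080, "TCP", b"\x00\x10" + PROBE),
         Flow(DEVICE_IP, TEST_SERVER_V6, 80, "TCP", PROBE)],
        [Flow("192.0.2.44", TEST_SERVER_V4, 80, "TCP", PROBE),
         Flow("8.8.8.8", TEST_SERVER_V4, 53, "UDP")],
    ),
    # Encrypted tunnel carrying IPv4 and IPv6, but DNS queries bypass the tunnel.
    "PremiumVPN": (
        [Flow(DEVICE_IP, "192.0.2.99", 1194, "UDP", b"\x38\x9a\xf1\x02\x7c\xd0"),
         Flow(DEVICE_IP, CONFIGURED_RESOLVER, 53, "UDP", b"probe.example.test")],
        [Flow("192.0.2.99", TEST_SERVER_V4, 80, "TCP", PROBE),
         Flow(CONFIGURED_RESOLVER, TEST_SERVER_V4, 53, "UDP")],
    ),
}


def run_all(observations=OBSERVATIONS):
    return {app: classify(ap, srv) for app, (ap, srv) in observations.items()}


if __name__ == "__main__":
    for app, verdict in run_all().items():
        print(app, verdict)
```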
5.3 Traffic Manipulation

In-path proxies allow VPN services to gain control over users' traffic and to manipulate traffic on the fly [109, 110, 98]. Moreover, many proxy features can provide an economic benefit for ISPs and network providers, as in the case of HTTP header injection [108] or traffic redirection for advertising purposes [111].

We leverage the comprehensive network troubleshooting tool Netalyzr for Android to identify in-path flow-terminating proxies at the TCP level and, in the case of HTTP proxies, how they interfere with the user's traffic. In a nutshell, Netalyzr controls both the client and the server side and crafts packets and HTTP requests in a way that allows identifying non-transparent proxies along the path [110]. We refer the reader to the Netalyzr-related bibliography for further implementation details [89, 110, 109].

We extend the insights provided by the Netalyzr tool with custom-built tests that allow us to identify VPN apps implementing techniques such as ad-blocking, JavaScript injection for advertising and analytics purposes [98, 80], and traffic redirection (i.e., redirecting users' traffic to third-party advertising partners). In particular, we use two techniques to identify such proxy manipulations: First, we investigate domain mismatches between the DNS request and the service ultimately delivering the content using reverse DNS [111]. Second, we investigate content modifications for a website completely under our control, seven e-commerce websites (alibaba.com, ebay.com, target.com, bestbuy.com, overstock.com, newegg.com, and macys.com) and the top-30 websites in the US, China, and Europe according to Alexa's rank [1]. As we demonstrated in one of our previous research efforts, the JavaScript code for two or more simultaneously accessed DOM tree elements (e.g., ads) belonging to the same website remains identical despite noticeable differences in the DOM tree elements [82]. This feature of today's websites allows us to identify possible JavaScript injection by comparing the DOM trees for all selected websites before and after testing each VPN app. We use Selendroid [47] to fetch the rendered HTML source and extract the JavaScript as well as the DOM trees for each site.

Figure 7: Distribution of in-path TCP proxy deployment per port.

In-path Proxies. The Netalyzr tests failed systematically for 34% of the analyzed VPN apps. Unfortunately, we do not have enough information to explain whether such failures are caused by VPN app behavior or app bugs, or whether they are the result of traffic policies implemented by the VPN provider, as Netalyzr generates traffic resembling BitTorrent which may be blocked by the VPN provider. We acknowledge as a limitation of our tests that we could not determine proxies in 34% of the analyzed VPN apps.

For the remaining 66% of VPN apps, Netalyzr results revealed the presence of flow-terminating proxies for multiple TCP ports, as shown in Figure 7. According to the figure, for every port we study, in-path proxies are more common in premium VPN apps than in their free counterparts. We inspect app descriptions on the Google Play store and observe that only 18% of the analyzed 66% of apps provide such proxying as part of their stated purpose. The rest of the apps implement proxying as additional functionality. Nevertheless, we detected the presence of general-purpose proxies (i.e., proxies listening on all the ports tested) in 8% and 15% of free and premium VPN apps respectively. Given that free VPN apps may implement peer forwarding to redirect the user's traffic, and given the lower number of free VPN apps with premium services that we actively analyzed, in-path middleboxes and proxies may be less common in such scenarios.

In-path proxies may have additional negative effects on the user's traffic which are beyond the scope of this study. Many of them may have their own particular or incomplete interpretation of transport-layer protocols [109]. In the case of HTTP proxies, the Netalyzr test revealed that 47% and 55% of free and premium VPN apps actively modify HTTP traffic by default. Some proxy artifacts may have a negative impact on data fidelity and the user's browsing experience, as in the case of techniques like non-HTTP traffic filters over port TCP:80 (15% of VPN apps), HTTP body or header manipulations (14% of VPN apps), and image transcoding (4% of VPN apps).

Table 11: Hotspot Shield redirects user traffic to alibaba.com and ebay.com through its partner networks Conversant Media and Viglink respectively. In the case of target.com, bestbuy.com, overstock.com, newegg.com and macys.com we observed redirections to Conversant Media.

Website      Input Point            Partner Network (click event)                                          Referral
alibaba.com  anchorfree.us/rdr.php  http://www.dpbolvw.net/click-7772790-12173149-1427959067000            NA
ebay.com     anchorfree.us/rdr.php  http://api.viglink.com/api/click?key=4372c7dabb08e4e38d97c4793cf6edb3  anchorfree.us/contentdiscovery2

Ad-Blocking and Tracker-Blocking. Two of the analyzed VPN apps actively block ads and analytics traffic by default on our tested websites: Secure Wireless and F-Secure Freedome VPN. The apps did not explicitly mention the ad-blocking feature in their Google Play store listings (contrary to its Google Play listing, F-Secure Freedome VPN mentions its ad-blocking feature on its website, https://www.f-secure.com/). An analysis of the decompiled source code, using ApkTool, revealed that the F-Secure Freedome VPN app blocks any traffic coming from a pre-defined list of domains associated with web and mobile tracking [16], including Google Ads, DoubleClick, and other popular tagging/analytics services such as Google Tag and comScore. However, blacklist-based ad blocking may affect the functionality of web pages and impair user experience [82, 93]. Specifically, F-Secure Freedome VPN blocks JavaScript code associated with nytimes.com's event "Tagging Services" which, as a result, prevents user access to and interaction with embedded relevant video content [82].

JavaScript Injection. We identified two free VPN apps (VPN Services Hotspot Shield [26] by AnchorFree and WiFi Protector VPN [64]) actively injecting JavaScript code using iframes for advertising and tracking purposes. Both apps claim to safeguard user privacy and to provide security and anonymization (cf. Section 3.3). However, in the case of AnchorFree, they also provide advertising services [25]. Our static analysis of both apps' source code revealed that they actively use more than 5 different third-party tracking libraries. The developer team behind WiFi Protector VPN corroborated our observations and stated that the free version of its app injects JavaScript code for tracking and for displaying their own ads to the users.

Traffic Redirection. AnchorFree's VPN app Hotspot Shield performs redirection of e-commerce traffic to partnering domains. When a client connects through the VPN to access specific web domains (during our experiments, redirection happened exclusively for websites categorized as e-commerce sites such as alibaba.com), the app leverages a proxy that intercepts and redirects the HTTP requests to partner websites with the following syntax: http://anchorfree.us/rdr.php?q=http://www.dpbolvw.net/click-7772790-12173149-1427959067000. As a result, the user's traffic is relayed through two organizations before reaching alibaba.com: AnchorFree and dpbolvw.net, a domain owned by valueclick.com (or Conversant Media, an online advertising company, http://www.conversantmedia.com). Table 11 contains two samples of such requests. Our tests also identified a second partner: Viglink (http://www.viglink.com). According to AnchorFree's website, the app provides "shielded connections, security, privacy enhancement for individuals and small businesses" and an "ad-free browsing" environment [25].
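An added example (not the paper's code) of the two detection techniques used in this section: comparing the executable content of a page fetched directly and through a VPN app to spot injected scripts and iframes, and unwrapping the rdr.php?q= redirector quoted above to list the parties that see an e-commerce click. The two HTML snapshots and the example.test hostnames are constructed; the redirect URL is the one quoted in the text.

```python
"""Detect proxy-side JavaScript injection and affiliate redirection (Section 5.3).
Added example, not the paper's code. The two HTML snapshots are constructed;
the rdr.php?q=<url> redirector pattern is the one quoted in this section."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class ExecutableContent(HTMLParser):
    """Collects what can execute in the page: external script URLs, SHA-256 of
    inline scripts, and iframe sources. Other DOM differences between two loads
    (rotating ad slots, timestamps) are deliberately ignored, following the
    paper's observation that a site's JavaScript stays identical across loads."""

    def __init__(self):
        super().__init__()
        self.items = set()
        self._script_buf = None   # list while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.items.add(("script-src", a["src"]))
            else:
                self._script_buf = []
        elif tag == "iframe" and a.get("src"):
            self.items.add(("iframe", a["src"]))

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf).strip().encode()
            self.items.add(("inline-sha256", hashlib.sha256(body).hexdigest()))
            self._script_buf = None


def executable_content(html):
    p = ExecutableContent()
    p.feed(html)
    p.close()
    return p.items


def injected_content(baseline_html, via_vpn_html):
    """Scripts and iframes present only when the page is fetched through the VPN."""
    return executable_content(via_vpn_html) - executable_content(baseline_html)


def redirect_chain(url, max_hops=5):
    """Unwrap nested ?q=<url> redirectors; returns the hosts the click passes
    through, in order, ending at the destination. Assumes the nested URL is not
    percent-encoded, as in the request quoted in the section."""
    hosts = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        hosts.append(parts.hostname)
        nested = parse_qs(parts.query).get("q")
        if not nested:
            break
        url = nested[0]
    return hosts


def relaying_parties(requested_host, observed_url):
    """Organisations other than the requested site that see the user's request."""
    return [h for h in redirect_chain(observed_url) if h != requested_host]


# Constructed snapshots of the same (fictional) shop page, fetched directly and
# through a VPN app whose proxy adds a tracking iframe and an ad script.
BASELINE = """<html><head><script src="https://shop.example.test/static/app.js"></script>
<script>window.cfg = {"cart": 3};</script></head>
<body><div id="ad-slot" data-ts="1700000000">Deal of the day</div></body></html>"""
VIA_VPN = """<html><head><script src="https://shop.example.test/static/app.js"></script>
<script>window.cfg = {"cart": 3};</script>
<script src="http://ads.example.test/inject.js"></script></head>
<body><div id="ad-slot" data-ts="1700000321">Flash sale</div>
<iframe src="http://ads.example.test/track.html" width="0" height="0"></iframe></body></html>"""

# Redirect observed in the paper for a request to alibaba.com (Section 5.3).
ALIBABA_REDIRECT = ("http://anchorfree.us/rdr.php?q="
                    "http://www.dpbolvw.net/click-7772790-12173149-1427959067000")

if __name__ == "__main__":
    print(injected_content(BASELINE, VIA_VPN))
    print(relaying_parties("www.alibaba.com", ALIBABA_REDIRECT))
```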
5.4 TLS Interception

VPN apps are in a privileged position to perform TLS interception [107]. They can compromise the local root certificate store of the device by injecting their own self-signed certificates using Android's KeyChain API [66]. Once a certificate is installed on the device, the app can intercept the TLS session establishment and generate "legit" certificates on the fly, verifiable by the self-signed root certificate injected into the trusted certificate root store [107]. To limit potential new venues for abuse, Android requires the user's consent to install root certificates and shows an additional system notification that informs the user that a third party can monitor their secure traffic. Only tech-savvy users may be able to fully understand the security implications of installing a root certificate.

We instrumented our Android device with OpenSSL so that we can capture a copy of the SSL/TLS server certificate when accessing more than 60 popular services operating over SSL, including HTTPS, SMTP over TLS, and POP3 over TLS. The services reached in our test include diverse and popular services like Google, Gmail, Facebook, Twitter, Skype, banking services, CDNs, analytics services and e-commerce sites, many of which are associated with mobile apps implementing security countermeasures such as certificate pinning [77, 46].

We validated each server certificate against the ICSI Certificate Notary to identify possible cases of TLS interception: 3% of the TLS sessions provided certificates for which the ICSI notary could not establish a valid chain to a root certificate from the Mozilla root store. By manually inspecting each certificate, we identify 4 free VPN apps (developed by 3 different app developers) that actively intercept TLS traffic by issuing self-signed certificates, as shown in Table 12. Two of the apps implementing TLS interception, DashVPN and DashNet, are implemented by the company ActMobile. A detailed inspection of the domains for which we recorded self-signed certificates revealed that only the app Packet Capture performs TLS interception indiscriminately for all domains, even if the apps perform cert pinning. The other apps (Neopard, DashVPN and DashNet, all of which claim to provide traffic acceleration) target specific services, as reported in Table 13, more inclined towards email services, social networks, search engines and IM. This behavior may be a consequence of the nature of the apps and the intent of the online services that they aim to optimize.

Table 12: VPN apps performing TLS interception, the CA signing the forged certificates, and whether the apps explicitly inform the user about TLS interception practices in their GUI or in their privacy policy.

VPN app                CA              User-warning    #Installs
Packet Capture [39]    Packet Capture  GUI             100K
DashVPN [10]           ActMobile       none            100K
DashNet [9]            ActMobile       none            10K
Exalinks Neopard [31]  Exalinks Root   Privacy Policy  10K

Table 13: Intercepted domains per VPN app (Neopard, DashVPN, DashNet, Packet Capture). The list only prints the TCP port for those different than 443. Domains intercepted (the per-app columns are not recoverable from this copy; per the text, Packet Capture intercepts every listed domain while the other three intercept subsets): google-analytics.com, mail.google.com, mail.yahoo.com, maps.google.com, orcart.facebook.com (8883), play.google.com, www.akamai.com, www.alcatel-lucent.com, www.amazon.com, www.avaya.com, www.bankofamerica.com, www.chase.com, www.cisco.com, www.ebay.com, www.facebook.com, www.fring.com, www.gmail.com, www.google.co.uk, www.google.com, www.hotwire.com, www.hsbc.com, www.ibm.com, www.icsi.berkeley.edu, www.linkedin.com, www.outlook.com, www.qq.com, www.seagate.com, www.simple.com, www.skype.com, www.taobao.com, www.tripadvisor.com, www.twitter.com, www.viber.com, www.yahoo.com, www.youtube.com.

We manually inspected the apps' GUIs to check if the apps inform users about the purpose of performing TLS interception and what TLS interception implies. Packet Capture supports TLS interception (as an opt-in feature in the app) in order to expose TLS traffic to its users. Likewise, Neopard, a web acceleration app, also notifies users about the purpose of performing TLS interception in order to optimize traffic. Their privacy policy (April 2016) [32] informs users about TLS interception and lists "perform mobile usage reviews for market studies" as one of the purposes of their data collection process. In the case of DashVPN and DashNet, none of them inform users about the purpose of performing TLS interception at all.
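An added example (not the paper's code) of the notary-style check used in this section: each captured chain is walked towards a trusted root, and per app the report names the forging CA and states whether interception is indiscriminate (every tested endpoint, as found for Packet Capture) or selective (a subset, as for the accelerators). The trust store, chains, endpoints and app names are constructed name-only records with no real keys or signatures.

```python
"""Flag TLS interception from captured server certificate chains, mirroring the
notary check of Section 5.4: a chain that cannot be built up to a root in the
trusted store is treated as forged. Added example, not the paper's code; the
trust store and every chain are constructed name-only records (no real keys)."""
from collections import defaultdict

# Constructed stand-in for the Mozilla root store: subjects of trusted roots.
TRUSTED_ROOTS = {"CN=Example Global Root CA", "CN=Example Root CA 2"}


def chain_anchor(chain, trusted_roots, max_depth=8):
    """chain: list of {'subject','issuer'} dicts, leaf first, as sent by the server.
    Returns (trusted, anchor): anchor is the issuer name where the walk stopped,
    which for an intercepted session is the forging CA."""
    by_subject = {c["subject"]: c for c in chain}
    cur = chain[0]
    for _ in range(max_depth):
        issuer = cur["issuer"]
        if issuer in trusted_roots:
            return True, issuer
        if issuer == cur["subject"]:      # self-signed and not in the store
            return False, issuer
        nxt = by_subject.get(issuer)
        if nxt is None:                   # chain stops short of any root
            return False, issuer
        cur = nxt
    return False, cur["issuer"]


def find_interception(observations, trusted_roots=TRUSTED_ROOTS):
    """observations: {app: {(domain, port): chain}} captured while each app ran.
    Per app, reports the forging CA(s), the intercepted endpoints, and whether
    every tested endpoint was intercepted (indiscriminate) or only some (selective)."""
    report = {}
    for app, sessions in observations.items():
        forged = defaultdict(list)
        for endpoint, chain in sorted(sessions.items()):
            trusted, anchor = chain_anchor(chain, trusted_roots)
            if not trusted:
                forged[anchor].append(endpoint)
        if not forged:
            continue
        hit = sum(len(v) for v in forged.values())
        report[app] = {
            "ca": sorted(forged),
            "endpoints": dict(forged),
            "scope": "indiscriminate" if hit == len(sessions) else "selective",
        }
    return report


# Constructed chains. The genuine chain ends at a trusted root; a forged one is
# issued by a self-signed CA that the app itself installed on the device.
def genuine(domain):
    return [{"subject": f"CN={domain}", "issuer": "CN=Example Intermediate CA"},
            {"subject": "CN=Example Intermediate CA", "issuer": "CN=Example Global Root CA"}]


def forged(domain, ca):
    return [{"subject": f"CN={domain}", "issuer": ca}, {"subject": ca, "issuer": ca}]


ENDPOINTS = [("www.example.test", 443), ("mail.example.test", 993), ("bank.example.test", 443)]
OBSERVATIONS = {
    "CleanVPN": {ep: genuine(ep[0]) for ep in ENDPOINTS},
    "CaptureTool": {ep: forged(ep[0], "CN=Capture Tool CA") for ep in ENDPOINTS},
    "Accelerator": {
        ("www.example.test", 443): genuine("www.example.test"),
        ("mail.example.test", 993): forged("mail.example.test", "CN=Accelerator Root"),
        ("bank.example.test", 443): genuine("bank.example.test"),
    },
}

if __name__ == "__main__":
    for app, finding in find_interception(OBSERVATIONS).items():
        print(app, finding)
```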
Summary and takeaways. Our analysis of VPN apps at the network level has revealed that the majority of VPN apps are not transparent enough about how they handle the user's traffic. Despite the promises of security enhancement and online anonymity, VPN apps may forward the user's traffic through other participating nodes following a peer forwarding model (e.g., Hola), thus opening interesting questions about the trustworthiness of the egress points and the security guarantees for users forwarding traffic for others.

Our analysis has also revealed an alarming 18% of VPN apps that implement tunneling technologies without encryption, as well as 84% and 66% of apps leaking IPv6 and DNS traffic respectively. As a result, these apps do not protect the user's traffic against in-path agents performing online surveillance or user tracking. We inspected app descriptions on the Google Play store and observed that 94% of the IPv6- and DNS-leaking apps claim to provide privacy protection. Such traffic leaks may be associated with developer-induced errors, lack of support or even misconfigurations.

Finally, we have also identified abusive practices in our corpus of VPN apps such as JavaScript injection for tracking and advertising purposes, as well as e-commerce traffic redirection to affiliated partners and TLS interception. Only one of the apps implementing these practices (i.e., Packet Capture performing TLS interception) actually informs the users about the presence of such artifacts.
5.5 Developers' responses

We contacted and shared our findings with the developers of each of the apps we observed as involved in any of the following: JavaScript injection, traffic redirection, ad-blocking and tracker-blocking, exogenous flows, peer-forwarding of user traffic, and TLS interception. We also contacted the developers of apps requesting sensitive permissions, apps that are negatively reviewed by users, and apps with embedded third-party tracking libraries. We also contacted the developers of apps which our tests revealed as possibly containing malware in their APKs.

Amongst the two apps (WiFi Protector and Hotspot Shield VPN) that our tests identified as performing JavaScript injection, WiFi Protector confirmed our findings and stated that the free version of their app injects JavaScript code to track users and to show their own ads. Hotspot Shield VPN, which we identified as also performing traffic redirection, has not responded to our correspondence.

The developer behind F-Secure Freedome VPN, which we found blocks third-party ads and trackers, confirmed our findings and elaborated on how they construct their blacklists for third-party tracker- and ad-blocking. The developer has not yet responded to our inquiries about the criteria used to build the blacklists. We have not received any response from SecureWiFi, which our tests also identified as performing ad-blocking.

We received responses from only three developers of the apps that we observed implementing peer-forwarding of user traffic. VyprVPN and VPNSecure confirmed that they have some of their end-points located in residential ISPs, as they may rely on third-party data centers for hosting their services. Hola's developer confirmed our findings and explicitly mentioned Hola's peer-forwarding mechanism. Contacts from the other apps detailed in Table 9 have not yet, as of the time of writing of this paper, responded to our requests for comments or feedback.

Neopard confirmed that they whitelist the domains for which they can optimize traffic and asked for feedback about how to increase their operational transparency and usability. ActMobile initially asked for further information about the purpose of this study and who had commissioned it, and later on acknowledged our findings and confirmed that they disable the default TLS-interception functionality in both of the apps (DashVPN and DashNet). They also reported that, in the new version of the apps, they ask for user consent, explicitly in the apps' GUIs, to install and to enable ActMobile's certificates for TLS interception and traffic acceleration, respectively. We have not received any response from the developer behind Packet Capture, which our tests identified as performing TLS interception.

Only one of the apps' developers explicitly discussed in Section 4.1 responded to our findings and confirmed that tigerVPN requests the sensitive READ_LOG permission to record logs and to use them for troubleshooting purposes. They also confirmed that, in the connection log collected via the READ_LOG permission, they collect users' information such as end-points' IPs, wireless connectivity (mobile data connectivity (3G, 4G, and LTE) or WiFi), and error messages. The developer behind Ip-shield VPN, which we identified as embedding less-popular tracking libraries such as Appflood for targeted ads, argued that Appflood was the best choice to monetize the app. The developer also revealed plans to update an ad-free version of Ip-shield VPN on Google Play.

The rest of the developers of the apps possibly containing malware (cf. Section 4.3), apps that are negatively reviewed by users (cf. Section 4.4), apps that embed third-party tracking libraries (cf. Section 4.2), and the one with exogenous traffic flows (cf. Section 5.1) have not yet, as of the time of writing of this paper, responded to our findings.
6. LIMITATIONS AND FUTURE WORK

Our method to identify and characterize VPN apps on Google Play presents several limitations, many of which are inherent to static and dynamic analysis [77]. The first limitation is app coverage: our study is limited to Android's free Google Play apps and excludes paid apps, iOS apps and apps from alternative app stores. We also rely on a Google Play crawler to extract our corpus of VPN-enabled apps, which might restrict the app coverage of our study and may miss apps that intentionally (or inadvertently) hide their use of the VPN permission. Although our app crawler aims to capture as many VPN-enabled apps as possible, we stress that our goal is to provide an analysis of the security and privacy issues of a representative sample of VPN-enabled apps from the Google Play store. Second, this paper does not consider Android apps requesting root access on rooted phones to intercept user traffic via native commands such as tcpdump or OpenVPN. Investigating apps falling in this category would require conducting a computationally and time-expensive static analysis. Third, we do not consider runtime analysis of third-party tracking libraries and all sensitive permissions of VPN apps. Determining what an app does with sensitive permissions such as READ_LOG, READ_SMS, and SEND_SMS, and what type of information third-party tracking libraries collect, would require fine-grained system- and network-level trace and traffic analysis.

Moreover, we identify apps implementing peer forwarding from the set of VPN apps with public IP addresses labeled as residential IPs by Spamhaus PBL. Given that VPN services can deploy VPN servers in residential ISPs and that the Spamhaus classification is prone to error, our analysis of peer forwarding may not be accurate. We consider it a limitation, and one possible extension of the work in this paper would be to strengthen our analysis of peer forwarding by (i) extending the test duration to enable tracking of peers (running suspected VPN apps); and (ii) analyzing the traffic flows of an app simultaneously running on two or more mobile phones to determine if they forward traffic for each other. Likewise, our method falls short of analyzing the presence of session timeouts and the apps' ability to recover from a loss of connectivity. These dynamics may cause user traffic to be exposed in the clear to any in-path middlebox for a short period of time.

This paper provides a first detailed analysis of VPN-enabled apps, but it also leaves many open questions beyond the scope of our analysis. Aspects such as possible traffic or device-location discrimination practices [86] or the use of VPN apps as honeypots to harvest personal information have not been addressed in this study. In addition, the reasons behind the mismatch between apps' actual behavior and their terms of use, or the identification of side-channels for the observed data exfiltration, have been left as pending questions.
7. RELATED WORK

Several studies highlighted the privacy risks associated with Android apps over-requesting Android permissions for third-party tracking, advertising and analytics services [105, 103, 91, 73, 74] using techniques like static analysis [114, 69, 78, 79], taint analysis [76, 112], and OS modifications [83, 100, 105, 81]. Previous research also adapted techniques for malware detection such as signature analysis [71, 70, 88, 113] and anomaly detection [104, 102] to the mobile context in order to identify potential malicious activity in mobile apps.

Several research efforts leverage Android's VPN permission to accurately characterize Android's traffic and identify private data leakage inflicted by mobile apps [90, 97, 106]. More related to studying VPN apps, the study conducted by Perta et al. [95] is perhaps the closest one to our analysis. The paper provides a manual analysis of 14 popular VPN services and includes a study of their mobile clients, identifying developer-induced bugs and misconfigurations that lead to IPv6 and DNS leaks. Our paper provides a systematic and thorough security and privacy analysis of Android mobile apps employing the VPN permission. The study by Vallina-Rodriguez et al. characterized Android's root certificate store using data provided by the Netalyzr for Android tool [107]. The study revealed how VPN-enabled apps could perform transparent TLS interception after compromising the root certificate store.

Finally, Appelbaum et al. identified security vulnerabilities in commercial and public online VPN services [67]. A survey conducted by Khattak et al. on VPN usage across Pakistani Internet users reported that 57% of the participants used SSL-based VPN software to access YouTube content [87]. Our paper, in turn, presents a method to systematically identify and analyze security and privacy aspects of VPN-enabled apps on Android-based app stores. The implications of our analysis span other areas such as censorship analysis and network measurements that leverage VPN services to penetrate different countries and ISPs.
8. CONCLUSIONS

Android app developers benefit from native support to implement VPN clients via the VPN permission, to provide censorship circumvention, support enterprise customers and enhance online security and privacy. However, despite the fact that Android VPN-enabled apps are being installed by millions of mobile users worldwide, their operational transparency and their possible impact on the user's privacy and security remain "terra incognita" even for tech-savvy users.

In this paper, we presented a number of static and dynamic methods that allowed us to conduct an in-depth analysis of VPN-enabled apps on Google Play. We investigated everything from the presence of tracking services and malware in VPN app binaries to artifacts implemented by these apps at the network level. Our comprehensive tests allowed us to identify instances of VPN apps that embed third-party tracking services and implement abusive practices such as JavaScript injection, ad redirection and even TLS interception. The ability of the BIND_VPN_SERVICE permission to break Android's sandboxing and the naive perception that most users have about third-party VPN apps suggest that it is urgent to reconsider Android's VPN permission model to increase the control over VPN clients. Our analysis of the user reviews and the ratings for VPN apps suggested that the vast majority of users remain unaware of such practices even when considering relatively popular apps.
Acknowledgments

This work was partially supported by Data61/CSIRO and the National Science Foundation (NSF) under grant CNS-1564329. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of Data61/CSIRO or of the NSF. The authors would like to thank our shepherd, Ben Zhao, and the anonymous reviewers for constructive feedback on the preparation of the final version of this paper. We also thank Nick Kiourtis (Kryptowire) and Angelos Stavrou (Kryptowire) for valuable help.
9. REFERENCES

[1] Alexa Top 500 Websites. http://www.alexa.com/topsites.
[2] Android Permissions. http://developer.android.com/guide/topics/security/permissions.html.
[3] Application Fundamentals. http://developer.android.com/guide/components/fundamentals.html.
[4] Archie VPN. https://play.google.com/store/apps/details?id=com.lausny.archievpnfree.go.
[5] Cisco AnyConnect. https://play.google.com/store/apps/details?id=com.cisco.anyconnect.vpn.android.avf.
[6] CM Data Manager - Speed Test. https://play.google.com/store/apps/details?id=com.cmcm.flowmonitor.
[7] CrossVpn. https://play.google.com/store/apps/details?id=com.goodyes.vpn.cn.
[8] Cyberghost - free vpn & proxy. https://play.google.com/store/apps/details?id=de.mobileconcepts.cyberghost.
[9] DashNet Accelerated VPN. https://play.google.com/store/apps/details?id=com.actmobile.dashnet.
[10] DashVPN | Dash Office - Speed Test. http://dashoffice.com/dash-vpn/.
[11] DNSet. https://play.google.com/store/apps/details?id=com.dnset.
[12] DroidVPN - Android VPN. https://play.google.com/store/apps/details?id=com.aed.droidvpn.
[13] Dr. Web Security Space. https://play.google.com/store/apps/details?id=com.drweb.pro.
[14] EasyOvpn - Plugin for OpenVPN. https://play.google.com/store/apps/details?id=com.easyovpn.easyovpn.
[15] EasyVpn. https://play.google.com/store/apps/details?id=yujia.easyvpn.
[16] F-Secure Freedome Anti-Tracking Feature Explained. https://community.f-secure.com/t5/F-Secure/F-Secure-Freedome-Anti-Tracking/ta-p/52153.
[17] Fast Secure Payment Service. https://play.google.com/store/apps/details?id=com.lausny.ocvpnaio.allpay.
[18] FlashVPN Free VPN Proxy. https://play.google.com/store/apps/details?id=net.flashsoft.flashvpn.activity.
[19] Free VPN Proxy by Betternet. https://play.google.com/store/apps/details?id=com.freevpnintouch.
[20] Good. Mobile Device Management (MDM). https://www1.good.com/secure-mobility-solution/mobile-device-management.html.
[21] Google Play Unofficial Python API. https://github.com/egirault/googleplay-api.
[22] Hat VPN. https://play.google.com/store/apps/details?id=mobi.hatvpn.
[23] HideMyAss! Pro VPN for Android. https://play.google.com/store/apps/details?id=com.hidemyass.hidemyassprovpn.
[24] Hola Free VPN Proxy. https://play.google.com/store/apps/details?id=org.hola.
[25] Hotspot Shield Advertising. http://www.anchorfree.com/advertise.php.
[26] Hotspot Shield Free VPN Proxy. https://play.google.com/store/apps/details?id=hotspotshield.android.vpn.
[27] ip-shield VPN. https://play.google.com/store/apps/details?id=com.ipshield.app.
[28] Junos Pulse. https://play.google.com/store/apps/details?id=net.juniper.junos.pulse.android&hl=en.
[29] Knox Standard SDK. https://seap.samsung.com/sdk/knox-standard-android.
[30] Mobile Security & Antivirus. https://play.google.com/store/apps/details?id=com.trendmicro.tmmspersonal.
[31] NEOPARD. https://play.google.com/store/apps/details?id=com.exalinks.neopard/.
[32] Neopard Privacy Policy. http://neopard-mobile.com/en/about/privacy/.
[33] NeoRouter VPN Mesh. https://play.google.com/store/apps/details?id=com.neorouter.androidmesh.
[34] NoRoot Firewall. https://play.google.com/store/apps/details?id=app.greyshirts.firewall.
[35] OkVpn. https://play.google.com/store/apps/details?id=yujia.okvpn.
[36] OneClickVPN. https://play.google.com/store/apps/details?id=com.lausny.ocvpn.
[37] OpenGate. https://play.google.com/store/apps/details?id=com.btzsoft.vpnclient.
[38] Orbot: Proxy with Tor. https://play.google.com/store/apps/details?id=org.torproject.android.
[39] Packet Capture. https://play.google.com/store/apps/details?id=app.greyshirts.sslcapture.
[40] pcap-parser (0.5.8). https://pypi.python.org/pypi/pcap-parser/0.5.8.
[41] PrivateWiFi. https://play.google.com/store/apps/details?id=com.privatewifi.pwf.hybrid.
[42] Qihoo 360. https://play.google.com/store/apps/details?id=com.qihoo360.mobilesafe.
[43] Raccoon APK Downloader. http://www.onyxbits.de/raccoon.
[44] Rocket VPN - Internet Freedom. https://play.google.com/store/apps/details?id=com.liquidum.rocketvpn.
[45] Samsung KNOX. Partnering with Samsung. https://www.samsungknox.com/en/partners.
[46] Security with HTTPS and SSL. http://developer.android.com/training/articles/security-ssl.html.
[47] Selendroid: Selenium for Android. http://www.selendroid.
io.
[48]sFlyNetworkBooster,Adblocker.
https://play.
google.
com/store/apps/detailsid=com.
cdnren.
sy.
[49]SpamhausPBL.
http://www.
spamhaus.
org/pbl/.
[50]SpotuxVPN.
https://play.
google.
com/store/apps/detailsid=com.
spotux.
android.
[51]StrongVPNOpenVPNClient.
https://play.
google.
com/store/apps/detailsid=com.
strongvpn.
[52]SuperVPN.
https://play.
google.
com/store/apps/detailsid=com.
SuperVPN_Q0102_21.
[53]SurfEasySecureAndroidVPN.
https://play.
google.
com/store/apps/detailsid=com.
surfeasy.
[54]tigerVPN-PrivacyDefender.
https://play.
google.
com/store/apps/detailsid=com.
tigeratwork.
tigervpn.
[55]TigervpnsFreeVPNandProxy.
https://play.
google.
com/store/apps/detailsid=com.
tigervpns.
android.
[56]TorGuardVPN.
https://play.
google.
com/store/apps/detailsid=net.
torguard.
openvpn.
client.
[57]VirusTotal.
https://www.
virustotal.
com.
[58]VPNFree.
https://play.
google.
com/store/apps/detailsid=com.
couxin.
GroxNetwork.
[59]VPNGate.
https://play.
google.
com/store/apps/detailsid=com.
lausny.
vpngate.
[60]VPNServiceDocumentation.
http://developer.
android.
com/reference/android/net/VpnService.
html.
[61]VPNSecureOpenVPNVPNProxy.
https://play.
google.
com/store/apps/detailsid=com.
vpnsecure.
pty.
ltd.
[62]VPN+TOR+CloudVPNGlobusPro!
https://play.
google.
com/store/apps/detailsid=com.
globus.
vpn.
[63]VyprVPNFreeVPNforPrivacy.
https://play.
google.
com/store/apps/detailsid=com.
goldenfrog.
vyprvpn.
app.
[64]WiFiProtectorVPN.
https://play.
google.
com/store/apps/detailsid=com.
wiprotector.
android.
[65]M.
Allman.
Commentsonbufferbloat.
SIGCOMMCCR,2013.
[66]Androiddeveloperdocumentation.
KeyChain.
https://developer.
android.
com/reference/android/security/KeyChain.
html#createInstallIntent().
[67]J.
Appelbaum,M.
Ray,I.
Finder,andK.
Koscher.
vpwns:VirtualPwnedNetworks.
InUSENIXFOCI,2012.
[68]D.
Arp,M.
Spreitzenbarth,H.
Gascon,andK.
Rieck.
Drebin:EffectiveandExplainableDetectionofAndroidMalwareinYourPocket.
InNDSS,2014.
[69]K.
W.
Y.
Au,Y.
F.
Zhou,Z.
Huang,andD.
Lie.
PScout:AnalyzingtheAndroidPermissionSpecication.
InACMCCS,2012.
[70]T.
Blsing,L.
Batyuk,A.
-D.
Schmidt,S.
A.
Camtepe,andS.
Albayrak.
AnAndroidApplicationSandboxSystemforSuspiciousSoftwareDetection.
InIEEEMALWARE,2010.
[71]A.
Bose,X.
Hu,K.
G.
Shin,andT.
Park.
BehavioralDetectionofMalwareonMobileHandsets.
InACMMobiSys,2008.
[72]I.
Castro,J.
C.
Cardona,S.
Gorinsky,andP.
Francois.
RemotePeering:MorePeeringWithoutInternetFlattening.
InACMCoNEXT,2014.
[73]T.
Chen,I.
Ullah,M.
A.
Kaafar,andR.
Boreli.
InformationLeakageThroughMobileAnalyticsServices.
InACMMobiSys,2014.
[74]P.
H.
Chia,Y.
Yamamoto,andN.
Asokan.
IsthisAppSafe:ALargeScaleStudyonApplicationPermissionsandRiskSignals.
InACMWWW,2012.
[75]D.
Crawford.
PPTPvsL2TPvsOpenVPNvsSSTPvsIKEv2.
https://www.
bestvpn.
com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs-sstp-vs-ikev2/.
[76]W.
Enck,P.
Gilbert,B.
-G.
Chun,L.
P.
Cox,J.
Jung,P.
McDaniel,andA.
N.
Sheth.
TaintDroid:AnInformationFlowTrackingSystemforReal-TimePrivacyMonitoringonSmartphones.
CACM,2014.
[77]S.
Fahl,M.
Harbach,T.
Muders,L.
Baumgrtner,B.
Freisleben,andM.
Smith.
WhyEveandMalloryloveAndroid:AnanalysisofAndroidSSL(in)security.
InACMCCS,2012.
[78]A.
P.
Felt,E.
Chin,S.
Hanna,D.
Song,andD.
Wagner.
AndroidPermissionsDemystied.
InACMCCS,2011.
[79]A.
Gorla,I.
Tavecchia,F.
Gross,andA.
Zeller.
CheckingAppBehaviorAgainstAppDescriptions.
InICSE,2014.
[80]C.
Haschek.
Wherearefreeproxiesfreehttps://blog.
haschek.
at/post/fd9bc.
[81]P.
Hornyack,S.
Han,J.
Jung,S.
Schechter,andD.
Wetherall.
TheseAren'ttheDroidsYou'reLookingfor:RetrottingAndroidtoProtectDatafromImperiousApplications.
InACMCCS,2011.
[82]M.
Ikram,H.
J.
Asghar,M.
A.
Kaafar,B.
Krishnamurthy,andA.
Mahanti.
TowardsSeamlessTracking-FreeWeb:ImprovedDetectionofTrackersviaOne-classLearning.
InPETs,2017.
[83]J.
Jeon,K.
K.
Micinski,J.
A.
Vaughan,A.
Fogel,N.
Reddy,J.
S.
Foster,andT.
Millstein.
Dr.
AndroidandMr.
Hide:Fine-grainedPermissionsinAndroidApplications.
InACMSPSM,2012.
[84]A.
Kantchelian,M.
C.
Tschantz,S.
Afroz,B.
Miller,V.
Shankar,R.
Bachwani,A.
D.
Joseph,andJ.
D.
Tygar.
BetterMalwareGroundTruth:TechniquesforWeightingAnti-VirusVendorLabels.
InAISec,2015.
[85]A.
Kharraz,W.
Robertson,D.
Balzarotti,L.
Bilge,andE.
Kirda.
CuttingtheGordianKnot:ALookUndertheHoodofRansomwareAttacks.
InDIMVA,2015.
[86]S.
Khattak,D.
Field,S.
Afroz,M.
Javed,S.
Sundaresan,V.
Paxson,S.
J.
Murdoch,andD.
McCoy.
DoYouSeeWhatISeeDifferentialTreatmentofAnonymousUsers.
InNDSS,2016.
[87]S.
Khattak,M.
Javed,S.
A.
Khayam,Z.
A.
Uzmi,andV.
Paxson.
ALookattheConsequencesofInternetCensorshipThroughanISPLens.
InACMIMC,2014.
[88]H.
Kim,J.
Smith,andK.
G.
Shin.
DetectingEnergy-GreedyAnomaliesandMobileMalwareVariants.
InACMMobiSys,2008.
[89]C.
Kreibich,N.
Weaver,B.
Nechaev,andV.
Paxson.
Netalyzr:IlluminatingtheEdgeNetwork.
InACMIMC,2010.
[90]A.
Le,J.
Varmarken,S.
Langhoff,A.
Shuba,M.
Gjoka,andA.
Markopoulou.
AntMonitor:ASystemforMonitoringfromMobileDevices.
InACM(C2B(I)D),2015.
[91]I.
Leontiadis,C.
Efstratiou,M.
Picone,andC.
Mascolo.
Don'tKillmyAds!
:BalancingPrivacyinanAd-supportedMobileApplicationMarket.
InACMHotMobile,2012.
[92]MaxMind.
https://www.
maxmind.
com.
[93]R.
Nithyanand,S.
Khattak,M.
Javed,N.
Vallina-Rodriguez,M.
Falahrastegar,J.
E.
Powles,E.
DeCristofaro,H.
Haddadi,andS.
J.
Murdoch.
Ad-blockingandcounterblocking:Asliceofthearmsrace.
FOCI,2016.
[94]V.
Paxson.
Bro:aSystemforDetectingNetworkIntrudersinReal-Time.
ComputerNetworks,1999.
[95]V.
C.
Perta,M.
V.
Barbera,G.
Tyson,H.
Haddadi,andA.
Mei.
AGlancethroughtheVPNLookingGlass:IPv6LeakageandDNSHijackinginCommercialVPNClients.
PETS,2015.
[96]I.
Poese,S.
Uhlig,M.
A.
Kaafar,B.
Donnet,andB.
Gueye.
IPgeolocationdatabases:UnreliableACMSIGCOMMCCR,2011.
[97]A.
Razaghpanah,N.
Vallina-Rodriguez,S.
Sundaresan,C.
Kreibich,P.
Gill,M.
Allman,andV.
Paxson.
Haystack:InSituMobileTrafcAnalysisinUserSpace.
arXivpreprintarXiv:1510.
01419,2015.
[98]C.
Reis,S.
Gribble,T.
Kohno,andN.
Weaver.
DetectingIn-FlightPageChangeswithWebTripwires.
InNSDI,2008.
[99]Rescorla,EricandModadugu,Nagendra.
DatagramTransportLayerSecurity(RFC4347).
https://tools.
ietf.
org/html/rfc4347.
[100]F.
Roesner,T.
Kohno,A.
Moshchuk,B.
Parno,H.
J.
Wang,andC.
Cowan.
User-DrivenAccessControl:RethinkingPermissionGrantinginModernOperatingSystems.
InIEEES&P,2012.
[101]SamsungKNOX.
https://www.
samsungknox.
com/en.
[102]A.
-D.
Schmidt,F.
Peters,F.
Lamour,C.
Scheel,S.
A.
amtepe,andS.
Albayrak.
MonitoringSmartphonesforAnomalyDetection.
MobileNetworksandApplications,2009.
[103]S.
Seneviratne,H.
Kolamunna,andA.
Seneviratne.
AMeasurementStudyofTrackinginPaidMobileApplications.
InACMWiSec,2015.
[104]A.
Shabtai,U.
Kanonov,Y.
Elovici,C.
Glezer,andY.
Weiss.
"Andromaly":ABehavioralMalwareDetectionFrameworkforAndroidDevices.
JIIS,2012.
[105]S.
Shekhar,M.
Dietz,andD.
S.
Wallach.
AdSplit:SeparatingSmartphoneAdvertisingfromApplications.
InUSENIXSec,2012.
[106]Y.
SongandU.
Hengartner.
PrivacyGuard:AVPN-basedPlatformtoDetectInformationLeakageonAndroidDevices.
InACMSPSM,2015.
[107]N.
Vallina-Rodriguez,J.
Amann,C.
Kreibich,N.
Weaver,andV.
Paxson.
ATangledMass:TheAndroidRootCerticateStores.
InACMCoNEXT,2014.
[108]N.
Vallina-Rodriguez,S.
Sundaresan,C.
Kreibich,andV.
Paxson.
HeaderEnrichmentorISPEnrichmentEmergingPrivacyThreatsinMobileNetworks.
InACMHotMiddlebox,2015.
[109]N.
Vallina-Rodriguez,S.
Sundaresan,C.
Kreibich,N.
Weaver,andV.
Paxson.
BeyondtheRadio:IlluminatingtheHigherLayersofMobileNetworks.
InACMMobiSys,2015.
[110]N.
Weaver,C.
Kreibich,M.
Dam,andV.
Paxson.
HereBeWebProxies.
InPAM,2014.
[111]N.
Weaver,C.
Kreibich,andV.
Paxson.
RedirectingDnsforAdsandProt,2011.
[112]L.
-K.
YanandH.
Yin.
DroidScope:SeamlesslyReconstructingtheOSandDalvikSemanticViewsforDynamicAndroidMalwareAnalysis.
InUSENIXSecurity,2012.
[113]Y.
ZhouandX.
Jiang.
DissectingAndroidMalware:CharacterizationandEvolution.
InIEEES&P,2012.
[114]Y.
Zhou,X.
Zhang,X.
Jiang,andV.
W.
Freeh.
TamingInformation-stealingSmartphoneApplications(onAndroid).
InTRUST,2011.
