www.data61.csiro.au
An Analysis of the Privacy and Security Risks of
Android VPN Permission-enabled Apps
Muhammad Ikram (UNSW, Data61, CSIRO)
Narseo Vallina-Rodriguez (ICSI, IMDEA Networks)
Suranga Seneviratne (Data61, CSIRO)
Mohamed Ali Kaafar (Data61, CSIRO)
Vern Paxson (UC Berkeley, ICSI)
Privacy and Security Risks of Android VPN Permission-enabled Apps | Muhammad Ikram
Typical VPN Use Cases
VPN Tunnel
• Geo-filtered content
• Anti-surveillance
• Censorship
• Untrusted networks
Android VPN API
• Available since Android ≧ 4.0 (Ice Cream Sandwich)
• Highly sensitive API
+ Protected by BIND_VPN_SERVICE
+ Requires user’s direct action
- Users may not understand VPN technology
- Lack of apps’ vetting process
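An added example (not from the slides or the authors' tooling) of a static check for the BIND_VPN_SERVICE declaration named above. It assumes the app's manifest has already been decoded to text XML; the sample manifests and package names are constructed, and the three result labels are this example's own.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded AndroidManifest.xml live in the android namespace.
A = "{http://schemas.android.com/apk/res/android}"
VPN_PERMISSION = "android.permission.BIND_VPN_SERVICE"
VPN_ACTION = "android.net.VpnService"


def vpn_declarations(manifest_xml):
    """Collect every place a manifest refers to the VPN permission."""
    root = ET.fromstring(manifest_xml.strip())
    found = {"package": root.get("package"), "services": [], "uses_permission": False}
    # Some apps list the permission application-wide in <uses-permission>.
    for up in root.iter("uses-permission"):
        if up.get(A + "name") == VPN_PERMISSION:
            found["uses_permission"] = True
    # A working VPN client declares a <service> guarded by the permission
    # and an intent filter for the android.net.VpnService action.
    for svc in root.iter("service"):
        if svc.get(A + "permission") != VPN_PERMISSION:
            continue
        actions = {a.get(A + "name") for a in svc.iter("action")}
        found["services"].append(
            {"name": svc.get(A + "name"), "handles_vpn_action": VPN_ACTION in actions}
        )
    return found


def classify(manifest_xml):
    """Return 'vpn-service', 'permission-only' or 'no-vpn' (labels are this example's)."""
    found = vpn_declarations(manifest_xml)
    if any(s["handles_vpn_action"] for s in found["services"]):
        return "vpn-service"
    if found["services"] or found["uses_permission"]:
        return "permission-only"  # worth a manual look: declared but not wired up
    return "no-vpn"


# Constructed sample manifests (hypothetical packages).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
VPN_APP = f"""
<manifest {NS} package="com.example.vpnclient">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>"""
PERMISSION_ONLY_APP = f"""
<manifest {NS} package="com.example.flashlight">
  <uses-permission android:name="android.permission.BIND_VPN_SERVICE"/>
  <application/>
</manifest>"""
PLAIN_APP = f"""
<manifest {NS} package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".SyncService"/></application>
</manifest>"""

if __name__ == "__main__":
    for sample in (VPN_APP, PERMISSION_ONLY_APP, PLAIN_APP):
        print(vpn_declarations(sample)["package"], "->", classify(sample))
```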
Are VPN Android apps trustworthy?
Approach
1. Static Analysis
2. Network Measurements
Some salient results
• Malware presence
• Traffic leak
• JavaScript injection and TLS interception
38% of VPN apps have malware presence (VirusTotal)
18% of VPN apps do not use encrypted tunnels
84% leak IPv6 traffic
66% leak DNS traffic
2 apps inject JavaScript code
4 apps implement TLS interception
Agenda
• VPN App Detection and Methodology
• Passive Analysis
• Network Measurements
• Summary
• Developer’s feedback
Methodology
[Figure: methodology pipeline. Stages: Google Play crawl (1.4M+ apps); executables and metadata (app descriptions, reviews, etc.); VPN app detection and classification; static analysis; network measurements.]
Identified VPN App
App Category | # of apps found (N = 283)
Free VPN apps with Free services | 130
Free VPN apps with Premium services | 153
Analyzed VPN Apps - Evolution
[Figure: analyzed VPN apps by estimated release date, with the Android 4.0 release date marked.]
User installs and ratings
37% of apps > 500K installs
55% of apps > 4-star rating
Static Analysis
67% of Android VPN apps claim privacy and security enhancement features
3rd-party Tracking Libraries
• 67% of VPN apps include 3rd-party tracking libraries
Malware Presence
• Scanner: VirusTotal aggregator
• AV-rank: number of AV tools reporting malware
• 38% of VPN apps contain malware, and 4% have AV-rank ≧ 5
Network Measurements
Testbed
Traffic manipulations
• Manually tested each vantage point reported in the app
• 18% of apps do not inform about the terminating end-point
• 4% of VPN apps intercept traffic on localhost
• 16% use vantage points hosted on residential networks (Spamhaus PBL)
Forwarding models
1lt.su
USERS HAVE NO CONTROL!
maxhane.com
qudosteam.com
Traffic leak
• 18% of apps do not use encrypted tunnels
• 84% of VPN apps leak IPv6 traffic
• 66% of VPN apps leak DNS queries
Users can be potentially subject to in-path modification, profiling, redirection, and censorship.
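An added example (not the authors' testbed code) of how DNS and IPv6 leaks like those counted above can be flagged in a capture. It assumes packets were recorded on the upstream link while the VPN was connected and that the tunnel endpoint address is known; the record fields and all addresses are constructed.

```python
import ipaddress
from collections import Counter


def classify_packet(pkt, tunnel_endpoints):
    """Tag one packet seen on the physical link while the tunnel is up.

    pkt is a dict with 'dst', 'proto' and 'dport' (hypothetical record format).
    Returns a set of tags; DNS sent over IPv6 outside the tunnel gets both leak tags.
    """
    dst = ipaddress.ip_address(pkt["dst"])
    if dst in tunnel_endpoints:
        return {"tunnel"}
    # Neighbour discovery, mDNS and similar never leave the local link,
    # so counting them as leaks would inflate the result.
    if dst.is_link_local or dst.is_multicast:
        return {"local-control"}
    tags = set()
    if pkt["proto"] in ("udp", "tcp") and pkt["dport"] == 53:
        tags.add("dns-leak")
    if dst.version == 6:
        tags.add("ipv6-leak")
    return tags or {"other-leak"}


def leak_report(packets, endpoints):
    """Summarise a capture: per-tag packet counts plus boolean verdicts."""
    tunnel_endpoints = {ipaddress.ip_address(e) for e in endpoints}
    counts = Counter()
    for pkt in packets:
        counts.update(classify_packet(pkt, tunnel_endpoints))
    return {
        "counts": dict(counts),
        "dns_leak": counts["dns-leak"] > 0,
        "ipv6_leak": counts["ipv6-leak"] > 0,
    }


# Constructed captures using documentation address ranges.
ENDPOINTS = ["203.0.113.10"]
LEAKY_CAPTURE = [
    {"dst": "203.0.113.10", "proto": "udp", "dport": 1194},    # tunnelled
    {"dst": "198.51.100.53", "proto": "udp", "dport": 53},     # plaintext DNS outside tunnel
    {"dst": "2001:db8::80", "proto": "tcp", "dport": 443},     # IPv6 bypasses an IPv4-only tunnel
    {"dst": "2001:db8::53", "proto": "udp", "dport": 53},      # DNS over IPv6, both leaks
    {"dst": "ff02::1:ff00:1", "proto": "icmpv6", "dport": 0},  # neighbour solicitation
    {"dst": "fe80::1", "proto": "icmpv6", "dport": 0},         # link-local
    {"dst": "203.0.113.10", "proto": "udp", "dport": 1194},    # tunnelled
]
CLEAN_CAPTURE = [
    {"dst": "203.0.113.10", "proto": "udp", "dport": 1194},
    {"dst": "224.0.0.251", "proto": "udp", "dport": 5353},     # mDNS, stays local
]

if __name__ == "__main__":
    print(leak_report(LEAKY_CAPTURE, ENDPOINTS))
    print(leak_report(CLEAN_CAPTURE, ENDPOINTS))
```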
Adblocking and JavaScript Injection
• DOM-based analysis
• Top 30 Alexa sites, reference website and seven e-commerce sites
TLS Interception
• Analysed certificates from 60 websites/domains
• Apps compromise root store
Domain (port) | Neopard | DashVPN | DashNet | Packet Capture
amazon.com | ❌ | ✅ | ❌ | ✅
gmail.com | ✅ | ✅ | ✅ | ✅
orcart.facebook.com (8883) | ✅ | ❌ | ❌ | ✅
bankofamerica.com | ✅ | ✅ | ✅ | ✅
hsbc.com | ❌ | ✅ | ❌ | ✅
More details:
“And isn’t it ironic?”
• Do users care or know?
• Manually analysed negative reviews (4.5K) (1- and 2-Stars)
• < 1% of the negative reviews raised privacy and security concerns
Summary
• 38% of apps have malware presence
• 67% of apps have at least one third-party tracking library
• 66% of VPN apps have DNS leakages and 84% have IPv6 Leakages
• 2 VPN apps perform JS-injection for ads, tracking, and redirections
• 4 VPN apps perform TLS interception
Developer Feedback and Reactions
“… Appflood [third-party library] was the best choice to monetize the app”.
Now: ad- and tracking-free app
Confirmed JS-Injections for tracking users and showing their own advertisements
Now: status quo
Developer Feedback and Reactions
November 2015: 15 AV-RANK
October 2016: 1 AV-RANK
“… we will promise these problems never occur again.”
www.data61.csiro.au
Thanks
Q&A
Muhammad Ikram
muhammad.ikram@data61.csiro.au

Weitere ähnliche Inhalte

Was ist angesagt?

Protect Your Enterprise - Check Point SandBlast Mobile
Protect Your Enterprise - Check Point SandBlast MobileProtect Your Enterprise - Check Point SandBlast Mobile
Protect Your Enterprise - Check Point SandBlast MobileMarketingArrowECS_CZ
 
Secure Mobility from GGR Communications
Secure Mobility from GGR CommunicationsSecure Mobility from GGR Communications
Secure Mobility from GGR CommunicationsGGR Communications
 
M86 Security apresenta Secure Web Gateway
M86 Security apresenta Secure Web GatewayM86 Security apresenta Secure Web Gateway
M86 Security apresenta Secure Web GatewayINSPIRIT BRASIL
 
Don't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksDon't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksPrathan Phongthiproek
 
The Anatomy of Comment Spam
The Anatomy of Comment SpamThe Anatomy of Comment Spam
The Anatomy of Comment SpamImperva
 
Swascan Cyber Security Testing Platform
Swascan Cyber Security Testing PlatformSwascan Cyber Security Testing Platform
Swascan Cyber Security Testing PlatformPierguido Iezzi
 
Estratégia de segurança da Cisco (um diferencial para seus negócios)
Estratégia de segurança da Cisco (um diferencial para seus negócios)Estratégia de segurança da Cisco (um diferencial para seus negócios)
Estratégia de segurança da Cisco (um diferencial para seus negócios)Cisco do Brasil
 
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...North Texas Chapter of the ISSA
 
Upwardly Mobile: Looking at Evolving Cybercrime Tactics in Mobile Malware
Upwardly Mobile: Looking at Evolving Cybercrime Tactics in Mobile MalwareUpwardly Mobile: Looking at Evolving Cybercrime Tactics in Mobile Malware
Upwardly Mobile: Looking at Evolving Cybercrime Tactics in Mobile MalwarePriyanka Aash
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsBen Rothke
 
Brochure swascan ENG
Brochure swascan ENGBrochure swascan ENG
Brochure swascan ENGSWASCAN
 
Understanding Advanced Threats and How to Prevent Them
Understanding Advanced Threats and How to Prevent ThemUnderstanding Advanced Threats and How to Prevent Them
Understanding Advanced Threats and How to Prevent ThemMarketingArrowECS_CZ
 
Presentation cisco iron port e-mail security solution
Presentation   cisco iron port e-mail security solutionPresentation   cisco iron port e-mail security solution
Presentation cisco iron port e-mail security solutionxKinAnx
 
Level Up Your Security with Threat Intelligence
Level Up Your Security with Threat IntelligenceLevel Up Your Security with Threat Intelligence
Level Up Your Security with Threat IntelligenceIBM Security
 
Cisco 2014 - Anual Security Report
Cisco 2014 - Anual Security Report Cisco 2014 - Anual Security Report
Cisco 2014 - Anual Security Report Mandar Kharkar
 
Building an Android Scale Incident Response Process
Building an Android Scale Incident Response ProcessBuilding an Android Scale Incident Response Process
Building an Android Scale Incident Response ProcessPriyanka Aash
 

Was ist angesagt? (20)

Protect Your Enterprise - Check Point SandBlast Mobile
Protect Your Enterprise - Check Point SandBlast MobileProtect Your Enterprise - Check Point SandBlast Mobile
Protect Your Enterprise - Check Point SandBlast Mobile
 
Sophos Utm Presentation 2016
Sophos Utm Presentation 2016Sophos Utm Presentation 2016
Sophos Utm Presentation 2016
 
Secure Mobility from GGR Communications
Secure Mobility from GGR CommunicationsSecure Mobility from GGR Communications
Secure Mobility from GGR Communications
 
M86 Security apresenta Secure Web Gateway
M86 Security apresenta Secure Web GatewayM86 Security apresenta Secure Web Gateway
M86 Security apresenta Secure Web Gateway
 
Don't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksDon't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application Attacks
 
CYBER THREAT ASSESSMENT
CYBER THREAT ASSESSMENTCYBER THREAT ASSESSMENT
CYBER THREAT ASSESSMENT
 
The Anatomy of Comment Spam
The Anatomy of Comment SpamThe Anatomy of Comment Spam
The Anatomy of Comment Spam
 
Swascan Cyber Security Testing Platform
Swascan Cyber Security Testing PlatformSwascan Cyber Security Testing Platform
Swascan Cyber Security Testing Platform
 
Estratégia de segurança da Cisco (um diferencial para seus negócios)
Estratégia de segurança da Cisco (um diferencial para seus negócios)Estratégia de segurança da Cisco (um diferencial para seus negócios)
Estratégia de segurança da Cisco (um diferencial para seus negócios)
 
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
 
Juniper idp overview
Juniper idp overviewJuniper idp overview
Juniper idp overview
 
Upwardly Mobile: Looking at Evolving Cybercrime Tactics in Mobile Malware
Upwardly Mobile: Looking at Evolving Cybercrime Tactics in Mobile MalwareUpwardly Mobile: Looking at Evolving Cybercrime Tactics in Mobile Malware
Upwardly Mobile: Looking at Evolving Cybercrime Tactics in Mobile Malware
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
 
Brochure swascan ENG
Brochure swascan ENGBrochure swascan ENG
Brochure swascan ENG
 
Understanding Advanced Threats and How to Prevent Them
Understanding Advanced Threats and How to Prevent ThemUnderstanding Advanced Threats and How to Prevent Them
Understanding Advanced Threats and How to Prevent Them
 
Presentation cisco iron port e-mail security solution
Presentation   cisco iron port e-mail security solutionPresentation   cisco iron port e-mail security solution
Presentation cisco iron port e-mail security solution
 
IronPort
IronPortIronPort
IronPort
 
Level Up Your Security with Threat Intelligence
Level Up Your Security with Threat IntelligenceLevel Up Your Security with Threat Intelligence
Level Up Your Security with Threat Intelligence
 
Cisco 2014 - Anual Security Report
Cisco 2014 - Anual Security Report Cisco 2014 - Anual Security Report
Cisco 2014 - Anual Security Report
 
Building an Android Scale Incident Response Process
Building an Android Scale Incident Response ProcessBuilding an Android Scale Incident Response Process
Building an Android Scale Incident Response Process
 

Ähnlich wie An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps

18-mobile-malware.pptx
18-mobile-malware.pptx18-mobile-malware.pptx
18-mobile-malware.pptxsundar110567
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsIBM Security
 
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...Skycure
 
Android Malware Detection Literature Review
Android Malware Detection Literature ReviewAndroid Malware Detection Literature Review
Android Malware Detection Literature ReviewAhmed Sabbah
 
Cyber_Security_CyberPact.pdf
Cyber_Security_CyberPact.pdfCyber_Security_CyberPact.pdf
Cyber_Security_CyberPact.pdfNaveenKumar470500
 
Webinar remote access_no_vpn_pitfalls_111517
Webinar remote access_no_vpn_pitfalls_111517Webinar remote access_no_vpn_pitfalls_111517
Webinar remote access_no_vpn_pitfalls_111517Zscaler
 
Browser isolation (isc)2 may presentation v2
Browser isolation (isc)2 may presentation v2Browser isolation (isc)2 may presentation v2
Browser isolation (isc)2 may presentation v2Wen-Pai Lu
 
Mobile security and drozer tool demo
Mobile security and drozer tool demoMobile security and drozer tool demo
Mobile security and drozer tool demoGowthamraj Palani
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Denim Group
 
Eurecom уличили приложения для Android в тайной от пользователя активности
Eurecom уличили приложения для Android в тайной от пользователя активностиEurecom уличили приложения для Android в тайной от пользователя активности
Eurecom уличили приложения для Android в тайной от пользователя активностиSergey Ulankin
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectivePragati Rai
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...DefCamp
 
Enterprise under attack dealing with security threats and compliance
Enterprise under attack dealing with security threats and complianceEnterprise under attack dealing with security threats and compliance
Enterprise under attack dealing with security threats and complianceSPAN Infotech (India) Pvt Ltd
 
Securing the Enterprise with Application Aware Acceptable Use Policy
Securing the Enterprise with Application Aware Acceptable Use PolicySecuring the Enterprise with Application Aware Acceptable Use Policy
Securing the Enterprise with Application Aware Acceptable Use PolicyAllot Communications
 
Penetrating Android Aapplications
Penetrating Android AapplicationsPenetrating Android Aapplications
Penetrating Android AapplicationsRoshan Thomas
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on androidRavishankar Kumar
 
Sangfor's Presentation.pdf
Sangfor's Presentation.pdfSangfor's Presentation.pdf
Sangfor's Presentation.pdfssusera76ea9
 
Droidcon2013 security genes_trendmicro
Droidcon2013 security genes_trendmicroDroidcon2013 security genes_trendmicro
Droidcon2013 security genes_trendmicroDroidcon Berlin
 
Every cloud cloud risk assessment 2018
Every cloud cloud risk assessment  2018Every cloud cloud risk assessment  2018
Every cloud cloud risk assessment 2018soniamcpherson11
 

Ähnlich wie An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps (20)

18-mobile-malware.pptx
18-mobile-malware.pptx18-mobile-malware.pptx
18-mobile-malware.pptx
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
 
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
 
Android Malware Detection Literature Review
Android Malware Detection Literature ReviewAndroid Malware Detection Literature Review
Android Malware Detection Literature Review
 
Cyber_Security_CyberPact.pdf
Cyber_Security_CyberPact.pdfCyber_Security_CyberPact.pdf
Cyber_Security_CyberPact.pdf
 
Cyber_Security_CyberPact.pdf
Cyber_Security_CyberPact.pdfCyber_Security_CyberPact.pdf
Cyber_Security_CyberPact.pdf
 
Webinar remote access_no_vpn_pitfalls_111517
Webinar remote access_no_vpn_pitfalls_111517Webinar remote access_no_vpn_pitfalls_111517
Webinar remote access_no_vpn_pitfalls_111517
 
Browser isolation (isc)2 may presentation v2
Browser isolation (isc)2 may presentation v2Browser isolation (isc)2 may presentation v2
Browser isolation (isc)2 may presentation v2
 
Mobile security and drozer tool demo
Mobile security and drozer tool demoMobile security and drozer tool demo
Mobile security and drozer tool demo
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
 
Eurecom уличили приложения для Android в тайной от пользователя активности
Eurecom уличили приложения для Android в тайной от пользователя активностиEurecom уличили приложения для Android в тайной от пользователя активности
Eurecom уличили приложения для Android в тайной от пользователя активности
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security Perspective
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
 
Enterprise under attack dealing with security threats and compliance
Enterprise under attack dealing with security threats and complianceEnterprise under attack dealing with security threats and compliance
Enterprise under attack dealing with security threats and compliance
 
Securing the Enterprise with Application Aware Acceptable Use Policy
Securing the Enterprise with Application Aware Acceptable Use PolicySecuring the Enterprise with Application Aware Acceptable Use Policy
Securing the Enterprise with Application Aware Acceptable Use Policy
 
Penetrating Android Aapplications
Penetrating Android AapplicationsPenetrating Android Aapplications
Penetrating Android Aapplications
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
 
Sangfor's Presentation.pdf
Sangfor's Presentation.pdfSangfor's Presentation.pdf
Sangfor's Presentation.pdf
 
Droidcon2013 security genes_trendmicro
Droidcon2013 security genes_trendmicroDroidcon2013 security genes_trendmicro
Droidcon2013 security genes_trendmicro
 
Every cloud cloud risk assessment 2018
Every cloud cloud risk assessment  2018Every cloud cloud risk assessment  2018
Every cloud cloud risk assessment 2018
 

Kürzlich hochgeladen

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 

Kürzlich hochgeladen (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps

  • 1. An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps. Muhammad Ikram (UNSW, Data61, CSIRO), Narseo Vallina-Rodriguez (ICSI, IMDEA Networks), Suranga Seneviratne (Data61, CSIRO), Mohamed Ali Kaafar (Data61, CSIRO), Vern Paxson (UC Berkeley, ICSI). www.data61.csiro.au
  • 2. Privacy and Security Risks of Android VPN Permission-enabled Apps | Muhammad Ikram. Typical VPN Use Cases (VPN Tunnel) • Geo-filtered content • Anti-surveillance • Censorship • Untrusted networks
  • 3. Android VPN API • Available since Android ≧ 4.0 (Ice Cream Sandwich) • Highly sensitive API + Protected by BIND_VPN_SERVICE + Requires user’s direct action - Users may not understand VPN technology - Lack of apps’ vetting process
  • 4. (no text on this slide)
  • 5. Are VPN Android apps trustworthy?
  • 6. Approach: 1. Static Analysis 2. Network Measurements
  • 7. Some salient results • Malware presence • Traffic leak • JavaScript injection and TLS interception • 38% of VPN apps have malware presence (VirusTotal) • 18% of VPN apps do not use encrypted tunnels • 84% leak IPv6 traffic • 66% leak DNS traffic • 2 apps inject JavaScript code • 4 apps implement TLS interception
  • 8. Agenda • VPN App Detection and Methodology • Passive Analysis • Network Measurements • Summary • Developer’s feedback
  • 9. Methodology • Google Play Crawl (1.4M+ Apps) • Static Analysis • Network Measurements • VPN App Detection and Classification • Executables and metadata (apps description, reviews, etc)
  • 10. Identified VPN App • App Category / # of apps found (N = 283) • Free VPN apps with Free services: 130 • Free VPN apps with Premium services: 153
  • 11. Analyzed VPN Apps - Evolution [figure; labels: Estimated Release Date, Android 4.0 release date]
  • 12. User installs and ratings • 37% of apps > 500K installs • 55% of apps > 4-star rating
  • 13. Static Analysis
  • 14. 67% of Android VPN apps claim privacy and security enhancement features
  • 15. 3rd-party Tracking Libraries • 67% of VPN apps include 3rd-party tracking libraries
  • 16. Malware Presence • Scanner: VirusTotal aggregator • AV-rank: number of AV tools reporting malware • 38% of VPN apps contain malware, with 4% having AV-rank ≧ 5
  • 17. Network Measurements
  • 18. Testbed • Traffic manipulations
  • 19. Forwarding models • Tested manually each vantage point reported in the app • 18% of apps do not inform about the terminating end-point • 4% of VPN apps intercept traffic on localhost • 16% use vantage points hosted on residential networks (Spamhaus PBL) • 1lt.su
  • 20. USERS HAVE NO CONTROL! • maxhane.com • qudosteam.com
  • 21. Traffic leak • 18% of apps do not use encrypted tunnels • 84% of VPN apps leak IPv6 traffic • 66% of VPN apps leak DNS queries • Users can potentially be subject to in-path modification, profiling, redirection, and censorship.
  • 22. Adblocking and JavaScript Injection • DOM-based analysis • Top 30 Alexa sites, reference website and seven e-commerce sites
  • 23. TLS Interception • Analysed certificates from 60 websites/domains • Apps compromise root store
        Domain (port)              | Neopard | DashVPN | DashNet | Packet Capture
        amazon.com                 | ❌ | ✅ | ❌ | ✅
        gmail.com                  | ✅ | ✅ | ✅ | ✅
        orcart.facebook.com (8883) | ✅ | ❌ | ❌ | ✅
        bankofamerica.com          | ✅ | ✅ | ✅ | ✅
        hsbc.com                   | ❌ | ✅ | ❌ | ✅
  • 24. More details:
  • 25. “And isn’t it ironic?” • Do users care or know? • Manually analysed negative reviews (4.5K) (1- and 2-Stars) • < 1% of the negative reviews raised privacy and security concerns
  • 26. Summary • 38% of apps have malware presence • 67% of apps have at least one third-party tracking library • 66% of VPN apps have DNS leakages and 84% have IPv6 Leakages • 2 VPN apps perform JS-injection for ads, tracking, and redirections • 4 VPN apps perform TLS interception
  • 27. Developer Feedback and Reactions • “… Appflood [third-party library] was the best choice to monetize the app”. Now: ads- and tracking free app • Confirmed JS-Injections for tracking users and showing their own advertisements. Now: status quo
  • 28. Developer Feedback and Reactions • November 2015, October 2016 • “… we will promise these problems never occur again.” • 15 AV-RANK, 1 AV-RANK

Editor's notes

  1. SITUATION: Normally, static code analyses do not fully convey the behavioral (or runtime) issues of Android apps. We aim to analyze the runtime behavior and networking functionality of VPN apps to shed further light on security and privacy issues. ACTION: POINT 1 – To this end, we devised a testbed, as you can see in the figure, in which the testing device connects to VPN endpoints (and the internet) via a dual WiFi AP. POINT 2 – To measure a VPN app’s behavior and networking functions, we collect data on the testing device (DNS settings, TUN, original and changed IP addresses of the testing device), in VPN app ON and OFF scenarios, and at the WiFi AP (tcpdump). We also used Netalyzr for Android for network analysis of VPN apps. Using the testbed, we performed more than 700 VPN app installs and 5340 tests (connected to 5340 endpoints). RESULTS: Our testbed revealed several interesting privacy- and security-related insights, grouped as: traffic interception and forwarding mechanisms, app vulnerabilities/misconfigurations, traffic manipulation, and TLS interception. [That I will explain in the next slides one by one.]
  2. SITUATION: To provide security and privacy, VPN apps resolve DNS traffic on their servers and modify the host’s routing tables to route user traffic to their VPN servers. However, VPN developers may have misconfigurations and loopholes in their source code. In other words, they may not fully enforce policies on the host’s DNS resolution and routing tables, thus exposing/leaking IPv6 and DNS traffic. We aim to shed light on those leakages. ACTION: To this end, we tested each app with our testbed. In the figure, when the VPN app is ON, an attacker (an open WiFi AP at a Starbucks/airport or, in this case, our instrumented WiFi AP acting as a passive man-in-the-middle) enforces DNS resolution and overwrites the host’s VPN app DNS settings. RESULTS: [After explaining the third and fourth bullets] explain that such leakage could expose user traffic to modification, user profiling, and even censorship.
  3. SITUATION: VPN apps may actively modify user traffic by either injecting or blocking content. We aim to detect VPN apps performing active traffic modification, specifically JavaScript injection and adblocking. ACTION: [Very clear from the first three bullets] RESULTS: POINT 1 – Two apps (point to Secure Wireless and F-Secure Freedome VPN) block advertisement and analytics networks such as DoubleClick and Google Analytics. As we pointed out in our paper, their blacklist-based approach results in usability issues: because F-Secure Freedome VPN blocks TagServices, useful content such as videos was not accessible on NYTimes. POINT 2 – From our analysis, we found that two VPN apps, WiFi Protector and Hotspot Shield VPN, inject JavaScript for tracking and advertising purposes. Hotspot Shield VPN also uses JavaScript to redirect users to its affiliate ad networks, which we report in detail in our paper.
  4. SITUATION: VPN apps may target user HTTPS traffic for extensive user profiling or to provide specialized services such as traffic acceleration and compression. We aim to identify all such apps. We are also interested in whether these apps perform TLS interception on all user traffic or target specific services such as banks, IM, email or social networks. ACTION: For each analyzed VPN app, we use OpenSSL and customized scripts to access 60 different websites/domains, consisting of OSN, bank, email, and news services (detailed in our paper), from our testing device. For each website/domain, our customized scripts and OpenSSL yield the SSL certificate chain, which we analyzed with the ICSI Notary to check the validity of the chain. RESULT: We found that 4 apps perform TLS interception. Packet Capture intercepts all HTTPS traffic, whilst the other 3 VPN apps focus on shopping, bank, and social media traffic. Upon our enquiries, Neopard’s developer confirmed that they perform TLS interception for traffic acceleration and MARKET research – selling aggregate statistical data. [There are more interesting insights and we encourage you to read our paper.]
  5. SITUATION: Did our study have an impact on the VPN app ecosystem? ACTION: We shared our results with all the developers whose apps were explicitly discussed in the paper. We shared our findings and explained that the presence of certain intentional features or errors undermines user privacy and security. From the 21st to the 25th of October, we selectively tested VPN apps to confirm whether the developers had made changes. RESULT: ip-shield VPN acknowledged that they used Appflood, a third-party tracking library, to maximize their revenue from targeted advertisements. They promised to stop this to ensure user privacy. We found that the developer removed all third-party tracking and advertisement libraries from the ip-shield VPN source code. WiFi Protector VPN also acknowledged our finding but is still injecting JS for tracking and advertisement purposes.
  6. SITUATION: Did our study have an impact on the VPN app ecosystem? ACTION: We shared our results with all the developers whose apps were explicitly discussed in the paper. We shared our findings and explained that the presence of certain intentional features or errors undermines user privacy and security. On the 7th of November, we tested VPN apps that have some malware in their source code to confirm whether the developers had made changes. Figure on the left: VirusTotal scan, dated 7th November 2016, of the Betternet Free VPN APK that we analyzed in our paper. Figure on the right: VirusTotal scan, dated 7th November 2016, of the Betternet Free VPN APK that we downloaded on 22nd October 2016. RESULT: Only one VPN developer took action and fulfilled its promise to remove malware from its VPN app source code.
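
The leak check described in notes 1 and 2 (tcpdump at the WiFi AP while the VPN app is ON) can be reproduced offline as below. This is an added example, not the study's tooling: it assumes `tcpdump -n` text output, and the capture lines, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -n` text output, as captured at the Wi-Fi AP
# while a VPN app is ON. All addresses are documentation-range placeholders.
CAPTURE = """\
10:00:01.000001 IP 192.168.1.50.40001 > 203.0.113.10.1194: UDP, length 120
10:00:01.200000 IP 192.168.1.50.53111 > 192.168.1.1.53: 4242+ A? example.com. (29)
10:00:01.300000 IP6 2001:db8::50.44321 > 2001:db8:ffff::80.80: Flags [S], seq 1, win 65535, length 0
10:00:01.400000 IP 203.0.113.10.1194 > 192.168.1.50.40001: UDP, length 300
10:00:01.500000 IP6 2001:db8::50.53999 > 2001:db8::1.53: 7+ AAAA? example.org. (29)
10:00:01.600000 IP 192.168.1.50.40001 > 203.0.113.10.1194: UDP, length 96
"""

LINE = re.compile(r"^\S+ IP6? (\S+) > (\S+?): (.*)$")
QUERY = re.compile(r"\b(?:A|AAAA)\? (\S+)")


def split_host_port(token):
    """tcpdump prints 'host.port'; port-less packets (e.g. ICMP) print only 'host'."""
    host, _, port = token.rpartition(".")
    try:
        return ipaddress.ip_address(host), int(port)
    except ValueError:
        return ipaddress.ip_address(token), None


def find_leaks(capture, device_addrs, vpn_endpoint):
    """Flag cleartext DNS and IPv6 packets the device sent outside the tunnel."""
    device = {ipaddress.ip_address(a) for a in device_addrs}
    endpoint = ipaddress.ip_address(vpn_endpoint)
    leaks = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ARP, link-layer noise, truncated lines
        (src, _), (dst, dport) = split_host_port(m[1]), split_host_port(m[2])
        if src not in device or dst == endpoint:
            continue  # inbound traffic, or outbound traffic that is in the tunnel
        if dport == 53:  # cleartext DNS visible to the access point
            q = QUERY.search(m[3])
            leaks.append(("dns", str(dst), q.group(1).rstrip(".") if q else None))
        if src.version == 6:  # IPv6 that bypassed the tunnel
            leaks.append(("ipv6", str(dst), dport))
    return leaks


LEAKS = find_leaks(CAPTURE, ["192.168.1.50", "2001:db8::50"], "203.0.113.10")
```

A DNS query sent over IPv6 is reported under both kinds, since it counts toward both leak categories on slide 21.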