dc.contributor.author: Ikram, Muhammad
dc.contributor.author: Vallina-Rodriguez, Narseo
dc.contributor.author: Seneviratne, Suranga
dc.contributor.author: Kaafar, Mohamed Ali
dc.contributor.author: Paxson, Vern
dc.date.accessioned: 2021-07-13T09:28:15Z
dc.date.available: 2021-07-13T09:28:15Z
dc.date.issued: 2016-11-14
dc.identifier.uri: http://hdl.handle.net/20.500.12761/309
dc.description.abstract: Millions of users worldwide resort to mobile VPN clients to either circumvent censorship or to access geo-blocked content, and more generally for privacy and security purposes. In practice, however, users have little if any guarantees about the corresponding security and privacy settings, and perhaps no practical knowledge about the entities accessing their mobile traffic. In this paper we provide a first comprehensive analysis of 283 Android apps that use the Android VPN permission, which we extracted from a corpus of more than 1.4 million apps on the Google Play store. We perform a number of passive and active measurements designed to investigate a wide range of security and privacy features and to study the behavior of each VPN-based app. Our analysis includes investigation of possible malware presence, third-party library embedding, and traffic manipulation, as well as gauging user perception of the security and privacy of such apps. Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as use of insecure VPN tunneling protocols, as well as IPv6 and DNS traffic leakage. We also report on a number of apps actively performing TLS interception. Of particular concern are instances of apps that inject JavaScript programs for tracking, advertising, and for redirecting e-commerce traffic to external partners.
dc.language.iso: eng
dc.title: An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps [en]
dc.type: conference object
dc.conference.date: 14-16 November 2016
dc.conference.place: Santa Monica, CA, USA
dc.conference.title: The 16th ACM Internet Measurement Conference 2016 (ACM IMC 2016)*
dc.event.type: conference
dc.pres.type: paper
dc.type.hasVersion: VoR
dc.rights.accessRights: open access
dc.page.final: 364
dc.page.initial: 349
dc.description.refereed: TRUE
dc.description.status: pub
dc.eprint.id: http://eprints.networks.imdea.org/id/eprint/1505

