Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps
Razer
g2s at riseup.net
Tue Oct 10 19:24:22 PDT 2017
A little old, but many of these "VPNs" are still probably insecure...
For the record, from August 2016:
> Millions of users worldwide resort to mobile VPN clients to either
> circumvent censorship or to access geo-blocked content, and more
> generally for privacy and security purposes. In practice, however,
> users have little if any guarantees about the corresponding security
> and privacy settings, and perhaps no practical knowledge about the
> entities accessing their mobile traffic. In this paper we provide
> a first comprehensive analysis of 283 Android apps that use the
> Android VPN permission, which we extracted from a corpus of more than
> 1.4 million apps on the Google Play store.
>
> We perform a number of passive and active measurements designed to
> investigate a wide range of security and privacy features and to study
> the behavior of each VPN-based app. Our analysis includes
> investigation of possible malware presence, third-party library
> embedding, and traffic manipulation, as well as gauging user
> perception of the security and privacy of such apps. Our experiments
> reveal several instances of VPN apps that expose users to serious
> privacy and security vulnerabilities, such as use of insecure VPN
> tunneling protocols, as well as IPv6 and DNS traffic leakage. We
> also report on a number of apps actively performing TLS
> interception. Of particular concern are instances of apps that
> inject JavaScript programs for tracking, advertising, and for
> redirecting e-commerce traffic to external partners.
16 page pdf:
https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf
https://dl.acm.org/citation.cfm?doid=2987443.2987471