An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps

VPN

Muhammad Ikram, Narseo Vallina-Rodriguez,Vern Paxson
CSIRO, ICSI UCBerkeley, IMC'16
研究了Google Play上283个安卓VPN软件的隐私和安全问题，潜在的问题有植入第三方库、不安全的VPN隧道、IPv6 dns泄漏、流量修改等

第三方库 user tracking
malware
流量拦截模式
协议问题和信息泄露
in-path proxis and traffic manipulation
TLS中间人

Android VPN Permission

系统权限 BIND_VPN_SERVICE from 4.0
虚拟网络接口：
读 - 获得数据包
写 - 注入数据包
在同一时间只能有一个app占用该接口

Custom VPN permission
Mobile Device Management

Discovering VPN Apps on Goolge Play

AndroidManifest

APK downloader
Google Play search：

• key word： "vpn","virtual
  private network","security","censorship,"anonymity or
  "privacy"
• similar same developer

2015年九月，3个星期，283/1,488,811

premium app没有全部分析的原因是需要专门的IT和云支持
写论文时（2016.8）发现283个app中的49已经不在Google Play中了(审查、用户投诉、开发者)

Qihoo360,Dr.Web Security Space,Trend Micro Mobile Security & Antivirus
NoRoot Firewall
Fast Secure payment

Static Analysis

apktool
权限、track library、malware analysis、user awareness

Network Measurements

VPN Protocols and Traffic Leaks

unencrypted:TCP端口转发、HTTP

TLS interception

We instrumented our Android device with OpenSSL so
that we can capture a copy of the SSL/TLS server certificate
when accessing more than 60 popular services operating
over SSL including HTTPS, SMTP over TLS, and POP3
over TLS.

使用ICSI Certificate Notary来验证证书，基于Mozilla root store

4个VPN app使用自签名的证书主动拦截TLS。 抓包/节省流量/加速/VPN

Packet Capture：
Neopard:隐私策略，“perform mobile usage reviews
for market studies”
DashVPN DashNet:没有告知用户拦截TLS的用意

Limitations & Future Work

1. free apps from Google play
2. root权限的应用 需要更多的静态分析
3. 敏感权限的使用分析(读log、短信)
4. peer forwarding