ABSTRACT
Due to the increasing number of recommendations for people to use Virtual Private Networks (VPNs) to protect their privacy, more application developers are creating VPN applications and publishing them on the Apple App Store and Google Play Store. In this 'gold rush', applications are being developed quickly and, in turn, without security in mind.
This paper investigated a selection of VPN applications available on the Apple App Store (for iOS devices) and tested the applications for security and privacy issues. This includes testing for any traffic being transmitted over plain HTTP, DNS leakage and transmission of personally identifiable information (such as phone number, International Mobile Equipment Identity (IMEI), email address, MAC address) and evaluating the security of the tunneling protocol used by the VPN.
The testing methodology involved installing each VPN application on a test device, generating network traffic for a pre-defined period of time and capturing that traffic. This allows all traffic to be analysed to check for anything being sent without encryption. Other issues that often cause de-anonymisation with VPN applications, such as DNS leakage, were also considered.
The research found several common security issues with VPN applications tested, with a large majority of applications still using HTTP and not HTTPS for transmitting certain data. A large majority of the VPN applications failed to route additional user data (such as DNS queries) through the VPN tunnel. Furthermore, just fifteen of the tested applications were found to have correctly implemented the best-recommended tunneling protocol for user security.
Outside of the regular testing criteria, other security anomalies were observed with specific applications, which included outdated servers with known vulnerabilities, applications giving themselves the ability to perform HTTPS interception and questionable privacy policies.
From the documented vulnerabilities, this research proposes a set of recommendations for developers to consider when developing VPN applications.
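The three leak classes the methodology looks for (plaintext HTTP, DNS queries that bypass the tunnel, and PII in the clear) can be checked against a packet capture taken on the device's physical interface while the tunnel is up. The following is an added example written for this page, not code from the paper; it assumes a hypothetical tunnel endpoint address and a small constructed capture, and uses no external packet library.

```python
import re
from dataclasses import dataclass

# Hypothetical tunnel endpoint: with the VPN up, every packet seen on the
# physical (Wi-Fi/cellular) interface should be encapsulated towards it.
TUNNEL_ENDPOINT = "203.0.113.10"

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")
PII_PATTERNS = {  # crude patterns for the identifiers the paper tests for
    "email": re.compile(rb"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "imei": re.compile(rb"\b\d{15}\b"),
    "mac": re.compile(rb"(?i)\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b"),
}

@dataclass
class Packet:
    dst_ip: str
    dst_port: int
    payload: bytes  # transport payload as captured

def dns_qname(payload: bytes) -> str:
    """Decode the first question name of a DNS message (12-byte header, then labels)."""
    labels, pos = [], 12
    while pos < len(payload) and payload[pos]:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels)

def find_leaks(capture):
    """Return (kind, detail) findings for every packet that left the device outside the tunnel."""
    findings = []
    for pkt in capture:
        if pkt.dst_ip == TUNNEL_ENDPOINT:
            continue  # inside the tunnel: opaque to this check, as intended
        if pkt.dst_port == 53:
            findings.append(("dns-leak", f"{dns_qname(pkt.payload)} -> {pkt.dst_ip}"))
        elif pkt.dst_port == 80 and pkt.payload.startswith(HTTP_METHODS):
            findings.append(("plain-http", pkt.payload.split(b"\r\n", 1)[0].decode()))
        else:
            findings.append(("bypass", f"{pkt.dst_ip}:{pkt.dst_port}"))
        for kind, pat in PII_PATTERNS.items():  # PII visible in cleartext bytes
            for m in pat.finditer(pkt.payload):
                findings.append((f"pii-{kind}", m.group().decode()))
    return findings

def build_sample_capture():
    """Constructed capture: one tunnelled packet and three that bypass the tunnel."""
    dns = b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x07example\x03com\x00\x00\x01\x00\x01"
    http = b"POST /register HTTP/1.1\r\nHost: api.example\r\n\r\nimei=356938035643809&email=user@example.com"
    return [Packet(TUNNEL_ENDPOINT, 500, b"\x00" * 16), Packet("192.0.2.53", 53, dns),
            Packet("198.51.100.7", 80, http), Packet("198.51.100.9", 443, b"\x16\x03\x01\x00\x05hello")]
```

Running `find_leaks(build_sample_capture())` reports the DNS leak, the plaintext HTTP request with the IMEI and e-mail it carries, and the TLS connection that bypassed the tunnel.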
Investigation into the security and privacy of iOS VPN applications