Investigation into the security and privacy of iOS VPN applications

Jack Wilson, David McLuskie, Ethan Bayne

Research output: Chapter in Book/Report/Conference proceedingConference contribution

1024 Downloads (Pure)


Due to the increasing number of recommendations for people to use Virtual Private Networks (VPNs) to protect their privacy, more application developers are creating VPN applications and publishing them on the Apple App Store and Google Play Store. In this ‘gold rush’, applications are being developed quickly and, in turn, not being developed with security in mind.

This paper investigated a selection of VPN applications available on the Apple App Store (for iOS devices) and tested the applications for security and privacy issues. This includes testing for any traffic being transmitted over plain HTTP, DNS leakage and transmission of personally identifiable information (such as phone number, International Mobile Equipment Identity (IMEI), email address, MAC address) and evaluating the security of the tunneling protocol used by the VPN.

The testing methodology involved installing VPN applications on a test device, simulating network traffic for a pre-defined period of time and capturing the traffic. This allows for all traffic to be analysed to check for anything being sent without encryption. Other issues that often cause de-anonymization with VPN applications such as DNS leakage were also considered.

The research found several common security issues with VPN applications tested, with a large majority of applications still using HTTP and not HTTPS for transmitting certain data. A large majority of the VPN applications failed to route additional user data (such as DNS queries) through the VPN tunnel. Furthermore, just fifteen of the tested applications were found to have correctly implemented the best-recommended tunneling protocol for user security.

Outside of the regular testing criteria, other security anomalies were observed with specific applications, which included outdated servers with known vulnerabilities, applications giving themselves the ability to perform HTTPS interception and questionable privacy policies.

From the documented vulnerabilities, this research proposes a set of recommendations for developers to consider when developing VPN applications.
Original languageEnglish
Title of host publicationARES '20
Subtitle of host publicationProceedings of the 15th International Conference on Availability, Reliability and Security
Place of PublicationNew York
PublisherAssociation for Computing Machinery (ACM)
Number of pages9
ISBN (Print)9781450388337
Publication statusPublished - 25 Aug 2020
Event15th International Conference on Availability, Reliability and Security - Virtual Event, Ireland
Duration: 25 Aug 202028 Aug 2020


Conference15th International Conference on Availability, Reliability and Security
Abbreviated titleARES 2020
Internet address


  • Mobile applications
  • Security vulnerabilities
  • Privacy
  • Virtual Private Network
  • VPN
  • iOS


Dive into the research topics of 'Investigation into the security and privacy of iOS VPN applications'. Together they form a unique fingerprint.

Cite this