Abstract
Due to the increasing number of recommendations for people to use Virtual Private Networks (VPNs) to protect their privacy, more application developers are creating VPN applications and publishing them on the Apple App Store and Google Play Store. In this ‘gold rush’, applications are being developed quickly and, in turn, not being developed with security in mind.
This paper investigated a selection of VPN applications available on the Apple App Store (for iOS devices) and tested the applications for security and privacy issues. This includes testing for any traffic being transmitted over plain HTTP, DNS leakage and transmission of personally identifiable information (such as phone number, International Mobile Equipment Identity (IMEI), email address, MAC address) and evaluating the security of the tunneling protocol used by the VPN.
The testing methodology involved installing VPN applications on a test device, simulating network traffic for a pre-defined period of time and capturing the traffic. This allows for all traffic to be analysed to check for anything being sent without encryption. Other issues that often cause de-anonymization with VPN applications such as DNS leakage were also considered.
The research found several common security issues with VPN applications tested, with a large majority of applications still using HTTP and not HTTPS for transmitting certain data. A large majority of the VPN applications failed to route additional user data (such as DNS queries) through the VPN tunnel. Furthermore, just fifteen of the tested applications were found to have correctly implemented the best-recommended tunneling protocol for user security.
Outside of the regular testing criteria, other security anomalies were observed with specific applications, which included outdated servers with known vulnerabilities, applications giving themselves the ability to perform HTTPS interception and questionable privacy policies.
From the documented vulnerabilities, this research proposes a set of recommendations for developers to consider when developing VPN applications.
This paper investigated a selection of VPN applications available on the Apple App Store (for iOS devices) and tested the applications for security and privacy issues. This includes testing for any traffic being transmitted over plain HTTP, DNS leakage and transmission of personally identifiable information (such as phone number, International Mobile Equipment Identity (IMEI), email address, MAC address) and evaluating the security of the tunneling protocol used by the VPN.
The testing methodology involved installing VPN applications on a test device, simulating network traffic for a pre-defined period of time and capturing the traffic. This allows for all traffic to be analysed to check for anything being sent without encryption. Other issues that often cause de-anonymization with VPN applications such as DNS leakage were also considered.
The research found several common security issues with VPN applications tested, with a large majority of applications still using HTTP and not HTTPS for transmitting certain data. A large majority of the VPN applications failed to route additional user data (such as DNS queries) through the VPN tunnel. Furthermore, just fifteen of the tested applications were found to have correctly implemented the best-recommended tunneling protocol for user security.
Outside of the regular testing criteria, other security anomalies were observed with specific applications, which included outdated servers with known vulnerabilities, applications giving themselves the ability to perform HTTPS interception and questionable privacy policies.
From the documented vulnerabilities, this research proposes a set of recommendations for developers to consider when developing VPN applications.
| Original language | English |
|---|---|
| Title of host publication | ARES '20 |
| Subtitle of host publication | Proceedings of the 15th International Conference on Availability, Reliability and Security |
| Place of Publication | New York |
| Publisher | Association for Computing Machinery (ACM) |
| Number of pages | 9 |
| ISBN (Print) | 9781450388337 |
| DOIs | |
| Publication status | Published - 25 Aug 2020 |
| Event | 15th International Conference on Availability, Reliability and Security - Virtual Event, Ireland Duration: 25 Aug 2020 → 28 Aug 2020 https://www.ares-conference.eu/conference-2020/ |
Conference
| Conference | 15th International Conference on Availability, Reliability and Security |
|---|---|
| Abbreviated title | ARES 2020 |
| Country/Territory | Ireland |
| Period | 25/08/20 → 28/08/20 |
| Internet address |
Keywords
- Mobile applications
- Security vulnerabilities
- Privacy
- Virtual Private Network
- VPN
- iOS