DOI: 10.1145/3407023.3407029
Research article
Investigation into the security and privacy of iOS VPN applications

Published: 25 August 2020

Abstract

Due to the increasing number of recommendations for people to use Virtual Private Networks (VPNs) to protect their privacy, more application developers are creating VPN applications and publishing them on the Apple App Store and Google Play Store. In this 'gold rush', applications are being developed quickly and, in turn, without security in mind.
This paper investigated a selection of VPN applications available on the Apple App Store (for iOS devices) and tested them for security and privacy issues. This includes testing for any traffic transmitted over plain HTTP, DNS leakage and transmission of personally identifiable information (such as phone number, International Mobile Equipment Identity (IMEI), email address and MAC address), and evaluating the security of the tunneling protocol used by the VPN.
The testing methodology involved installing each VPN application on a test device, simulating network traffic for a pre-defined period of time and capturing the traffic. This allows all traffic to be analysed for anything sent without encryption. Other issues that often cause de-anonymization with VPN applications, such as DNS leakage, were also considered.
The research found several common security issues among the VPN applications tested: a large majority still used HTTP rather than HTTPS for transmitting certain data, and a large majority failed to route additional user data (such as DNS queries) through the VPN tunnel. Furthermore, just fifteen of the tested applications were found to have correctly implemented the best-recommended tunneling protocol for user security.
Outside of the regular testing criteria, other security anomalies were observed with specific applications, including outdated servers with known vulnerabilities, applications giving themselves the ability to perform HTTPS interception, and questionable privacy policies.
From the documented vulnerabilities, this research proposes a set of recommendations for developers to consider when developing VPN applications.
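The capture-and-inspect step described above can be reproduced offline. What follows is an added example, not code from the paper or from any of the tested applications: a small Python checker that runs the three checks the abstract names (cleartext HTTP, DNS queries escaping the tunnel, personally identifiable information in cleartext payloads) over a constructed capture. The interface names, the tunnel resolver address 10.8.0.1 and the sample packets are assumptions; the DNS query builder and parser follow the real wire format, and IMEI candidates are filtered with the Luhn check digit so that any fifteen-digit number is not reported.

```python
"""Offline leak checks over a (constructed) traffic capture from a VPN test device."""
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TUNNEL_IFACE = "utun0"          # assumed: the VPN's tunnel interface on iOS
TUNNEL_DNS = {"10.8.0.1"}       # assumed: resolver the VPN pushes to the client


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    iface: str      # interface the packet left on
    dst: str        # destination IPv4 address
    dport: int      # destination port
    payload: bytes  # transport payload


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query (used only to construct sample traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)              # QTYPE A, QCLASS IN


def parse_dns_qname(payload: bytes) -> Optional[str]:
    """Return the first question name of a DNS query, or None if not a query."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount == 0:   # QR bit set means a response
        return None
    labels, i = [], 12
    while i < len(payload):
        ln = payload[i]
        i += 1
        if ln == 0:
            break
        if ln & 0xC0:                    # compression pointers are not valid here
            return None
        labels.append(payload[i:i + ln].decode("ascii", "replace"))
        i += ln
    return ".".join(labels)


def http_request_target(payload: bytes) -> Optional[str]:
    """Return host+path if the payload is a readable (hence cleartext) HTTP request."""
    m = re.match(rb"(GET|POST|PUT|HEAD|DELETE|PATCH) (\S+) HTTP/1\.[01]\r\n", payload)
    if not m:
        return None
    host = re.search(rb"\r\nHost: ([^\r\n]+)", payload)
    return (host.group(1).decode() if host else "?") + m.group(2).decode()


def luhn_ok(digits: str) -> bool:
    """Luhn check digit as used by IMEI; rejects most random 15-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PII_PATTERNS = {
    "email": re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "mac": re.compile(rb"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "imei": re.compile(rb"\b\d{15}\b"),
}


def find_pii(payload: bytes) -> List[Tuple[str, str]]:
    hits = []
    for kind, pat in PII_PATTERNS.items():
        for m in pat.finditer(payload):
            value = m.group(0).decode("ascii", "replace")
            if kind == "imei" and not luhn_ok(value):
                continue
            hits.append((kind, value))
    return hits


def analyse(packets: List[Packet], tunnel_iface: str = TUNNEL_IFACE,
            tunnel_dns=TUNNEL_DNS) -> Dict[str, list]:
    findings: Dict[str, list] = {"plain_http": [], "dns_leak": [], "pii": []}
    for p in packets:
        if p.proto == "udp" and p.dport == 53:
            qname = parse_dns_qname(p.payload)
            # A query on the physical interface, or to a resolver other than the
            # tunnel's, is visible to the local network: that is the DNS leak.
            if qname and (p.iface != tunnel_iface or p.dst not in tunnel_dns):
                findings["dns_leak"].append((p.iface, p.dst, qname))
        elif p.proto == "tcp":
            target = http_request_target(p.payload)
            if target:
                findings["plain_http"].append((p.dst, target))
        for kind, value in find_pii(p.payload):   # only cleartext can match
            findings["pii"].append((p.dst, kind, value))
    return findings


# Constructed sample capture (not real traffic from any application).
SAMPLE_CAPTURE = [
    Packet("udp", "en0", "8.8.8.8", 53, build_dns_query("ads.example.net")),
    Packet("udp", "utun0", "10.8.0.1", 53, build_dns_query("api.example-vpn.test")),
    Packet("tcp", "utun0", "203.0.113.10", 80,
           b"GET /v1/register?imei=490154203237518&mac=02:00:00:00:00:00 HTTP/1.1\r\n"
           b"Host: api.example-vpn.test\r\nX-User: user@example.com\r\n\r\n"),
    Packet("tcp", "utun0", "203.0.113.10", 443,
           bytes.fromhex("160301002a010000260303") + bytes(32)),   # TLS ClientHello stub
]

if __name__ == "__main__":
    for category, items in analyse(SAMPLE_CAPTURE).items():
        print(category, items)
```

In practice the `Packet` records would be produced from a pcap (for example with scapy or `tshark -T fields`), with the interface taken from the capture file. The HTTP check deliberately ignores the port: a request that can be parsed from the raw payload is cleartext whichever port it uses.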

Cited By

  • Privacy risk analysis and metrics in capturing and storing network traffic. 2023 24th International Conference on Control Systems and Computer Science (CSCS), pp. 580-585, May 2023. DOI: 10.1109/CSCS59211.2023.00097
  • MVDroid: an android malicious VPN detector using neural networks. Neural Computing and Applications 35(29), 21555-21565, 3 April 2023. DOI: 10.1007/s00521-023-08512-1
Published In

ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security
August 2020, 1073 pages
ISBN: 9781450388337
DOI: 10.1145/3407023
Program Chairs: Melanie Volkamer, Christian Wressnegger

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. VPN
2. iOS
3. mobile
4. privacy
5. security
6. virtual private network

Qualifiers

• Research-article

Conference

ARES 2020

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%
