an analysis of the privacy and security risks of android ... · android vpn permission-enabled apps...
TRANSCRIPT
www.data61.csiro.au
An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps
Muhammad Ikram (UNSW, Data61, CSIRO), Narseo Vallina-Rodriguez (ICSI, IMDEA Networks), Suranga Seneviratne (Data61, CSIRO), Mohamed Ali Kaafar (Data61, CSIRO), Vern Paxson (UC Berkeley, ICSI)
Privacy and Security Risks of Android VPN Permission-enabled Apps | Muhammad Ikram
Typical VPN Use Cases
VPN Tunnel
• Geo-filtered content
• Anti-surveillance
• Censorship
• Untrusted networks
Android VPN API
• Available since Android ≥ 4.0 (Ice Cream Sandwich)
• Highly sensitive API
+ Protected by BIND_VPN_SERVICE
+ Requires user's direct action
- Users may not understand VPN technology
- Lack of apps' vetting process
Are VPN Android apps trustworthy?
Approach
1. Static Analysis
2. Network Measurements
Some salient results
• Malware presence
• Traffic leak
• JavaScript injection and TLS interception
38% of VPN apps have malware presence (VirusTotal)
18% of VPN apps do not use encrypted tunnels
84% leak IPv6 traffic
66% leak DNS traffic
2 apps inject JavaScript code
4 apps implement TLS interception
Agenda
• VPN App Detection and Methodology
• Passive Analysis
• Network Measurements
• Summary
• Developer's feedback
Methodology
[Figure: methodology pipeline. Labels: Google Play Crawl (1.4M+ Apps); VPN App Detection and Classification; Static Analysis; Network Measurements; Executables and metadata (apps description, reviews, etc.)]
Identified VPN App
App Category                          # of apps found (N = 283)
Free VPN apps with Free services      130
Free VPN apps with Premium services   153
Analyzed VPN Apps - Evolution
[Figure labels: Android 4.0 release date; Estimated Release Date]
User installs and ratings
37% of apps > 500K installs
55% of apps > 4-star rating
Static Analysis
67% of Android VPN apps claim privacy and security enhancement features
Access to Sensitive Data and Resources
• 82% of the VPN apps request sensitive permissions
• READ_LOGS (14%)
• READ_SMS (6%)
• READ_CONTACTS (6%)
• WRITE_SMS (4%)
Limitation: is the use of those permissions legitimate?
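An added example (not the authors' tooling): one way to flag a VPN permission-enabled app from its manifest and list which of the sensitive permissions named above it requests. It assumes a manifest already decoded to text (for instance by apktool); the sample manifest, package name and service name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
VPN_BIND = "android.permission.BIND_VPN_SERVICE"
# Sensitive permissions listed on the slide above.
SENSITIVE = {"READ_LOGS", "READ_SMS", "READ_CONTACTS", "WRITE_SMS"}

# Constructed sample manifest in decoded text form; not taken from a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_LOGS"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
""".strip()


def audit_manifest(manifest_xml):
    """Return (vpn_services, sensitive_permissions) for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    # A VPN-enabled app declares a <service> guarded by BIND_VPN_SERVICE.
    vpn_services = [
        svc.get(ANDROID_NS + "name")
        for svc in root.iter("service")
        if svc.get(ANDROID_NS + "permission") == VPN_BIND
    ]
    requested = set()
    # Permissions can be requested through either element.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for perm in root.iter(tag):
            name = perm.get(ANDROID_NS + "name", "")
            requested.add(name.rsplit(".", 1)[-1])
    return vpn_services, sorted(requested & SENSITIVE)


if __name__ == "__main__":
    services, sensitive = audit_manifest(SAMPLE_MANIFEST)
    print("VPN services:", services)
    print("Sensitive permissions:", sensitive)
```

As the limitation above notes, a match only shows that a permission is requested, not whether its use is legitimate.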
3rd-party Tracking Libraries
• 67% of VPN apps include 3rd-party tracking libraries
Malware Presence
• Scanner: VirusTotal aggregator
• AV-rank: number of AV tools reporting malware
• 38% of VPN apps contain malware; 4% have AV-rank ≥ 5
Network Measurements
Testbed
Traffic manipulations
• Manually tested each vantage point reported in the app
• 18% of apps do not inform about the terminating end-point
• 4% of VPN apps intercept traffic on localhost
• 16% use vantage points hosted on residential networks (Spamhaus PBL)
Forwarding models
1lt.su
USERS HAVE NO CONTROL!
maxhane.com
qudosteam.com
DNS and IPv6 Leakages
• 18% of apps do not use encrypted tunnels
• 84% of VPN apps leak IPv6 traffic
• 66% of VPN apps leak DNS queries
Users can potentially be subject to in-path modification, profiling, redirection, and censorship.
Ad blocking and JavaScript Injection
• DOM-based analysis
• Top 30 Alexa sites, reference website and seven e-commerce sites
TLS Interception
• Analysed certificates from 60 websites/domains
• Apps compromise root store
Domain (port)                Neopard   DashVPN   DashNet   Packet Capture
amazon.com                   ❌        ✅        ❌        ✅
gmail.com                    ✅        ✅        ✅        ✅
orcart.facebook.com (8883)   ✅        ❌        ❌        ✅
bankofamerica.com            ✅        ✅        ✅        ✅
hsbc.com                     ❌        ✅        ❌        ✅
More details:
“And isn’t it ironic?”
• Do users care?
• Manually analysed negative reviews (4.5K) (1- and 2-Stars)
• < 1% of the negative reviews raised privacy and security concerns
Summary
• 38% of apps have malware presence
• 67% of apps have at least one third-party tracking library
• 66% of VPN apps have DNS leakages and 84% have IPv6 leakages
• 2 VPN apps perform JS-injection for ads, tracking, and redirections
• 4 VPN apps perform TLS interception
Developer Feedback and Reactions
“…Appflood [third-party library] was the best choice to monetize the app”.
Now: ads- and tracking-free app
Confirmed JS-Injections for tracking users and showing their own advertisements
Now: status quo
Developer Feedback and Reactions
November 2015    October 2016
15 AV-RANK       1 AV-RANK
“…we will promise these problems never occur again.”