Abstract
Free VPN apps have gained popularity among millions of users due to their convenience, and have been massively used for accessing blocked sites and preventing network eavesdropping. As a popular open-source VPN solution, OpenVPN is widely used by developers to implement their own VPN services. Despite the prevalence of OpenVPN, it can be insecurely customized and deployed by developers in lack of security guide.
In this paper, we perform a systematic security analysis of 84 popular OpenVPN-based apps on the Google Play store. We analyze the deployment security of OpenVPN on Android from the aspects of client profile, code implementation, and permission management. Our experiment reveals three types of misconfigurations that exist in several apps: insecure customized protocols, weak authentication at the client side, and incorrect file permissions on Android. The misconfigurations found by us can lead to some serious attacks, such as VPN traffic decryption and Man-in-the-Middle attacks, endangering millions of users’ privacy. Our work shows that, although OpenVPN protocol itself has withstood security analysis, insecure custom modification and configuration can still compromise the security of VPN apps. We then discuss potential causes of these misconfigurations and make practical recommendations for developers to securely deploy OpenVPN services.
This work was partially supported by the Key Program of National Natural Science Foundation of China (Grants No. U1636217), the Major Project of the National Key Research Project (Grants No. 2016YFB0801200), and the Technology Project of Shanghai Science and Technology Commission under Grants No. 15511103002.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Android keystore system. https://developer.android.com/reference/java/security/KeyStore.html
Android vpn service documentation. https://developer.android.com/reference/android/net/VpnService.html
Bro network security monitor. https://www.bro.org
Detailed vpn comparison chart. https://thatoneprivacysite.net/vpn-comparison-chart/
Google play downloader via command line. https://github.com/matlink/gplaycli
Google-play-scraper. https://github.com/facundoolano/google-play-scraper
The heartbleed bug. http://heartbleed.com/
Nvpn antidpi. http://www.nvpn.net/. Accessed 21 July 2017
Openvpn for android source code. https://github.com/schwabe/ics-openvpn
Openvpn management interface. https://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html
Openvpn manual page. https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Openvpn mitm protection. https://openvpn.net/index.php/open-source/documentation/howto.html#mitm
Openvpn obfuscation patch. https://github.com/siren1117/openvpn-obfuscation-release/
Openvpn patch from tunnelblick. https://github.com/Tunnelblick/Tunnelblick/tree/master/third_party/sources/openvpn/openvpn-2.4.3/patches
Openvpn security overview. https://openvpn.net/index.php/open-source/documentation/security-overview.html
Openvpn source code. https://github.com/OpenVPN/openvpn
Openvpn traffic obfuscation guide. https://community.openvpn.net/openvpn/wiki/TrafficObfuscation
Xorpatch in openvpn forum. https://forums.openvpn.net/viewtopic.php?f=15&t=12605&hilit=openvpn_xorpatch
Xorpatch source code. https://github.com/clayface/openvpn_xorpatch
Zpn antidpi. https://zpn.im/blog/total-anonymity-connectivity-antidpi. Accessed 21 July 2017
Appelbaum, J., Ray, M., Koscher, K., Finder, I.: vpwns: virtual Pwned networks. In: 2nd USENIX Workshop on Free and Open Communications on the Internet. USENIX Association (2012)
Bhargavan, K., Leurent, G.: On the practical (in-) security of 64-bit block ciphers: collision attacks on HTTP over TLS and OpenVPN. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 456–467. ACM (2016)
Peter, G.: Linux’s answer to MS-PPTP. https://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt
Ikram, M., Vallina-Rodriguez, N., Seneviratne, S., Kaafar, M.A., Paxson, V.: An analysis of the privacy and security risks of android VPN permission-enabled apps. In: Proceedings of the 2016 ACM on Internet Measurement Conference, pp. 349–364. ACM (2016)
Perta, V.C., Barbera, M.V., Tyson, G., Haddadi, H., Mei, A.: A glance through the VPN looking glass: IPv6 leakage and DNS hijacking in commercial VPN clients. Proc. Priv. Enhanc. Technol. 2015(1), 77–91 (2015)
Quarkslab: Security assessment of openvpn. https://blog.quarkslab.com/security-assessment-of-openvpn.html. Accessed 21 July 2017
Shao, Y., Ott, J., Jia, Y.J., Qian, Z., Mao, Z.M.: The misuse of android unix domain sockets and security implications. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 80–91. ACM (2016)
White, K.: Most VPN services are terrible. https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa. Accessed 21 July 2017
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Zhang, Q., Li, J., Zhang, Y., Wang, H., Gu, D. (2018). Oh-Pwn-VPN! Security Analysis of OpenVPN-Based Android Apps. In: Capkun, S., Chow, S. (eds) Cryptology and Network Security. CANS 2017. Lecture Notes in Computer Science(), vol 11261. Springer, Cham. https://doi.org/10.1007/978-3-030-02641-7_17
Download citation
DOI: https://doi.org/10.1007/978-3-030-02641-7_17
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-02640-0
Online ISBN: 978-3-030-02641-7
eBook Packages: Computer ScienceComputer Science (R0)