Abstract
In the mobile domain, VPN applications promise an additional layer of protection for wireless connections. They offer users the choice to improve the security of their connections; however, we have only very limited knowledge about the technical implications of the shift from desktop to mobile applications. In this work, we conduct a quantitative analysis of selected Android VPNs and demonstrate how all of them leak packets during an active tunnel. We conduct these measurements for different phones and in varying use case scenarios, including the comparison of Wi-Fi and 4G connections, to get a better understanding of how the mobile setting influences the security of a VPN. While we observe leaks in all combinations, some settings in particular cause the transmission of thousands of unprotected packets. We further conduct a series of case studies to provide some first insights into the causes of the observed leakage.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Heijligenberg, T., Lkhaouni, O., Kohls, K. (2022). Leaky Blinders: Information Leakage in Mobile VPNs. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2022. Lecture Notes in Computer Science, vol 13285. Springer, Cham. https://doi.org/10.1007/978-3-031-16815-4_26
DOI: https://doi.org/10.1007/978-3-031-16815-4_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-16814-7
Online ISBN: 978-3-031-16815-4
eBook Packages: Computer Science, Computer Science (R0)