Professional Documents
Culture Documents
Un Analisis de Privacidad y Seguridad Acerca Android VPN Permission-Enabled Apps
Un Analisis de Privacidad y Seguridad Acerca Android VPN Permission-Enabled Apps
349
remains opaque for the end-user. 18% of the apps do not Vendor Custom Permission
mention the entity hosting the terminating VPN server. Cisco com.cisco.anyconnect.vpn.android.MODIFY_VPN
Our network measurements also suggest that 16% of the Juniper com.juniper.permission.JUNIPER_VPN_ACCESS
analyzed apps may forward traffic through other partici- Samsung android.permission.sec.MDM_VPN
pating users in a peer-forwarding fashion rather than us- KNOX android.permission.sec.MDM_ENTERPRISE_VPN
ing machines hosted in the cloud. This forwarding model Table 1: Custom VPN permissions for MDM apps.
raises a number of trust, security and privacy concerns for
participating users. Finally, 4% of the analyzed VPN apps
The BIND_VPN_SERVICE permission is a powerful
use the VPN permission to implement localhost proxies
Android feature that app developers can misuse or abuse. It
to intercept and inspect user traffic locally, primarily for
allows the requesting app to intercept, manipulate and for-
antivirus and traffic filtering purposes.
ward all user’s traffic to a remote proxy or VPN server of
• (Lack of) Encryption and traffic leaks: 18% of the their choice or to implement proxies in localhost [97].
VPN apps implement tunneling protocols without encryp- Android’s VPN API exposes a virtual network interface
tion despite promising online anonymity and security to to the requesting app and — if the developer configures cor-
their users. In fact, approximately 84% and 66% of the rectly the routing tables — routes all the device’s traffic to
analyzed VPN apps do not tunnel IPv6 and DNS traf- it. Likewise, each write operation to the virtual interface
fic through the tunnel interface respectively due to lack injects a packet just like it was received from the external
of IPv6 support, misconfigurations or developer-induced interface. As for any other Android permission, app devel-
errors. Both the lack of strong encryption and traffic leak- opers must explicitly declare access to the VPN permission
ages can ease online tracking activities performed by in- in the app’s AndroidManifest file [2] but Android lim-
path middleboxes (e.g., commercial WiFi APs harvesting its the creation and ownership of the virtual interface to only
user’s data) and by surveillance agencies. one app at a given time.
Due to the exceptional security and privacy risks of al-
• In-path proxies and traffic manipulation: 16% of the lowing third-party apps to intercept all user’s traffic, An-
analyzed VPN apps deploy non-transparent proxies that droid generates two warnings to notify users whenever an
modify user’s HTTP traffic by injecting and removing app creates a virtual interface using the VPN permission: (i)
headers or performing techniques such as image transcod- a system dialog seeking users approval to create a virtual
ing. However, the artifacts implemented by VPN apps interface, and (ii) a system-generated notification that in-
go beyond the typical features present in HTTP proxies. forms users as long as the VPN interface remains active [60].
We identified two VPN apps actively injecting JavaScript However, average mobile users may not fully understand,
code on user’s traffic for advertisement and tracking pur- possibly due to the lack of technical background, the conse-
poses and one of them redirects e-commerce traffic to ex- quences of allowing a third-party app to read, block and/or
ternal advertising partners. modify their traffic.
• TLS interception: Four of the analyzed VPN apps com- Custom VPN permissions: Android’s native VPN support
promise users’ root-store and actively perform TLS inter- has enabled proprietary VPN solutions for enterprise clients
ception in the flight. Three of these apps claim providing such as Cisco AnyConnect [5] and Juniper Junos [28] tech-
traffic acceleration services and selectively intercept traf- nologies. Enterprise solutions, also known as Mobile De-
fic to specific online services like social networks, bank- vice Management solutions or MDM, implement their own
ing, e-commerce sites, email and IM services and analyt- tunneling protocols on top on Android’s VPN permission to
ics services. secure and simplify remote access to enterprise or private
networks. Samsung’s KNOX SDK [101] is a different incar-
Our results show that — in spite of the promises for pri- nation of proprietary MDM solutions. In that case, Samsung
vacy, security and anonymity given by the majority of VPN takes advantage from its position as an Android OS vendor
apps — millions of users may be unawarely subject to poor to completely replace Android’s VPN implementation at the
security guarantees and abusive practices inflicted by VPN firmware level with their own solution.
apps. However, this study has not answered several inter- Android’s permission model allows MDM providers to
esting research questions such as traffic discrimination [86] share their VPN technologies with other apps by defining
and the detection of side-channels to extract additional pri- custom permissions. These are listed in Table 1. The re-
vate information from user’s phones. questing app must declare the associated custom permission
on its manifest and the app providing the proprietary tech-
2. ANDROID’S VPN PERMISSION nology must be already installed on the device. In the case of
Google introduced native platform support for VPN Samsung’s KNOX-enabled devices, the app developer wish-
clients through the VPN Service base class and its as- ing to incorporate any KNOX feature in its app must first
sociated BIND_VPN_SERVICE permission in Android enroll on Samsung’s KNOX program and then request ac-
version 4.0 [60]. For simplicity, we will reference the cess to the proprietary SDK [29, 45]. As a result, Android
BIND_VPN_SERVICE permission as the “VPN permis- VPN apps without KNOX support may operate incorrectly
sion”. on many Samsung devices. The security guarantees that ap-
350
ply for the official VPN permission also apply for custom App pricing model
# of apps # of apps
VPN permissions as the MDM solution is responsible to re- (N = 283) analyzed in § 5
quest Android’s BIND_VPN_SERVICE permission. Free VPN apps with Free Services 130 130
Free VPN apps with Premium Services 153 20
3. DISCOVERING VPN APPS ON Table 2: Number of VPN apps identified with our detection
GOOGLE PLAY method.
This section describes our method for identifying and 300
Cummulative # of Apps
Free VPN Apps
characterizing Android VPN-enabled apps on Google Play. Premium VPN Apps
200 All VPN Apps
3.1 Detection Method
Identifying VPN-enabled apps on Google Play is not a 100
trivial task. The list of permissions available on a given app’s
Google Play profile does not necessarily contain the use of 0
9 0 0 1 1 2 2 3 3 4 4 5 5
Nov‘0 May‘1 Nov‘1 May‘1 Nov‘1 May‘1 Nov‘1 May‘1 Nov‘1 May‘1 Nov‘1 May‘1 Nov‘1
the VPN permission by the app.
App developers can request the Android VPN permissions Figure 1: Evolution of VPN-enabled apps’ availability on
in their app AndroidManifest file in two different ways: Google Play.
they can request the VPN permission within the scope of the
whole app or restrict its use to a specific activity or service1 published by the same developer. In total, this method has
using the <activity> and <service> tags respectively. This allowed us to survey 1,488,811 apps during a three week pe-
subtle difference has an impact on any method aiming to de- riod in September 2015.
tect VPN-enabled apps: when a developer declares the per- Our method has allowed us to identify 283 free
mission within the <service> tag, the VPN permission does Android apps requesting the VPN permission in their
not show up in the list of Android permissions available on AndroidManifest files. 153 of free VPN apps require
Google Play. Consequently, in order to correctly identify the user to perform in-app purchases in order to use their
VPN-enabled apps at scale — either those using Android’s online VPN services. We refer to such apps as “premium
official permission or any of the custom VPN permissions VPN apps” and they typically offer weekly, monthly, quar-
listed in Table 1 —, we must crawl Google Play to down- terly and yearly subscriptions. In the case of paid apps, we
load each app’s executable and then decompile it to inspect relied on information available on the app description as sig-
their AndroidManifest file in detail. nals to identify potential paid VPN apps. This is the result of
We rely on multiple tools to fetch each app’s metadata our inability to pay the fee for downloading the executables
(e.g., app description, installs, developer, user reviews and of each paid app listed on Google Play. This approach has
app rating) and to download their executables. For free apps, allowed us to find 10 potential VPN paid apps. However, af-
we use Google Play Unofficial Python API [21] whereas for ter paying their fee to download their executables, only one
paid apps, we use Raccoon APK Downloader to obtain the of them actually requested the VPN permission. Therefore,
binaries after paying their required fee [43]. Finally, after we decided to exclude paid VPN apps from this study.
having downloaded each app’s executable, we use ApkTool2 Our dynamic network analysis (presented in Section 5)
to decompile, extract and analyze each app’s source code covers the 130 free apps and 20 premium VPN apps. Un-
and their AndroidManifest file. fortunately, we could not inspect the entirety of premium
To increase our app coverage and maximize the num- VPN apps as most of them are full MDM solutions which
ber of detected VPN apps, we implemented a Google Play require dedicated IT and cloud support. Table 2 summarizes
crawler that uses two complementary seeds. First, we ob- the scope of our static and dynamic analysis.
tain the app ID (or package name) from the top 100 apps
for four Google Play categories likely to contain VPN and 3.2 The Rise of VPN Apps
MDM apps: tools, communication, business and productiv- This section studies the presence of VPN-enabled apps
ity. Second, we leverage Google Play’s search feature to find available for download on Google Play over time. Given
apps containing VPN-related keywords like “vpn”, “virtual that Google Play does not report the actual release date of
private network”, “security”, “censorship”, “anonymity” or the apps but their last update, we use the date of their first
“privacy” in their app description. Afterwards, our crawler comment as a proxy for their release date. For 9 apps with-
fetches each app’s metadata and executables. Our crawler out any user reviews as of this writing, we determine the
follows a breadth-first-search approach for any other app approximate release date by their last update.
considered as “similar” by Google Play and for other apps Figure 1 shows the steady increase of VPN apps’ listed
1 on Google Play since November 2011 (Android 4.0 release).
Android apps can be composed of multiple activities (i.e., app
Note that our analysis only considers apps listed on Google
components that run on the foreground on a single screen and re-
quire user interaction) and services (i.e., app components that per- Play as of September 2015 so it excludes possible VPN apps
form long-running operations in the background) [3]. Permission removed from Google Play. During the 2-year period that
requests can be limited to specific app components. spans between November 2011 and November 2013, the
2
https://ibotpeaches.github.io/apktool number of VPN apps increased ten-fold.
351
App Category % of Apps (N = 283) wall [34]) and even apps for securing online payments (e.g.,
VPN Clients 67 Fast Secure Payment [17]).
Enterprise 10
Traffic Optimizer 4
Communication Tools 3
4. STATIC ANALYSIS
Traffic filters 2 In this section, we analyze the source code for each VPN
Traffic logger 2 Android app using static analysis. In particular, we report
Antivirus 1
Tor clients 1 on applications requesting sensitive permission analysis, the
Other 10 presence of tracking libraries in app’s decompiled source
code and the presence of malware activity according to the
Table 3: Manual classification of VPN apps by their purpose.
online antivirus aggregator, VirusTotal3 .
352
80
60
% of Apps
All VPN Apps Free non−VPN Apps Free VPN Apps Premium VPN Apps
40
20
0
E
GE
N
S
KS
GS
OW
S
G
IVE
TE
GS
TS
LS
GS
MS
TS
MS
MS
MS
MIN
RY
SE
AG
TAT
NT
SE
ICE
NT
RK
RK
ON
RIT
TE
TIO
TIO
AR
SE
LIN
STA
TIA
AC
TAC
AS
EN
O
RA
TIN
_LO
TIN
_S
_S
_S
_S
CE
IND
AD
E
OU
ES
OU
MA
MA
RU
GU
R
T
PH
CA
CA
CU
_S
BIL
RV
NT
T_T
PL
EN
AD
IVE
ITE
ND
LIC
EN
TO
TO
IFI_
RE
ET
ET
ON
E_
OC
AD
_W
E
CC
CC
NE
OK
OK
LL_
EY
LO
_LO
SE
SE
CO
OM
INV
RE
UP
L_S
L_S
ED
SE
WR
K_
GE
_S
_S
CE
VIC
_C
_W
RE
PR
_K
RT
T_A
_A
HO
E_
BO
BO
_G
M_
CA
_
T_C
EC
_S
NE
ITE
CR
AD
RE
M_
AD
ITE
NA
NA
DE
LE
GE
D_
GE
RS
LE
AD
_P
Y_
Y_
MD
SS
GE
CH
_FI
RE
E_
WR
MD
RE
ER
ER
OO
AB
_A
WR
UN
E_
NA
OA
OR
OR
AD
AN
RE
CE
US
SS
EM
DIS
XT
XT
RIS
_B
RO
MA
_C
RE
CH
IST
IST
AC
CE
_E
_E
IVE
ST
SS
RP
KG
_H
_H
AC
ITE
AD
SY
CE
CE
TE
AC
AD
ITE
RE
WR
AC
EN
RE
L_B
RE
WR
KIL
Figure 2: Detailed comparison of Android permissions (x-axis) requested by VPN apps and the top-1,000 non-VPN apps.
VPN Apps Free # App ID Class Rating # Installs AV-rank
# Trackers Premium Free All non-VPN Apps
1 OkVpn [35] Prem. 4.2 1K 24
0 65% 28% 33% 19% 2 EasyVpn [15] Prem. 4.0 50K 22
1 13% 10% 8% 11% 3 SuperVPN [52] Free 3.9 10K 13
2 10% 10% 7% 15% 4 Betternet [19] Free 4.3 5M 13
3 12% 25% 13% 23% 5 CrossVpn [7] Free 4.2 100K 11
4 2% 8% 4% 16% 6 Archie VPN [4] Free 4.3 10K 10
≥5 5% 18% 8% 17% 7 HatVPN [22] Free 4.0 5K 10
8 sFly Network Booster [48] Prem. 4.3 1K 10
Table 4: Distribution of third party trackers embedded in 9 One Click VPN [36] Free 4.3 1M 6
VPN apps. 10 Fast Secure Payment [17] Prem. 4.1 5K 5
353
% of Apps 60
50
40
30 All VPN Apps Free non−VPN Apps Free VPN Apps Premium VPN Apps
20
10
0
ds ics up ics lurry opub r tapp sflyer ng mobi a y l
edi Tapjo xpane encen
t o st e d s p ix er er y
Jirb r tboo sourc nity3 nicAd ckyap tmetr pplifi track sorpa tercis
m
e A nalyt quare shlyt F me In ialm
ogl A Cra
M Sta Ap
p Un Mi T
Ch
a Iron
U so Ho hre
a A app Spon Cri
t
Go ogle S
i l l enn u per T b i l e
Go M S Mo
Figure 3: Top 25 third-party tracking libraries (x-axis) in VPN and non-VPN apps.
354
App Class Rating # Reviews # Installs AV-positive
EasyOvpn [14] Free 4.2 84,400 5M 3
VPN Free [58] Prem. 4.0 15,788 1M 3
Tigervpns [55] Free 4.1 36,617 1M 3
DNSet [11] Prem. 4.0 21,699 500K
CM Data Manager [6] Prem. 4.3 11,005 1M
Rocket VPN [44] Free 4.2 11,625 500K 3
Globus VPN [62] Free 4.3 14,273 500K
Spotflux VPN [50] Free 4.0 14,095 500K
CyberGhost [8] Free 4.0 13,689 500K 3
355
to improve spam detection so they can be considered as an
356
App Class # ASs Residential AS(%) Exogenous Traffic Protocol Free Apps Premium Apps
Open Gate [37] Free 54 70% OpenVPN 14% 20%
VPN Gate [59] Free 40 60% L2TP/IPSec 5% 0%
VyprVPN [63] Free 2 50% SOCKS 4% 0%
OneClickVPN [36] Free 57 53%
UDP:80 0% 10%
Tigervpns [55] Free 6 16% TLS (TCP:443) 15% 10%
StrongVPN [51] Prem. 59 14% Unidentified
DTLS (UDP:443) 13% 25%
Hola [24] Free 41 5% Other ports 30% 25%
HideMyAss [23] Prem. 134 7%
Private WiFi [41] Free 30 7% Unencrypted 19% 10%
VPNSecure [61] Prem. 44 2% Table 10: VPN tunneling protocols observed by our WiFi
Table 9: VPN apps with egress points in residential ISPs. AP for the analyzed VPN apps.
The last column indicates whether we have observed any
possible exogenous flows for such apps. user’s privacy and security. VPN app developers must ex-
plicitly forward IPv6 traffic and provide the DNS settings at
fortunately, limits our ability to make a clear distinction be- the time of creating the virtual interface programmatically.
tween VPN apps implementing cloud- and peer-forwarding, If not done carefully, DNS and IPv6 traffic may not be for-
or even hybrid approaches. warded through the virtual interface [95]. In particular, DNS
6% of the free VPN apps and 15% of the premium VPN leakage can reveal user’s networking activity and interests.
apps relay traffic through residential ISPs. However, due to The VPN API also allows app developers to overwrite user’s
the aforementioned challenges, instead of attempting to clas- DNS resolver with one of their choice.
sify each VPN app in these categories, we report in Table 9 All these artifacts can become a serious harm for users try-
the percentage of ASes for which we identified a residen- ing to circumvent surveillance or seeking online anonymity
tial egress point and the total number of ASes for each VPN by using VPN apps. To investigate those crucial aspects of
app for reference. Out of these apps, only Hola confirms its VPN apps, we run a script that performs crafted HTTP re-
community-powered nature (P2P) on its website. quests (both over IPv4 and IPv6) as well as DNS lookups
We inspect the packets captured by our WiFi AP to iden- to our dual-stack server under our control. In this section,
tify the presence of exogenous flows which may have been we analyze the pcaps captured by our in-path WiFi AP
forwarded through our device in a peer-to-peer fashion by to investigate the presence of tunnels without encryption in
the VPN engine for other participating users. While run- the wild (i.e., we consider a tunnel implementation as unen-
ning HideMyAss we observed traffic going to JP Morgan crypted if the payload of our custom HTTP requests is seen
and LinkedIn. None of these domains seem to be associ- in the clear by our WiFi AP) and to identify potential IPv6
ated with any of the third-party libraries used by HideMyAss and DNS leaks. We leverage the complementary features
app. Unfortunately, we cannot entirely confirm the origin of provided by a pcap parser [40] and Bro’s comprehensive
these flows to assess whether or not they are endogenous protocol analyzers (which provide support to identify some
to the app as our VPN session may have not lasted long tunneling technologies) [94] to inspect in detail the traffic
enough13 to capture traffic from other participating users. collected for each app.
In the case of Tigervpns, we also identified flows to do- VPN Tunnel Implementations. Table 10 shows the VPN
mains that no longer exist (e.g., for maxhane.com and tunneling protocols that we identified in the pcap traces gath-
qudosteam.com, DNS lookup returned NXDOMAIN and ered by our dual-stack WiFi AP. As mentioned earlier, we
SERFAIL, respectively.). rely on Bro’s suite of protocol parsers to identify the ac-
Nevertheless, the mere possibility of VPN apps following tual protocol used by each VPN apps. Unfortunately, Bro
a peer forwarding model raises up some intriguing questions only provides full support for OpenVPN, L2TP/IPSec and
about their operational transparency and the security guaran- SOCKS tunnels. For the remaining cases, we could not iden-
tees when forwarding traffic through (or on behalf of) other tify their application-layer protocol. Instead, we report the
participating devices, not necessarily trustworthy. transport-layer protocol and the destination port in use. Iden-
tifying the actual protocol would have required us to decrypt
5.2 VPN Protocols and Traffic Leaks the channel to inspect the payload.
Ideally, the traffic forwarded through the VPN tunnel Table 10 reports the different tunneling protocols that our
must be opaque to an in-path observer (e.g., Internet service method allowed us to identify. We observe that OpenVPN
provider, commercial WiFi APs and surveillance agencies). is the most popular tunneling technology both for free and
However, there is a wide range of tunneling protocols, each premium apps (14% and 20% respectively). However, many
with different security guarantees, that can be used by app VPN apps also use some tunneling technology over TLS and
developers to forward traffic out of the device: from secure DTLS [99]. Of particular concern are the 19% and 10% of
IPSec tunnels to basic TCP tunnels without any encryption. free and premium apps using basic TCP tunnels (also known
In addition to insecure tunneling protocols, developer- as “port forwarders”) and insecure HTTP tunnels [75]. As
induced misconfigurations and errors may also undermine our WiFi AP, any in-path middlebox could inspect the pay-
load for those apps in the clear. Therefore, the VPN apps us-
13
For each end-point, a session lasts 180 seconds. ing tunneling protocols without encryption are not protect-
357
ing their user-base from online surveillance and WiFi APs 100
harvesting user’s data.
% of Apps
75
App Category free premium
IPv6 and DNS leaks. We observe that 84% of the analyzed 50
VPN apps do not route IPv6 traffic through the VPN tun- 25
nel. Moreover, 66% of the VPN apps do not forward DNS
0
traffic through the VPN tunnel so any in-path observer can
21 22 25 80 110 135 139 143 161 443 445 465 585 587 993 995 194 723 060 881 001
monitor the DNS networking activity of the user. IPv6 and TCP Port
1 1 5 6 9
358
Website Input Point Partner Network (click event) Referral
alibaba.com anchorfree.us/rdr.php http://www.dpbolvw.net/click-7772790-12173149-1427959067000 NA
ebay.com anchorfree.us/rdr.php http://api.viglink.com/api/click?key=4372c7dabb08e4e38d97c4793cf6edb3 anchorfree.us/contentdiscovery2
Table 11: HotspotShield redirects user traffic to alibaba.com and ebay.com through its partner networks Conversant
Media and Viglink respectively. In the case of target.com, bestbuy.com, overstock.com, newegg.com and
macys.com we observed re-directions to Conversant Media.
(14% of VPN apps), and image transcoding (4% of VPN (or Conversant Media, an online advertising company16 ).
apps). Table 11 contains two samples of such requests. Our tests
also identified a second partner: Viglink17 . According
Ad-Blocking and Tracker-Blocking. Two of the analyzed
to AnchorFree’s website, the app provides “shielded
VPN apps actively block ads and analytics traffic by default
connections, security, privacy enhancement for individ-
on our tested websites: Secure Wireless and F-Secure Free-
uals and small businesses” and an “ad-free browsing”
dome VPN. The apps did not explicitly mention ad-blocking
environment [25].
feature in the Google Play store listings14 . An analysis of
the decompiled source code, using ApkTool, revealed that F- 5.4 TLS Interception
Secure Freedome VPN app blocks any traffic coming from
a pre-defined list of domains associated with web and mo- VPN apps are in a privileged position to perform TLS in-
bile tracking [16] including Google Ads, DoubleClick, and terception [107]. They can compromise the local root cer-
other popular tagging/analytics services such as Google Tag tificate store of the device by injecting their own self-signed
and comScore. However, blacklist-based ad blocking may certificates using Android’s KeyChain API [66]. Once a cer-
affect the functionality of the Webpages and impairs user tificate is installed on the device, the app can intercept the
experience [82, 93]. Specifically, F-Secure Freedome VPN TLS session establishment and generate “legit” certificates
blocks JavaScript code associated with nytimes.com’s — verifiable by the self-signed root certificate injected on
event “TaggingServices” which, as a result, prevents user the trusted certificate root store — on the fly [107]. To limit
access and interaction with embedded relevant video con- potential new venues for abuse, Android requires user’s con-
tent [82]. sent to install root certificates and it shows an additional
system notification that informs the user that a third-party
JavaScript Injection. We identified two free VPN apps can monitor their secure traffic. Only tech-savvy users may
(VPN Services HotspotShield [26] by AnchorFree and WiFi be able to fully understand the security implications of in-
Protector VPN [64]) actively injecting JavaScript codes us- stalling a root certificate.
ing iframes for advertising and tracking purposes. Both We instrumented our Android device with OpenSSL so
apps claim to safeguard user privacy and to provide security that we can capture a copy of the SSL/TLS server certifi-
and anonymization (cf Section 3.3). However, in the case cate when accessing more than 60 popular services operat-
of AnchorFree, they also provide advertising services [25]. ing over SSL including HTTPS, SMTP over TLS, and POP3
Our static analysis of both apps’ source code revealed that over TLS. The services reached in our test include diverse
the actively use more than 5 different third-party tracking and popular services like Google, Gmail, Facebook, Twit-
libraries. The developer team behind WiFi Protector VPN ter, Skype, banking services, CDNs, analytics services and
corroborated our observations and stated that the free version e-commerce sites, many of which are associated with mobile
of its app injects JavaScript code for tracking and displaying apps implementing security countermeasures such as certifi-
their own ads to the users. cate pinning [77, 46].
Traffic Redirection. AnchorFree’s VPN app Hotspot- We validated each server certificate against the ICSI Cer-
Shield performs redirection of e-commerce traffic to tificate Notary to identify possible cases of TLS interception:
partnering domains. When a client connects through 3% of the TLS sessions provided certificates for which the
the VPN to access specific web domains15 , the app ICSI notary could not establish a valid chain to a root cer-
leverages a proxy that intercepts and redirects the HTTP tificate from the Mozilla root store. By inspecting manually
requests to partner websites with the following syntax: each certificate, we identify 4 free VPN apps (developed by
http://anchorfree.us/rdr.php?q=http://www.dpbolvw.net/ 3 different app developers) that actively intercept TLS traffic
click-7772790-12173149-1427959067000. As a re- by issuing self-signed certificates as shown in Table 12. Two
sult, user’s traffic is relayed through two organiza- of the apps implementing TLS interception, DashVPN and
tions before reaching alibaba.com: AnchorFree and DashNet, are implemented by the company ActMobile
dpbolvw.net, a domain owned by valueclick.com A detailed inspection of the domains for which we
recorded self-signed certificates, revealed that only the app
14
Contrary to Google Play listings, F-Secure Freedome VPN Packet Capture performs TLS interception indiscriminately
mentioned its ad-blocking feature on its webiste, https://www.f- for all domains even if the apps perform cert pinning. The
secure.com/. other apps, — Neopard, DashVPN and DashNet all of which
15
During our experiments redirection happened exclusively
16
for websites categorized as e-commerce sites such as http://www.conversantmedia.com
17
alibaba.com. http://www.viglink.com
359
VPN app CA User-warning # Installs order to expose TLS traffic to its users. Likewise, Neopard,
Packet Capture [39] Packet Capture GUI 100K a web acceleration app, also notifies users about the purpose
DashVPN [10] ActMobile 100K of performing TLS interception in order to optimize traffic.
DashNet [9] ActMobile 10K Their privacy policy (April 2016) [32] informs users about
Exalinks Neopard [31] Exalinks Root Privacy Policy 10K
TLS interception and lists “perform mobile usage reviews
Table 12: VPN apps performing TLS interception, the CA for market studies” as one of the purposed of their data col-
signing the forged certificates and if the apps explicitly in- lection process. In the case of DashVPN and DashNet, none
form the user about TLS interception practices in their GUI of them inform users about the purpose of performing TLS
or in their privacy policy. interception at all.
claim to provide traffic acceleration — target specific ser- Summary and takeaways.
vices as reported in Table 13, more inclined towards email Our analysis of VPN apps at the network level has re-
services, social networks search engines and IM. This be- vealed that the majority of VPN apps are not transparent
havior may be a consequence of the nature of the apps and enough about how they handle user’s traffic. Despite the
the intent of the online services that they aim to optimize. promises for security enhancement and online anonymity,
VPN apps may forward user’s traffic through other partici-
Domain (PORT) Neopard DashVPN DashNet
Packet pating nodes following a peer (e.g., Hola) thus opening in-
Capture teresting questions about the trustworthiness of the egress
google-analytics.com points and the security guarantees for users forwarding traf-
mail.google.com fic for others.
mail.yahoo.com Our analysis has also revealed an alarming 18% of VPN
maps.google.com apps that implement tunneling technologies without encryp-
orcart.facebook.com (8883) 8 8 tion as well as 84% and 66% of apps leaking IPv6 and DNS
play.google.com traffic. As a result, these apps do not protect user’s traffic
www.akamai.com 8 8
against in-path agents performing online surveillance or user
www.alcatel-lucent.com 8 8
tracking. We inspect app descriptions on Google Play store
www.amazon.com 8 8
www.avaya.com 8 8
and observe that 94% of the IPv6 and DNS leaking apps
www.bankofamerica.com 8 claim to provide privacy protection. Such traffic leaks may
www.chase.com 8 be associated with developer-induced errors, lack of support
www.cisco.com 8 8 or even misconfigurations.
www.ebay.com 8 8 Finally, we have also identified abusive practices in our
www.facebook.com corpus of VPN apps such as JavaScript injection for track-
www.fring.com 8 ing and advertising purposes, as well as e-commerce traffic
www.gmail.com redirection to affiliated partners and TLS interception. Only
www.google.co.uk one of the apps implementing these practices (i.e., Packet
www.google.com Capture performing TLS interception) actually inform the
www.hotwire.com 8 8 users about the presence of such artifacts.
www.hsbc.com 8 8
www.ibm.com 8 8 5.5 Developers’ responses
www.icsi.berkeley.edu 8
www.linkedin.com 8 8
We contacted and shared our findings with the developers
www.outlook.com 8 of each of the apps we observed as involved in any of the fol-
www.qq.com 8 8 lowing: JavaScript injection, traffic redirection, ad-blocking
www.seagate.com 8 8 and tracker-blocking, exogenous flow, peer-forwarding user
www.simple.com 8 8 traffic, and TLS interception. We also contacted app devel-
www.skype.com 8 opers of apps requesting sensitive permissions, apps that are
www.taobao.com 8 8 negatively reviewed by users, and apps with embedded third-
www.tripadvisor.com 8 8 party tracking libraries. We also contacted apps which our
www.twitter.com tests revealed as possibly containing malware in their APKs.
www.viber.com 8 Amongst the two apps (WiFi Protector and HotspotShield
www.yahoo.com VPN) that our tests identified as performing JavaScript injec-
www.youtube.com 8
tion, WiFi Protector confirmed our findings and stated that
Table 13: Intercepted domains per VPN app. The list only the free version of their app injects JavaScript code to track
prints the TCP port for those different than 443. users and to show their own ads. HotspotShield VPN, which
we identified as also performing traffic redirection, has not
We manually inspected the app’s GUI to check if the apps responded to our correspondence.
inform users about the purpose of performing TLS intercep- The developer behind F-Secure Freedome VPN, we found
tion and what TLS interception implies. Packet Capture sup- that it blocks third-party ads and trackers, confirmed our
ports TLS interception (as an opt-in feature in the app) in findings and elaborated on how they construct their black-
360
lists for third-party trackers- and ads-blocking. The devel- apps from alternative app stores. We also rely on a Google
oper did not respond yet to our inquiries about the crite- Play crawler to extract our corpus of VPN-enabled apps that
ria used to build the blacklists. We have not received any might restrict the app coverage of our study which may miss
response from Secure WiFi that our tests also identified as apps that intentionally (or inadvertently) hide their use of
performing ad-blocking. the VPN permission. Although our apps crawler aims to
We received responses from only three developers of the capture as many VPN-enabled apps as possible, we stress
apps that we observed implementing peer-forwarding of user that our goal is to provide an analysis of the security and
traffic. VyperVPN and VPNSecure confirmed that they have privacy issues of a representative sample of VPN-enabled
some of their end-points located in residential ISPs as they apps from the Google play store. Second, this paper does
may rely on third-party data-centers for hosting their ser- not consider Android apps requesting root access on rooted
vices. Hola’s developer confirmed our findings and explic- phones to intercept user traffic via native commands such as
itly mentioned Hola’s peer-forwarding mechanism. Contacts tcpdump or OpenVPN. Investigating apps falling in this cat-
from other apps detailed in Table 9 have not yet, as of the egory would require conducting a computational- and time-
time of writing of this paper, responded to our requests for expensive static analysis. Third, we do consider runtime
comments or feedback. analysis of third-party tracking libraries and all sensitive per-
Neopard confirmed that they whitelist the domains for missions of VPN apps. Determining what an app do with
which they can optimize traffic and asked for feedback about sensitive permissions such as READ_LOG, READ_SMS, and
how to increase their operational transparency and usability. SEND_SMS and what type of information will third-party
ActMobile, initially, asked for further information about the tracking libraries collect would require fine-grained system-
purpose of this study and who has commissioned and later and network-level trace and traffic analysis.
on, acknowledged our findings, confirmed that they disable Moreover, we identify apps implementing peer forward-
the default TLS-interception functionality in both of the apps ing from the set of VPN apps with public IP addresses la-
(DashVPN and Dashnet). They also reported that, in the beled as residential IPs by Spamhaus PBL. Given that VPN
new version of the apps, they ask for user consent, explic- services can deploy VPN servers in residential ISPs and
itly in the apps’ GUIs, to install and to enable the ActMo- Spamhaus classification is prone to error, our analysis of
bile’s certificates for TLS-interception and traffic accelera- peer forwarding may not be accurate. We consider it as a
tion, respectively. We have not received any response from limitation and one possible extension of the work in this pa-
the developer behind Packet Capture that our tests identified per would be to strengthen our analysis of peer forwarding
as performing TLS-interception. by (i) extending the tests duration to enable tracking of peers
Only one of the apps’ developers, explicitly discussed (running suspected VPN apps); and (ii) analyzing the traf-
in Section 4.1, responded to our findings and confirmed fic flows of an app simultaneously running on two or more
that tigerVPN requests sensitive READ_LOG permission to mobile phones to determine if they forward traffic for each
record and to use it for troubleshooting purposes. They other.
also confirmed that, in the connection log collected via Likewise, our method falls short to analyze the presence
READ_LOG permission, they collect users’ information such of session timeouts and apps’s ability to recover from a loss
as end-points’ IPs, wireless (mobile data connectivity (3G, of connectivity. These dynamics may cause user traffic to
4G, and LTE) or WiFi) connectivity, and error messages. be exposed in the clear to any in-path middlebox for a short
The developer behind Ip-shield VPN that we identified as period of time.
embedding less-popular tracking libraries such as Appflood This paper provides a first detailed analysis of VPN-
for targeted ads argued that the Appflood was the best choice enabled apps but it also leaves many open questions beyond
to monetize the app. The developer also revealed plans to the scope of our analysis. Aspects such as possible traffic
update ad-free version of Ip-shield VPN on Google Play. or device-location discrimination practices [86] or the use
The rest of the developers of the apps with possibly con- of VPN apps as honeypots to harvest personal information
taining malware (cf. Section 4.3), apps that are negatively have not been addressed in this study. In addition, reasons
reviewed by users (cf. Section 4.4), apps that are embed- behind inadequacy of app actual behavior and terms of use
ding third-party tracking libraries (cf. Section 4.2), and the or the the identification of side-channels for the observed
one with exogenous traffic flows (cf. Section 5.1) have not data-exfiltration have been left as pending questions.
yet, as of the time of writing of this paper, responded to our
findings.
7. RELATED WORK
Several studies highlighted the privacy risks associated
6. LIMITATIONS AND FUTURE with Android apps over-requesting Android permissions for
WORK third-party tracking, advertising and analytic services [105,
Our method to identify and characterize VPN apps on 103, 91, 73, 74] using techniques like static analysis [114,
Google Play presents several limitations, many of which are 69, 78, 79], taint analysis [76, 112], and OS modifica-
inherent to static and dynamic analysis [77]. The first lim- tions [83, 100, 105, 81]. Previous research also adapted
itation is app’s coverage: our study is limited to Android’s techniques for malware detection such as signature analy-
free Google Play apps and excludes paid apps, iOS apps and sis [71, 70, 88, 113] and anomaly detection [104, 102] to
361
the mobile context in order to identify potential malicious Acknowledgments
activity on mobile apps. This work was partially supported by the Data61/CSIRO and
Several research efforts leverage Android’s VPN permis- the National Science Foundation (NSF) under grant CNS-
sion to accurately characterize Android’s traffic and identify 1564329. Any opinions, findings, and conclusions or rec-
private data leakage inflicted by mobile apps [90, 97, 106]. ommendations expressed in this material are those of the au-
More related to studying VPN apps, the study conducted by thors or originators and do not necessarily reflect the views
Perta et al. [95] is perhaps the closest one to our analysis. of the Data61/CSIRO or of the NSF. The authors would like
The paper provides a manual analysis of 14 popular VPN to thank our shepherd, Ben Zhao, and the anonymous re-
services and includes a study of their their mobile clients viewers for constructive feedback on preparation of the final
identifying developer-induced bugs and mis-configurations version of this paper. We also thank Nick Kiourtis (Kryp-
that lead to IPv6 and DNS leaks. Our paper provides a sys- towire) and Angelos Stavrou (Kryptowire) for valuable help.
tematic and thorough security and privacy analysis of An-
droid mobile apps employing the VPN permission. The
study by Vallina-Rodriguez et al. characterized Android’s 9. REFERENCES
root certificate store using data provided by Netalyzr for An- [1] Alexa Top 500 Websites. http://www.alexa.com/topsites.
[2] Android Permissions. http://developer.android.com/guide/
droid tool [107]. The study revealed how VPN-enabled apps
topics/security/permissions.html.
could perform transparent TLS interception after compro-
[3] Application Fundamentals. http://developer.android.com/
mising the root certificate store. guide/components/fundamentals.html.
Finally, Appelbaum et al. identified security vulnerabili- [4] Archie VPN. https://play.google.com/store/apps/details?id=
ties on commercial and public online VPN services [67]. A com.lausny.archievpnfree.go.
survey conducted by Khattack et al. on VPN usage across [5] Cisco AnyConnect.
Pakistani Internet users reported that 57% of the partici- https://play.google.com/store/apps/details?id=
pants used SSL-based VPN software to access YouTube con- com.cisco.anyconnect.vpn.android.avf.
tent [87]. Our paper in turn, presents a method to systemat- [6] CM Data Manager - Speed Test.
ically identify and analyze security and privacy aspects of https://play.google.com/store/apps/details?id=
com.cmcm.flowmonitor.
VPN-enabled apps on Android-based app stores. The impli-
[7] CrossVpn. https://play.google.com/store/apps/details?id=
cations of our analysis span to other areas such as censorship com.goodyes.vpn.cn.
analysis and network measurements that leverage VPN ser- [8] Cyberghost - free vpn & proxy.
vices to penetrate different countries and ISPs. https://play.google.com/store/apps/details?id=
de.mobileconcepts.cyberghost.
[9] Dash Net Accelerated VPN .
https://play.google.com/store/apps/details?id=
8. CONCLUSIONS com.actmobile.dashnet.
Android app developers benefit from native support to im- [10] Dash VPN | Dash Office - Speed Test.
http://dashoffice.com/dash-vpn/.
plement VPN clients via the VPN permission to provide cen-
[11] DNSet.
sorship circumvention, support enterprise customers and en- https://play.google.com/store/apps/details?id=com.dnset.
hanced online security and privacy. However, despite the [12] DroidVPN - Android VPN. https:
fact that Android VPN-enabled apps are being installed by //play.google.com/store/apps/details?id=com.aed.droidvpn.
millions of mobile users worldwide, their operational trans- [13] Dr.Web Security Space. https:
parency and their possible impact on user’s privacy and se- //play.google.com/store/apps/details?id=com.drweb.pro.
curity remains “terra incognita” even for tech-savvy users. [14] EasyOvpn - Plugin for OpenVPN.
In this paper, we presented a number of static and dy- https://play.google.com/store/apps/details?id=
namic methods that allowed us to conduct in-depth analy- com.easyovpn.easyovpn.
sis of VPN-enabled apps on Google Play. We investigate [15] EasyVpn. https://play.google.com/store/apps/details?id=
yujia.easyvpn.
from the presence of tracking services and malware on VPN
[16] F-Secure Freedome Anti-Tracking Feature Explained.
app binaries to artifacts implemented by these apps at the https://community.f-secure.com/t5/F-Secure/F-Secure-
network level. Our comprehensive tests allowed us to iden- Freedome-Anti-Tracking/ta-p/52153.
tify instances of VPN apps embed third-party tracking ser- [17] Fast Secure Payment Service.
vices and implement abusive practices such as JavaScript- https://play.google.com/store/apps/details?id=
injection, ad-redirections and even TLS interception. com.lausny.ocvpnaio.allpay.
The ability of the BIND_VPN_SERVICE permission to [18] FlashVPN Free VPN Proxy.
break Android’s sandboxing and the naive perception that https://play.google.com/store/apps/details?id=
net.flashsoft.flashvpn.activity.
most users have about third-party VPN apps suggest that it
[19] Free VPN Proxy by Betternet.
is urging to re-consider Android’s VPN permission model to https://play.google.com/store/apps/details?id=
increase the control over VPN clients. Our analysis of the com.freevpnintouch.
user reviews and the ratings for VPN apps suggested that the [20] Good. Mobile Device Management (MDM).
vast majority of users remain unaware of such practices even https://www1.good.com/secure-mobility-solution/mobile-
when considering relatively popular apps. device-management.html.
362
[21] Google Play Unofficial Python API. [48] sFly Network Booster, Adblocker. https:
https://github.com/egirault/googleplay-api. //play.google.com/store/apps/details?id=com.cdnren.sfly.
[22] HatVPN. [49] Spamhaus PBL. http://www.spamhaus.org/pbl/.
https://play.google.com/store/apps/details?id=mobi.hatvpn. [50] Spotflux VPN.
[23] HideMyAss! Pro VPN for Android. https://play.google.com/store/apps/details?id=
https://play.google.com/store/apps/details?id= com.spotflux.android.
com.hidemyass.hidemyassprovpn. [51] StrongVPN OpenVPN Client. https:
[24] Hola Free VPN Proxy. //play.google.com/store/apps/details?id=com.strongvpn.
https://play.google.com/store/apps/details?id=org.hola. [52] SuperVPN. https://play.google.com/store/apps/details?id=
[25] Hotspot Shield Advertising. com.SuperVPN_Q0102_21.
http://www.anchorfree.com/advertise.php. [53] SurfEasy Secure Android VPN. https:
[26] Hotspot Shield Free VPN Proxy. //play.google.com/store/apps/details?id=com.surfeasy.
https://play.google.com/store/apps/details?id= [54] tigerVPN - Privacy Defender.
hotspotshield.android.vpn. https://play.google.com/store/apps/details?id=
[27] ip-shield VPN. https: com.tigeratwork.tigervpn.
//play.google.com/store/apps/details?id=com.ipshield.app. [55] Tigervpns Free VPN and Proxy.
[28] Junos Pulse. https://play.google.com/store/apps/details?id= https://play.google.com/store/apps/details?id=
net.juniper.junos.pulse.android&hl=en. com.tigervpns.android.
[29] Knox Standard SDK. [56] TorGuard VPN.
https://seap.samsung.com/sdk/knox-standard-android. https://play.google.com/store/apps/details?id=
[30] Mobile Security & Antivirus. net.torguard.openvpn.client.
https://play.google.com/store/apps/details?id= [57] VirusTotal. https://www.virustotal.com.
com.trendmicro.tmmspersonal. [58] VPN Free. https://play.google.com/store/apps/details?id=
[31] NEOPARD. com.couxin.GroxNetwork.
http://https://play.google.com/store/apps/details?id= [59] VPN Gate. https://play.google.com/store/apps/details?id=
com.exalinks.neopard/. com.lausny.vpngate.
[32] Neopard Privacy Policy. [60] VPN Service Documentation.
http://neopard-mobile.com/en/about/privacy/. http://developer.android.com/reference/android/net/
[33] NeoRouter VPN Mesh. VpnService.html.
https://play.google.com/store/apps/details?id= [61] VPNSecure OpenVPN VPN Proxy.
com.neorouter.androidmesh. https://play.google.com/store/apps/details?id=
[34] NoRoot Firewall. com.vpnsecure.pty.ltd.
https://play.google.com/store/apps/details?id= [62] VPN+TOR+Cloud VPN Globus Pro! https:
app.greyshirts.firewall. //play.google.com/store/apps/details?id=com.globus.vpn.
[35] OkVpn. [63] VyprVPN Free VPN for Privacy.
https://play.google.com/store/apps/details?id=yujia.okvpn. https://play.google.com/store/apps/details?id=
[36] One Click VPN. https: com.goldenfrog.vyprvpn.app.
//play.google.com/store/apps/details?id=com.lausny.ocvpn. [64] WiFi Protector VPN.
[37] Open Gate. https://play.google.com/store/apps/details?id= https://play.google.com/store/apps/details?id=
com.btzsoft.vpnclient. com.wifiprotector.android.
[38] Orbot: Proxy with Tor. [65] M. Allman. Comments on bufferbloat. SIGCOMM CCR,
https://play.google.com/store/apps/details?id= 2013.
org.torproject.android. [66] Android developer documentation. KeyChain.
[39] Packet Capture. https://developer.android.com/reference/android/security/
https://play.google.com/store/apps/details?id= KeyChain.html#createInstallIntent().
app.greyshirts.sslcapture. [67] J. Appelbaum, M. Ray, I. Finder, and K. Koscher. vpwns:
[40] pcap-parser (0.5.8). Virtual Pwned Networks. In USENIX FOCI, 2012.
https://pypi.python.org/pypi/pcap-parser/0.5.8. [68] D. Arp, M. Spreitzenbarth, H. Gascon, and K. Rieck.
[41] Private WiFi. Drebin: Effective and Explainable Detection of Android
https://play.google.com/store/apps/details?id= Malware in Your Pocket. In NDSS, 2014.
com.privatewifi.pwf.hybrid. [69] K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie. PScout:
[42] Qihoo 360. https://play.google.com/store/apps/details?id= Analyzing the Android Permission Specification. In ACM
com.qihoo360.mobilesafe. CCS, 2012.
[43] Raccon APK Downloader. [70] T. Bläsing, L. Batyuk, A.-D. Schmidt, S. A. Camtepe, and
http://www.onyxbits.de/raccoon. S. Albayrak. An Android Application Sandbox System for
[44] Rocket VPN - Internet Freedom. Suspicious Software Detection. In IEEE MALWARE, 2010.
https://play.google.com/store/apps/details?id= [71] A. Bose, X. Hu, K. G. Shin, and T. Park. Behavioral
com.liquidum.rocketvpn. Detection of Malware on Mobile Handsets. In ACM
[45] Samsung KNOX. Partnering with Samsung. MobiSys, 2008.
https://www.samsungknox.com/en/partners. [72] I. Castro, J. C. Cardona, S. Gorinsky, and P. Francois.
[46] Security with HTTPS and SSL. http: Remote Peering: More Peering Without Internet Flattening.
//developer.android.com/training/articles/security-ssl.html. In ACM CoNEXT, 2014.
[47] Selendroid: Selenium for Android. [73] T. Chen, I. Ullah, M. A. Kaafar, and R. Boreli. Information
http://www.selendroid.io.
363
Leakage Through Mobile Analytics Services. In ACM [94] V. Paxson. Bro: a System for Detecting Network Intruders
MobiSys, 2014. in Real-Time. Computer Networks, 1999.
[74] P. H. Chia, Y. Yamamoto, and N. Asokan. Is this App Safe?: [95] V. C. Perta, M. V. Barbera, G. Tyson, H. Haddadi, and
A Large Scale Study on Application Permissions and Risk A. Mei. A Glance through the VPN Looking Glass: IPv6
Signals. In ACM WWW, 2012. Leakage and DNS Hijacking in Commercial VPN Clients.
[75] D. Crawford. PPTP vs L2TP vs OpenVPN vs SSTP vs PETS, 2015.
IKEv2. https://www.bestvpn.com/blog/4147/pptp-vs-l2tp- [96] I. Poese, S. Uhlig, M. A. Kaafar, B. Donnet, and B. Gueye.
vs-openvpn-vs-sstp-vs-ikev2/. IP geolocation databases: Unreliable? ACM SIGCOMM
[76] W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, CCR, 2011.
P. McDaniel, and A. N. Sheth. TaintDroid: An Information [97] A. Razaghpanah, N. Vallina-Rodriguez, S. Sundaresan,
Flow Tracking System for Real-Time Privacy Monitoring C. Kreibich, P. Gill, M. Allman, and V. Paxson. Haystack:
on Smartphones. CACM, 2014. In Situ Mobile Traffic Analysis in User Space. arXiv
[77] S. Fahl, M. Harbach, T. Muders, L. Baumgärtner, preprint arXiv:1510.01419, 2015.
B. Freisleben, and M. Smith. Why Eve and Mallory love [98] C. Reis, S. Gribble, T. Kohno, and N. Weaver. Detecting
Android: An analysis of Android SSL (in) security. In ACM In-Flight Page Changes with Web Tripwires. In NSDI,
CCS, 2012. 2008.
[78] A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. [99] Rescorla, Eric and Modadugu, Nagendra. Datagram
Android Permissions Demystified. In ACM CCS, 2011. Transport Layer Security (RFC4347).
[79] A. Gorla, I. Tavecchia, F. Gross, and A. Zeller. Checking https://tools.ietf.org/html/rfc4347.
App Behavior Against App Descriptions. In ICSE, 2014. [100] F. Roesner, T. Kohno, A. Moshchuk, B. Parno, H. J. Wang,
[80] C. Haschek. Where are free proxies free? and C. Cowan. User-Driven Access Control: Rethinking
https://blog.haschek.at/post/fd9bc. Permission Granting in Modern Operating Systems. In
[81] P. Hornyack, S. Han, J. Jung, S. Schechter, and IEEE S&P, 2012.
D. Wetherall. These Aren’t the Droids You’re Looking for: [101] Samsung KNOX. https://www.samsungknox.com/en.
Retrofitting Android to Protect Data from Imperious [102] A.-D. Schmidt, F. Peters, F. Lamour, C. Scheel, S. A.
Applications. In ACM CCS, 2011. Çamtepe, and Ş. Albayrak. Monitoring Smartphones for
[82] M. Ikram, H. J. Asghar, M. A. Kaafar, B. Krishnamurthy, Anomaly Detection. Mobile Networks and Applications,
and A. Mahanti. Towards Seamless Tracking-Free Web: 2009.
Improved Detection of Trackers via One-class Learning. In [103] S. Seneviratne, H. Kolamunna, and A. Seneviratne. A
PETs, 2017. Measurement Study of Tracking in Paid Mobile
[83] J. Jeon, K. K. Micinski, J. A. Vaughan, A. Fogel, N. Reddy, Applications. In ACM WiSec, 2015.
J. S. Foster, and T. Millstein. Dr. Android and Mr. Hide: [104] A. Shabtai, U. Kanonov, Y. Elovici, C. Glezer, and
Fine-grained Permissions in Android Applications. In ACM Y. Weiss. “Andromaly”: A Behavioral Malware Detection
SPSM, 2012. Framework for Android Devices. JIIS, 2012.
[84] A. Kantchelian, M. C. Tschantz, S. Afroz, B. Miller, [105] S. Shekhar, M. Dietz, and D. S. Wallach. AdSplit:
V. Shankar, R. Bachwani, A. D. Joseph, and J. D. Tygar. Separating Smartphone Advertising from Applications. In
Better Malware Ground Truth: Techniques for Weighting USENIX Sec, 2012.
Anti-Virus Vendor Labels. In AISec, 2015. [106] Y. Song and U. Hengartner. PrivacyGuard: A VPN-based
[85] A. Kharraz, W. Robertson, D. Balzarotti, L. Bilge, and Platform to Detect Information Leakage on Android
E. Kirda. Cutting the Gordian Knot: A Look Under the Devices. In ACM SPSM, 2015.
Hood of Ransomware Attacks. In DIMVA, 2015. [107] N. Vallina-Rodriguez, J. Amann, C. Kreibich, N. Weaver,
[86] S. Khattak, D. Fifield, S. Afroz, M. Javed, S. Sundaresan, and V. Paxson. A Tangled Mass: The Android Root
V. Paxson, S. J. Murdoch, and D. McCoy. Do You See Certificate Stores. In ACM CoNEXT, 2014.
What I See? Differential Treatment of Anonymous Users. [108] N. Vallina-Rodriguez, S. Sundaresan, C. Kreibich, and
In NDSS, 2016. V. Paxson. Header Enrichment or ISP Enrichment?
[87] S. Khattak, M. Javed, S. A. Khayam, Z. A. Uzmi, and Emerging Privacy Threats in Mobile Networks. In ACM
V. Paxson. A Look at the Consequences of Internet HotMiddlebox, 2015.
Censorship Through an ISP Lens. In ACM IMC, 2014. [109] N. Vallina-Rodriguez, S. Sundaresan, C. Kreibich,
[88] H. Kim, J. Smith, and K. G. Shin. Detecting Energy-Greedy N. Weaver, and V. Paxson. Beyond the Radio: Illuminating
Anomalies and Mobile Malware Variants. In ACM the Higher Layers of Mobile Networks. In ACM MobiSys,
MobiSys, 2008. 2015.
[89] C. Kreibich, N. Weaver, B. Nechaev, and V. Paxson. [110] N. Weaver, C. Kreibich, M. Dam, and V. Paxson. Here Be
Netalyzr: Illuminating the Edge Network. In ACM IMC, Web Proxies. In PAM, 2014.
2010. [111] N. Weaver, C. Kreibich, and V. Paxson. Redirecting Dns for
[90] A. Le, J. Varmarken, S. Langhoff, A. Shuba, M. Gjoka, and Ads and Profit, 2011.
A. Markopoulou. AntMonitor: A System for Monitoring [112] L.-K. Yan and H. Yin. DroidScope: Seamlessly
from Mobile Devices. In ACM (C2B(I)D), 2015. Reconstructing the OS and Dalvik Semantic Views for
[91] I. Leontiadis, C. Efstratiou, M. Picone, and C. Mascolo. Dynamic Android Malware Analysis. In USENIX Security,
Don’t Kill my Ads!: Balancing Privacy in an Ad-supported 2012.
Mobile Application Market. In ACM HotMobile, 2012. [113] Y. Zhou and X. Jiang. Dissecting Android Malware:
[92] MaxMind. https://www.maxmind.com. Characterization and Evolution. In IEEE S&P, 2012.
[93] R. Nithyanand, S. Khattak, M. Javed, N. Vallina-Rodriguez, [114] Y. Zhou, X. Zhang, X. Jiang, and V. W. Freeh. Taming
M. Falahrastegar, J. E. Powles, E. De Cristofaro, Information-stealing Smartphone Applications (on
H. Haddadi, and S. J. Murdoch. Ad-blocking and counter Android). In TRUST, 2011.
blocking: A slice of the arms race. FOCI, 2016.
364