Group of Software Security In Progress

GoSSIP @ LoCCS, Shanghai Jiao Tong University

An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps

Paper download

Muhammad Ikram, Narseo Vallina-Rodriguez, Vern Paxson (CSIRO, ICSI, UC Berkeley), IMC '16

The paper studies the privacy and security problems of 283 Android VPN apps on Google Play. The potential problems include embedded third-party libraries, insecure VPN tunnels, IPv6 and DNS leaks, and traffic modification.

The cases fall into the following categories:
  • third-party libraries and user tracking
  • malware
  • traffic interception modes
  • protocol problems and information leaks
  • in-path proxies and traffic manipulation
  • TLS man-in-the-middle

Android VPN Permission

  • System permission BIND_VPN_SERVICE, available since Android 4.0
  • Virtual network interface:
    • read: obtain the device's outgoing packets
    • write: inject packets
    • only one app can hold the interface at any given time
  • Custom VPN permission
  • Mobile Device Management


Discovering VPN Apps on Google Play

  • AndroidManifest
  • APK downloader
  • Google Play search:
    • keywords: "vpn", "virtual private network", "security", "censorship", "anonymity", "privacy"
    • "similar apps" and "same developer" listings

Crawl in September 2015 over three weeks: 283 VPN permission-enabled apps found among 1,488,811 apps.
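The manifest check above is the static part of the discovery step: an app is a VPN candidate if it declares a Service that handles android.net.VpnService, and that service should be guarded by android.permission.BIND_VPN_SERVICE so that only the system can bind to it. The following Python is an added example, not code from the paper or from GoSSIP, that triages one apktool-decoded AndroidManifest.xml the way a crawler pass would. The manifest, package name and service names are constructed for illustration; the sensitive-permission set is an assumption drawn from the paper's future-work list (logs, SMS).

```python
import xml.etree.ElementTree as ET

# Android's XML namespace, used for every android:* attribute in a manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# A VPN app exposes a Service that accepts android.net.VpnService intents and
# should guard it with BIND_VPN_SERVICE so only the system can bind to it.
VPN_ACTION = "android.net.VpnService"
VPN_BIND_PERMISSION = "android.permission.BIND_VPN_SERVICE"

# Assumed watch-list of permissions worth a second look in a VPN app.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_LOGS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
}

# Constructed sample manifest (not a real app): one properly guarded VPN
# service, one VPN service missing the permission guard, one unrelated service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.samplevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Sample VPN">
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
    <service android:name=".LegacyTunnelService" android:exported="true">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


def find_vpn_services(manifest_xml):
    """Return the services that handle android.net.VpnService, each with a
    flag saying whether it is guarded by BIND_VPN_SERVICE."""
    root = ET.fromstring(manifest_xml)
    found = []
    for service in root.iter("service"):
        actions = {a.get(NAME) for a in service.iter("action")}
        guard = service.get(PERMISSION)
        if VPN_ACTION in actions or guard == VPN_BIND_PERMISSION:
            found.append({
                "name": service.get(NAME),
                "guarded": guard == VPN_BIND_PERMISSION,
            })
    return found


def declared_permissions(manifest_xml):
    """All <uses-permission> names declared by the app."""
    root = ET.fromstring(manifest_xml)
    return {p.get(NAME) for p in root.iter("uses-permission")}


def classify(manifest_xml):
    """Triage one decoded manifest: is it a VPN app, are its VPN services
    guarded, and which watch-listed permissions does it request."""
    root = ET.fromstring(manifest_xml)
    services = find_vpn_services(manifest_xml)
    perms = declared_permissions(manifest_xml)
    return {
        "package": root.get("package"),
        "is_vpn_app": bool(services),
        "vpn_services": services,
        # An unguarded VpnService can be bound by any app on the device.
        "unguarded_vpn_services": [s["name"] for s in services if not s["guarded"]],
        "sensitive_permissions": sorted(perms & SENSITIVE_PERMISSIONS),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(classify(SAMPLE_MANIFEST), indent=2))
```

Run it against the output of `apktool d app.apk` by reading the decoded AndroidManifest.xml into `classify`. The unguarded-service flag is the part a crawler should keep: a service that accepts android.net.VpnService without the BIND_VPN_SERVICE guard is reachable by any app on the device, not just the system.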


  • Not all premium apps were analyzed, because they require dedicated IT and cloud infrastructure support.
  • At the time of writing (August 2016), 49 of the 283 apps were no longer on Google Play (removed by review, user complaints, or the developers themselves).


Examples of apps that request the VPN permission for purposes other than a traditional VPN tunnel:
  • Qihoo360, Dr.Web Security Space, Trend Micro Mobile Security & Antivirus
  • NoRoot Firewall
  • Fast Secure payment

Static Analysis

  • apktool
  • permissions, tracking libraries, malware analysis, user awareness

Network Measurements

VPN Protocols and Traffic Leaks

Unencrypted tunnels: plain TCP port forwarding and HTTP proxying.

TLS interception

We instrumented our Android device with OpenSSL so that we can capture a copy of the SSL/TLS server certificate when accessing more than 60 popular services operating over SSL including HTTPS, SMTP over TLS, and POP3 over TLS.

  • Certificates are validated with the ICSI Certificate Notary, based on the Mozilla root store.

  • 4 VPN apps actively intercept TLS with self-signed certificates (their stated purposes: packet capture, data saving, acceleration, VPN).
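The check described above can be reproduced on a single app: capture the server certificate presented through the VPN tunnel, then compare it with what the same endpoint presents when reached directly (the paper's notary lookup) and with the root store. The following Python is an added example, not code from the paper or from GoSSIP. It parses the summary printed by `openssl x509 -noout -subject -issuer -fingerprint -sha256` (assuming the OpenSSL 1.1+ "CN = x, O = y" DN syntax) and classifies the observation; the notary table, trusted issuer names, endpoints and all fingerprints are constructed stand-ins for the ICSI Notary and the Mozilla root store.

```python
# Trust anchors: issuer CNs from the root store we validate against. Constructed
# stand-ins for the Mozilla root store the paper used via the ICSI Notary.
TRUSTED_ISSUER_CNS = {"Example Root CA", "Example Intermediate CA G2"}


def _fp(byte_hex):
    """Build a 32-byte colon-separated fingerprint from one repeated byte.
    Constructed test data only; real values are SHA-256 over the DER cert."""
    return ":".join([byte_hex] * 32)


# Constructed notary view: the fingerprint each endpoint presents when reached
# directly, without the VPN (stand-in for an ICSI Certificate Notary lookup).
NOTARY = {
    "mail.example.com:993": _fp("A1"),
    "www.example.com:443": _fp("B2"),
}


def parse_x509_summary(text):
    """Parse `openssl x509 -noout -subject -issuer -fingerprint -sha256` output
    into {'subject': {...}, 'issuer': {...}, 'fingerprint': 'AA:BB:...'}.
    Assumes OpenSSL 1.1+ 'CN = x, O = y' DN syntax with no embedded commas."""
    out = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in ("subject", "issuer"):
            pairs = (p.partition("=") for p in value.split(","))
            out[key] = {k.strip(): v.strip() for k, _, v in pairs}
        elif key.endswith("fingerprint"):
            out["fingerprint"] = value.upper()
    return out


def classify_observation(endpoint, x509_summary_text):
    """Decide whether the certificate seen through the VPN is the one the
    endpoint really serves, or evidence of in-path TLS interception."""
    cert = parse_x509_summary(x509_summary_text)
    subject, issuer = cert["subject"], cert["issuer"]
    if cert.get("fingerprint") == NOTARY.get(endpoint):
        return "ok: matches notary"
    if subject == issuer:
        return "intercepted: self-signed certificate"
    if issuer.get("CN") not in TRUSTED_ISSUER_CNS:
        return "intercepted: issuer not in root store"
    # Trusted issuer but a different fingerprint: either a legitimate rotation
    # since the notary snapshot or a CA-issued interception cert. Investigate.
    return "mismatch: trusted issuer, fingerprint differs from notary"


# Constructed observations, formatted like the openssl x509 summary.
OBSERVED_DIRECT = f"""subject=CN = mail.example.com, O = Example Corp, C = US
issuer=CN = Example Intermediate CA G2, O = Example Trust Services, C = US
SHA256 Fingerprint={_fp('A1')}
"""

OBSERVED_SELF_SIGNED = f"""subject=CN = mail.example.com
issuer=CN = mail.example.com
SHA256 Fingerprint={_fp('C3')}
"""

OBSERVED_PROXY_CA = f"""subject=CN = www.example.com, O = Example Corp, C = US
issuer=CN = VPN Data Saver CA, O = Constructed Proxy Vendor
SHA256 Fingerprint={_fp('D4')}
"""

OBSERVED_ROTATED = f"""subject=CN = www.example.com, O = Example Corp, C = US
issuer=CN = Example Intermediate CA G2, O = Example Trust Services, C = US
SHA256 Fingerprint={_fp('E5')}
"""


if __name__ == "__main__":
    for endpoint, seen in [
        ("mail.example.com:993", OBSERVED_DIRECT),
        ("mail.example.com:993", OBSERVED_SELF_SIGNED),
        ("www.example.com:443", OBSERVED_PROXY_CA),
        ("www.example.com:443", OBSERVED_ROTATED),
    ]:
        print(endpoint, "->", classify_observation(endpoint, seen))
```

The ordering of the checks matters: a fingerprint match with the notary ends the analysis, a self-signed certificate is unambiguous interception, an issuer outside the root store is interception by a proxy CA the device would normally reject (unless the app installed its own root), and only the last case needs a human look.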


  • Packet Capture
  • Neopard: its privacy policy states that it will "perform mobile usage reviews for market studies"
  • DashVPN, DashNet: do not tell users why TLS is intercepted

Limitations & Future Work

  • only free apps from Google Play were studied
  • apps that require root need further static analysis
  • analysis of how sensitive permissions are used (reading logs, SMS)
  • peer forwarding