nach oben

Erschienen in:

2018 | OriginalPaper | Buchkapitel

Oh-Pwn-VPN! Security Analysis of OpenVPN-Based Android Apps

verfasst von : Qi Zhang, Juanru Li, Yuanyuan Zhang, Hui Wang, Dawu Gu

Erschienen in: Cryptology and Network Security

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Free VPN apps have gained popularity among millions of users due to their convenience, and have been massively used for accessing blocked sites and preventing network eavesdropping. As a popular open-source VPN solution, OpenVPN is widely used by developers to implement their own VPN services. Despite the prevalence of OpenVPN, it can be insecurely customized and deployed by developers in lack of security guide.

In this paper, we perform a systematic security analysis of 84 popular OpenVPN-based apps on the Google Play store. We analyze the deployment security of OpenVPN on Android from the aspects of client profile, code implementation, and permission management. Our experiment reveals three types of misconfigurations that exist in several apps: insecure customized protocols, weak authentication at the client side, and incorrect file permissions on Android. The misconfigurations found by us can lead to some serious attacks, such as VPN traffic decryption and Man-in-the-Middle attacks, endangering millions of users’ privacy. Our work shows that, although OpenVPN protocol itself has withstood security analysis, insecure custom modification and configuration can still compromise the security of VPN apps. We then discuss potential causes of these misconfigurations and make practical recommendations for developers to securely deploy OpenVPN services.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel A Privacy-Preserving Device Tracking System Using a Low-Power Wide-Area Network

Nächstes Kapitel Two Cents for Strong Anonymity: The Anonymous Post-office Protocol

Android keystore system. https://developer.android.com/reference/java/security/KeyStore.html

Android vpn service documentation. https://developer.android.com/reference/android/net/VpnService.html

Bro network security monitor. https://www.bro.org

Detailed vpn comparison chart. https://thatoneprivacysite.net/vpn-comparison-chart/

Google play downloader via command line. https://github.com/matlink/gplaycli

Google-play-scraper. https://github.com/facundoolano/google-play-scraper

The heartbleed bug. http://heartbleed.com/

Ida pro. https://www.hex-rays.com/products/ida/

Nvpn antidpi. http://www.nvpn.net/. Accessed 21 July 2017

10.

Openvpn for android source code. https://github.com/schwabe/ics-openvpn

11.

Openvpn management interface. https://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html

12.

Openvpn manual page. https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

13.

Openvpn mitm protection. https://openvpn.net/index.php/open-source/documentation/howto.html#mitm

14.

Openvpn obfuscation patch. https://github.com/siren1117/openvpn-obfuscation-release/

15.

Openvpn patch from tunnelblick. https://github.com/Tunnelblick/Tunnelblick/tree/master/third_party/sources/openvpn/openvpn-2.4.3/patches

16.

Openvpn security overview. https://openvpn.net/index.php/open-source/documentation/security-overview.html

17.

Openvpn source code. https://github.com/OpenVPN/openvpn

18.

Openvpn traffic obfuscation guide. https://community.openvpn.net/openvpn/wiki/TrafficObfuscation

19.

Xorpatch in openvpn forum. https://forums.openvpn.net/viewtopic.php?f=15&t=12605&hilit=openvpn_xorpatch

20.

Xorpatch source code. https://github.com/clayface/openvpn_xorpatch

21.

Zpn antidpi. https://zpn.im/blog/total-anonymity-connectivity-antidpi. Accessed 21 July 2017

22.

Appelbaum, J., Ray, M., Koscher, K., Finder, I.: vpwns: virtual Pwned networks. In: 2nd USENIX Workshop on Free and Open Communications on the Internet. USENIX Association (2012)

23.

Bhargavan, K., Leurent, G.: On the practical (in-) security of 64-bit block ciphers: collision attacks on HTTP over TLS and OpenVPN. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 456–467. ACM (2016)

24.

Peter, G.: Linux’s answer to MS-PPTP. https://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt

25.

Ikram, M., Vallina-Rodriguez, N., Seneviratne, S., Kaafar, M.A., Paxson, V.: An analysis of the privacy and security risks of android VPN permission-enabled apps. In: Proceedings of the 2016 ACM on Internet Measurement Conference, pp. 349–364. ACM (2016)

26.

Perta, V.C., Barbera, M.V., Tyson, G., Haddadi, H., Mei, A.: A glance through the VPN looking glass: IPv6 leakage and DNS hijacking in commercial VPN clients. Proc. Priv. Enhanc. Technol. 2015(1), 77–91 (2015)CrossRef

27.

Quarkslab: Security assessment of openvpn. https://blog.quarkslab.com/security-assessment-of-openvpn.html. Accessed 21 July 2017

28.

Shao, Y., Ott, J., Jia, Y.J., Qian, Z., Mao, Z.M.: The misuse of android unix domain sockets and security implications. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 80–91. ACM (2016)

29.

White, K.: Most VPN services are terrible. https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa. Accessed 21 July 2017

Titel: Oh-Pwn-VPN! Security Analysis of OpenVPN-Based Android Apps
verfasst von: Qi Zhang
Juanru Li
Yuanyuan Zhang
Hui Wang
Dawu Gu
Verlag: Springer International Publishing
Buch: Cryptology and Network Security
Print ISBN: 978-3-030-02640-0

Electronic ISBN: 978-3-030-02641-7

Copyright-Jahr: 2018
DOI: https://doi.org/10.1007/978-3-030-02641-7_17

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"