Wayne Wang (University of Michigan), Aaron Ortwein (University of Michigan), Enrique Sobrados (University of New Mexico), Robert Stanley (University of Michigan), Piyush Kumar Sharma (University of Michigan, IIT Delhi), Afsah Anwar (University of New Mexico), Roya Ensafi (University of Michigan)

Mobile users increasingly rely on Virtual Private Networks (VPNs) to protect themselves from tracking, surveillance, and censorship. VPN apps operate from a privileged position by requiring interception of user traffic. While this safeguards end user traffic from malicious network intermediaries (e.g. surveilling ISPs), it leads to a critical "transfer of trust" from such network intermediaries to VPN providers. Yet, despite the sensitivity of this role, VPN apps, especially on mobile platforms, remain insufficiently audited.

In this work, we present MVPNalyzer, an extensible framework for systematically analyzing Android VPN apps. Designed to handle the unique challenges of the Android VPN ecosystem, MVPNalyzer enables detailed investigation of VPN applications’ behavior across the network layers. We apply our framework to 281 popular VPN apps from the Google Play Store and uncover fundamental and critical issues: 61 apps transmit unencrypted data, with 5 sending sensitive VPN configuration files in cleartext, allowing an attacker to hijack the VPN tunnel connection; 29 apps leak user traffic (including DNS) outside the tunnel; 169 apps fail to obfuscate the traffic to avoid trivial blocking; 76 apps transmit Advertising ID, the device-unique ID widely used for device and user tracking; and 107 apps fail to implement the best security practices in their VPN configuration files. Collectively, these apps have hundreds of millions of installs, highlighting the scale of users being impacted. Our findings reveal a troubling pattern of developer negligence, highlighting how poor enforcement, transparency, and maintenance practices continue to undermine even fundamental security guarantees.

View More Papers

Pruning the Tree: Rethinking RPKI Architecture from the Ground...

Haya Schulmann (Goethe-Universität Frankfurt and ATHENE German Research Center for Applied Cybersecurity), Niklas Vogel (Goethe-Universität Frankfurt and ATHENE German Research Center for Applied Cybersecurity)

Read More

On the Security Risks of Memory Adaptation and Augmentation...

Hocheol Nam (KAIST), Daehyun Lim (KAIST), Huancheng Zhou (Texas A&M University), Guofei Gu (Texas A&M University), Min Suk Kang (KAIST)

Read More

Chasing Shadows: Pitfalls in LLM Security Research

Jonathan Evertz (CISPA Helmholtz Center for Information Security), Niklas Risse (Max Planck Institute for Security and Privacy), Nicolai Neuer (Karlsruhe Institute of Technology), Andreas Müller (Ruhr University Bochum), Philipp Normann (TU Wien), Gaetano Sapia (Max Planck Institute for Security and Privacy), Srishti Gupta (Sapienza University of Rome), David Pape (CISPA Helmholtz Center for Information Security),…

Read More