Leaky Blinders: Information Leakage in Mobile VPNs

07 Sep 2023 - Katharina Kohls

“A VPN tunnels traffic through a TCP or UDP connection between the user’s system and a remote network, which allows access to services and devices in the remote network. Optional encryption through IPSec, TLS, or Wireguard provides an additional level of confidentiality.” What does this mean? Instead of directly connecting to the desired service, all traffic goes through the network of the VPN service. Additional encryption protects the content of the connection, and requests reach the destination through the VPN instead of coming directly from the user. This is convenient for accessing services within a network (for example in a company or a university), or for borrowing the whereabouts of the VPN service (instead of using your own).

Now why are we interested in VPNs for mobile traffic? And why is this relevant for the security of the connection? Because most often a VPN is designed to run on a computer but not on a phone. A computer isn’t optimized for mobility, it doesn’t have to prioritize battery usage so strictly. A mobile phone on the other side puts constant effort into preventing battery drain. This is only possible when prioritizing how many resources an application is assigned. Limiting resources means less computational power to perform additional encryption and constant tunneling of traffic, just like a VPN app would do. And because of these limitations (and other characteristics) in mobile phones we have to assume that there is a slight chance that some packets in a mobile VPN leak. Now comes the security part: Leakage is always a problem! Traffic that is supposed to be tunneled and encrypted must not be transmitted outside the tunnel. Especially when users rely on the added security of the VPN.

We investigate this assumption and look at Android VPN apps in different usage scenarios. The bad news is: “Our results indicate that in all combinations of devices, apps, and scenarios, a certain amount of traffic remains unprotected by the tunnel. In some cases, the combination of influencing factors leads to thousands of leaked packets.” However, it does make a difference which app you rely on: “Less reliable VPN apps lead to more downlink traffic, which indicates that incoming traffic is less likely to be protected by the tunnel.”

What can we conclude from these findings? You cannot fully rely on a mobile VPN app, there will be some amount of leakage in any situation. There are more reliable solutions that limit this leakage and, consequently, reduce the information that is shared unintentionally. We can also conclude that we have to learn a lot more about the technical environment of a mobile phone, or about the expectations of users when opting for the additional protection of a VPN app.

Source: [Link to orignal PDF]