MVPNalyzer: An Investigative Framework for Auditing the Security & Privacy of Mobile VPNs

corporations weaponize metadata for mass surveillance and behavioral manipulation with frightening precision [5]- [7] . As a result, users live in constant paranoia, knowing their digital footprints are being harvested, analyzed, and exploited mostly without consent [8], [9] . Over time, Virtual Private Networks (VPNs), now fueling a growing multi-billion dollar industry [10], have found their way into everyday users' toolboxes as a crucial defense against such threats. For millions of users, they represent a simple fix to a complex security and privacy problem-recent statistics demonstrate that 82% VPN users believe that VPNs keep them anonymous [11] . However, this comes at a cost: the VPN app sits in a privileged position, viewing, intercepting, and handling all user traffic. This underscores the need for rigorous evaluation of VPN apps to ensure they uphold users' trust. Previous work has demonstrated that VPNs have caused numerous security and privacy issues [12]- [18] . For instance, studies have demonstrated that some VPN apps turn end-user devices into a residential proxy network and monetize them on residential IP markets [19] , [20] . However, most existing studies either perform limited analysis of a specific weakness (detectability, routing security, etc.) [15]-[17] or focus on desktop platforms [18] , leaving a gap for systematic evaluation of the security and privacy issues of mobile VPN apps. In this work, we develop MVPNalyzer, a systematic framework for analyzing Android VPN apps. MVPNalyzer is designed to be modular and extensible, supporting the periodic addition of new analyses and tests as privacy and security threats evolve over time. At a high level, the framework consists of three main modules-collection, processing, and analysis-and is structured to easily incorporate new streams of data and analysis. Developing such a framework comes with numerous difficulties where performing certain analyses, while trivial on desktop apps, become much more challenging in the mobile ecosystem. For instance, Android provides complex routing table handling as part of their VpnService API, where app traffic can be routed not just based on the destination IP address and firewall marks, but also based on app IDs, making it challenging to trace the VPN apps' behavior [21] .