LANShield: Analysing and Protecting Local Network Access on Mobile Devices

Authors: Angelos Beitis (DistriNet, KU Leuven), Jeroen Robben (DistriNet, KU Leuven), Alexander Matern (Technical University of Darmstadt), Zhen Lei (Taiyuan University of Technology), Yijia Li (Taiyuan University of Technology), Nian Xue (Shandong University of Technology), Yongle Chen (Taiyuan University of Technology), Vik Vanderlinden (DistriNet, KU Leuven), Mathy Vanhoef (DistriNet, KU Leuven)

Volume: 2025
Issue: 4
Pages: 5–23
DOI: https://doi.org/10.56553/popets-2025-0116

Abstract: Home and workplace networks typically safeguard against external threats but allow internal devices to communicate freely with each other. As a result, malicious code on an internal device can collect sensitive data about other devices or directly attack them.

In this paper, we study mobile apps as potential sources of local network attacks, analyse their behaviour, design new defences, and evaluate and bypass existing mitigations. We first focus on Android, where apps with only the Internet permission can access all devices in the Local Area Network (LAN), meaning malicious apps can extract private LAN data, manipulate discovery protocols to obtain a Machine-in-the-Middle (MitM) position, and directly attack devices. To defend against such mobile-based attacks, we define an access model to securely differentiate between LAN and global Internet access. We implement this model on Android by creating LANShield: an app that refines Android's permission model, and can monitor and block LAN access of apps using a virtual network interface. We use LANShield to manually perform tests of 399 Android apps and find, among other observations, that 89 apps unexpectedly access the LAN, and 93 apps scan the network. In contrast to Android, iOS already separates the local and global Internet, but does so based on a proprietary LAN access model. We compare this access model to ours, and present multiple bypasses for an app to circumvent Apple's local network permission. Finally, we reported all our findings to affected vendors, and hope our work will motivate the adoption of stronger permission models on mobile devices.

Keywords: LANShield, mobile app permissions, app firewall, LAN security

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.