VPN and network extension compliance — platform APIs only, no tunnel data collection

ab-000456 · app-store-policy-compliance.regulated-industries.vpn-compliance

Severity: lowactive

Why it matters

Apple guideline 5.4 and Google Play's VPN Service policy require that VPN apps use platform NetworkExtension/VpnService APIs exclusively, with no private API usage — and prohibit collecting user network traffic payloads for any purpose. A VPN that logs DNS queries or packet data to an analytics server violates GDPR Article 5 (data minimization) and CWE-311 (Missing Encryption of Sensitive Data) simultaneously. The business risk is heightened: Apple requires advance entitlement approval for Network Extension, so an app submitted without that approval will be rejected before reviewers even open it.

Severity rationale

Low because VPN apps in compliance are straightforward to approve, and the required entitlements are obtainable through the standard developer portal — the severity reflects that violations are uncommon when the developer is following platform documentation.

Remediation

Verify that all VPN functionality is implemented exclusively via NEVPNManager or NETunnelProviderManager (iOS) or VpnService (Android). Check ios/[AppName]/[AppName].entitlements for the required key:

<!-- ios/MyApp/MyApp.entitlements -->
<key>com.apple.developer.networking.vpn.api</key>
<array>
  <string>allow-vpn</string>
</array>

Remove any code that reads or transmits packet payload data — connection metadata (byte counts, duration, timestamps) is permitted; packet.data contents are not. Apply for the Network Extensions entitlement through the Apple Developer portal before submission. Update the privacy policy to explicitly describe what network data the VPN collects and does not collect — reviewers check this.

Detection

ID: vpn-compliance
Severity: low
What to look for: Count all relevant instances and enumerate each. If VPN or network extension signals are detected, examine: (1) Platform API usage — Is the VPN implemented using the platform's native NetworkExtension framework (iOS NEVPNManager, NETunnelProviderManager) or Android's VPN service (VpnService)? Or does it use a third-party library that bypasses platform APIs? Apple requires VPN apps to use the NetworkExtension framework. (2) Traffic data collection prohibition — Trace the VPN tunnel implementation. Does the app log, analyze, or transmit user network traffic payloads to any server? Look for: packet.data, tunnel.readPackets, DNS query logging sent to a remote server, network request URL logging beyond connection metadata. Apple and Google both prohibit VPNs that collect user traffic for advertising, profiling, or analytics. (3) Entitlements — Check ios/[AppName]/[AppName].entitlements for com.apple.developer.networking.vpn.api or com.apple.developer.networking.network-extension. These entitlements must be declared and Apple must approve the app for VPN functionality — it cannot be enabled silently. (4) Ad injection prohibition — Does the VPN inject advertisements into HTTP traffic? Search for any ad network SDK references combined with packet modification logic. (5) Privacy policy disclosure — Does the app have a privacy policy that accurately discloses what the VPN collects? Look for a privacyPolicyUrl in app.json and examine what the policy says about network traffic.
Pass criteria: VPN uses platform NetworkExtension/VpnService APIs. At least 1 implementation must be verified. No user traffic payload logging or transmission beyond connection metadata. Required entitlements are declared. Privacy policy accurately discloses network data handling. No ad injection into traffic.
Fail criteria: VPN bypasses platform APIs; VPN logs or transmits user traffic payloads to a server; ad injection detected; required entitlements not declared; privacy policy does not mention network traffic handling.
Skip (N/A) when: No VPN or network extension features detected — no NetworkExtension imports, no VpnService references, no VPN library in package.json, no entitlement files with VPN keys.
Detail on fail: "VPN implementation in ios/Extensions/PacketTunnel.swift sends packet.data to analytics endpoint — user traffic payload is being transmitted to a remote server" or "App uses NetworkExtension framework without the required entitlement in [AppName].entitlements"
Remediation: VPN apps are subject to Apple's enhanced review (guideline 5.4) and Google Play's VPN service policy.
1. Ensure the VPN is implemented solely with NEVPNManager/NETunnelProviderManager (iOS) or VpnService (Android) — no private APIs
2. Remove any code that reads, logs, or transmits packet payload data beyond connection metadata (timestamps, byte counts, connection duration)
3. Declare all required NetworkExtension entitlements in the .entitlements file
4. Apply for Apple's Network Extensions entitlement through the developer portal if you have not already done so
Review the configuration in src/ or app/ directory for implementation patterns.
Cross-reference: For related patterns and deeper analysis, see the corresponding checks in other AuditBuffet audits covering this domain.

External references

external · apple-guideline-5.4 — App Store Review Guidelines 5.4 — VPN Apps
external · google-play-vpn-service — Google Play VPN Service Policy
gdpr · Art. 5 — GDPR Art. 5 — Data minimisation principle (no traffic payload collection)
cwe · CWE-311 — Missing Encryption of Sensitive Data

Taxons

regulatory-conformance privacy-consent

History

2026-04-18·v1.0.0·Initial import from app-store-policy-compliance·automated

Why it matters

Remediation

<!-- ios/MyApp/MyApp.entitlements -->
<key>com.apple.developer.networking.vpn.api</key>
<array>
  <string>allow-vpn</string>
</array>

Detection

ID: vpn-compliance
Severity: low
What to look for: Count all relevant instances and enumerate each. If VPN or network extension signals are detected, examine: (1) Platform API usage — Is the VPN implemented using the platform's native NetworkExtension framework (iOS NEVPNManager, NETunnelProviderManager) or Android's VPN service (VpnService)? Or does it use a third-party library that bypasses platform APIs? Apple requires VPN apps to use the NetworkExtension framework. (2) Traffic data collection prohibition — Trace the VPN tunnel implementation. Does the app log, analyze, or transmit user network traffic payloads to any server? Look for: packet.data, tunnel.readPackets, DNS query logging sent to a remote server, network request URL logging beyond connection metadata. Apple and Google both prohibit VPNs that collect user traffic for advertising, profiling, or analytics. (3) Entitlements — Check ios/[AppName]/[AppName].entitlements for com.apple.developer.networking.vpn.api or com.apple.developer.networking.network-extension. These entitlements must be declared and Apple must approve the app for VPN functionality — it cannot be enabled silently. (4) Ad injection prohibition — Does the VPN inject advertisements into HTTP traffic? Search for any ad network SDK references combined with packet modification logic. (5) Privacy policy disclosure — Does the app have a privacy policy that accurately discloses what the VPN collects? Look for a privacyPolicyUrl in app.json and examine what the policy says about network traffic.
Pass criteria: VPN uses platform NetworkExtension/VpnService APIs. At least 1 implementation must be verified. No user traffic payload logging or transmission beyond connection metadata. Required entitlements are declared. Privacy policy accurately discloses network data handling. No ad injection into traffic.
Fail criteria: VPN bypasses platform APIs; VPN logs or transmits user traffic payloads to a server; ad injection detected; required entitlements not declared; privacy policy does not mention network traffic handling.
Skip (N/A) when: No VPN or network extension features detected — no NetworkExtension imports, no VpnService references, no VPN library in package.json, no entitlement files with VPN keys.
Detail on fail: "VPN implementation in ios/Extensions/PacketTunnel.swift sends packet.data to analytics endpoint — user traffic payload is being transmitted to a remote server" or "App uses NetworkExtension framework without the required entitlement in [AppName].entitlements"
Remediation: VPN apps are subject to Apple's enhanced review (guideline 5.4) and Google Play's VPN service policy.
1. Ensure the VPN is implemented solely with NEVPNManager/NETunnelProviderManager (iOS) or VpnService (Android) — no private APIs
2. Remove any code that reads, logs, or transmits packet payload data beyond connection metadata (timestamps, byte counts, connection duration)
3. Declare all required NetworkExtension entitlements in the .entitlements file
4. Apply for Apple's Network Extensions entitlement through the developer portal if you have not already done so
Review the configuration in src/ or app/ directory for implementation patterns.
Cross-reference: For related patterns and deeper analysis, see the corresponding checks in other AuditBuffet audits covering this domain.