SeWG: Security-Enhanced WireGuard for Android Based on TEE

TrustCom(2020)

Abstract
WireGuard, a novel VPN proposed in 2017, has been widely accepted in the industry, since it is simpler, leaner and more efficient than traditional VPNs. However, WireGuard ignores the risk of keys being stolen and abused on both desktop and mobile platforms. These vulnerabilities might be used by attackers to sneak, without permission, into the protected network through the VPN tunnel provided by WireGuard. The problem is especially pronounced on mobile platforms, since they are mostly online all day and the attack scenarios are more complicated and changeable. In this paper, we propose an enhanced Android version of WireGuard, called SeWG, based on a TEE (Trusted Execution Environment). We use TEE technology to achieve secure key storage, preventing misuse of the private key. We also design corresponding dynamic authentication mechanisms for user mode and kernel mode respectively, to prevent malware from sneaking into the secure tunnel. Finally, we implement the SeWG scheme on QSEE, the TEE platform developed by Qualcomm. Our experimental results demonstrate that SeWG works well with high efficiency.
Keywords
VPN, WireGuard, Key protection, Authorization, Mobile security, Trusted execution environment