Over 2.5 billion free Android VPN users at risk of data leaks

Data Breach
Image Credit: Shutterstock (Image credit: Shutterstock)

Almost 90% of free VPN services in the Play Store leak your data, over two-thirds share your sensitive information with third parties, and more than half include at least one potential privacy risk on their code. 

These are the shocking findings revealed by a new Top10VPN study. Head of Research, Simon Migliano, spent over two months analyzing the top 100 most popular free Android VPN apps. He tested encryption protocols, VPN tunnel stability, app permissions, third-party tracking, and the most common types of data leaks, among other things. 

The best VPN services can spoof a person's IP address and encrypt internet connections to conceal online activities. These results are then extremely worrying considering the tested VPN apps count for 2.5 billion worldwide installs between them—allegedly failing to the promises of boosting their users' online privacy. 

A worsening market

"The free VPN market is flooded with poor quality apps whose only justification for their existence is to generate advertising revenue for their developers," Migliano told me. "This was the case when I first started investigating free Android VPNs six years ago and it’s only gotten worse since."

For starters, reliable encryption—which is supposed to be at the core of virtual private network software—is especially lacking among the most downloaded freebies, according to Migiano's tests. He found several failures, ranging from total exposure of internet activity to leaking details of websites visited.

Contrary to secure VPN providers, these apps are also reported to use weak and outdated encryption protocols. For instance, four providers still use the 30-year-old SSLv2 to establish a VPN tunnel instead of the stronger IKEv2/IPsec. While at least 35 encrypt traffic with a 128-bit rather than the industry standard 256-bit encryption.

On data leak protection, the free providers analyzed were especially bad. "I was most surprised at how many VPNs leaked," said Migiano. "Almost 90% leaked your data in some way. That’s completely unacceptable."

These data leakages included original IP address details, DNS requests, and WebRTC. SuperVPN was one of the apps affected. The provider already made headlines a year ago for breaching over 360 million user data records online.

Chart showing the number of free VPN Android apps that request permissions with the highest risk to privacy.

(Image credit: Top10VPN)

Besides an unreliable and insecure infrastructure, these free services also facilitate user-tracking and data-sharing, putting their users' privacy further at risk.

As the graph above shows, many of these apps request invasive user permissions that clash with what a VPN should do—protect your data. Specifically, 69 out of 100 apps request at least one of these high-risk permissions. These include location tracking (20), access to sensitive data (9), devices scanning for installed apps (46), use of camera (10), and ad tracking (82).

The latter, especially, does not just defeat the object of using a VPN—to prevent online tracking—but also negatively affects the overall experience.

"The user experience of these apps is absolutely shocking. The amount of ads borders on offensive with long, unskippable video ads before the app allows you to even connect to a VPN server," Migliano told me. "The apps are full of dark patterns around signing up for over-priced paid subscriptions and tricking you into clicking ads instead of closing them. The VPN connections themselves are slow and very unreliable."

The most worrying finding here is that over half of providers (54) allow these types of invasive tracking right from their proprietary code. This means that VPN developers willingly decided to do so.

According to the research, BeePass, Urban VPN, Leaf VPN and Hide My IP were the only apps with no detected privacy-risking code at all. 

You can see the full list of VPNs tested and the security risk uncovered on this spreadsheet here

How to avoid unsecure VPNs

This thorough analysis follows a long series of incidents that show the risks of using an unsecured VPN service to protect online data. This is especially troubling as internet shutdowns are on the rise and, subsequently, people are in dire need of security and circumvention tools on a very limited budget.

That's why Migliano recommended signing up for freemium VPN apps. As he explained, these providers don't need to rely on advertising to keep the service going. 

"There’s often a trade-off with data caps or limited servers, but that’s a better compromise from a privacy perspective than using an ad-supported service that harvests your data and potentially exposes your internet activity," he added.

At TechRadar, our experts review VPN apps regularly, so I suggest checking our updated free VPN ranking. Our #1 at the time of writing, PrivadoVPN, offers 10 GB of data at full speed every month, followed by unlimited usage via a single 1 Mbps location. Our #2 choice, Proton VPN Free, has no cap on data, but offers fewer locations. 

There are also some premium VPNs offering free subscriptions for journalists, activists, NGOs, and other people at high risk of surveillance and censorship, including Proton VPN, Surfshark, and IPVanish. I suggest reaching out to these companies if you feel you're at risk. 

I also suggest making the most of VPN free trials. While Surfshark offers a seven-day free trial for Android users, other providers operate on a 30-day money-back guarantee policy. This means you'll need to invest the subscription money to be able to try out the product.

Disclaimer

We test and review VPN services in the context of legal recreational uses. For example:

1. Accessing a service from another country (subject to the terms and conditions of that service).

2. Protecting your online security and strengthening your online privacy when abroad.

We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.

Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com