Free VPN Ownership & Security Investigations Update
This update to our free VPN ownership and security investigations reveals 75% of all the apps featured are still potentially unsafe. We shared this finding with Google and Apple but they failed to act.
UPDATED 9 Jun 2021 to make the report more reader-friendly and consistent with current investigations.
- Apple and Google are allowing numerous extremely popular but potentially unsafe free VPN apps to remain in their app stores
- The companies have ignored formal advice regarding the VPNs that continue to pose a privacy risk after previously being identified in two widely-reported VPN investigations
Free VPN Ownership Update
- Current findings: 77% of VPNs previously identified as potentially unsafe still pose a risk.
- Original findings: Almost 60% of popular free VPN apps were secretly Chinese-owned while nearly 90% had serious privacy flaws.
- Installs: over 210 million total (Google); 3.8 million per month (Apple)
Free VPN Risk Index Update
- Current findings: 74% of VPNs previously identified as potentially unsafe still pose a risk
- Original findings: 85% of 150 Android VPNs tested had unsafe permissions or functions. 25% exposed users via DNS, WebRTC or IP leaks.
- Installs: 518 million installs from Play store – up from 260 million in six months.
Introduction
Demand for free mobile VPN apps is accelerating at breakneck pace, driven by increasingly-frequent internet shutdowns and surveillance around the world.
Incredibly, our research shows that as many free Android and iOS VPNs have been downloaded from official sources since the start of 2019 as had been downloaded in total before that point.
We published two free VPN investigations in late 2018/early 2019 to investigate this growing phenomenon.
Our reports shared highly disturbing discoveries about both the nature of the companies profiting from this surge in VPN demand and the quality of the VPN service they are providing.
Several months after these reports were published, neither Google nor Apple had acknowledged the widely-reported findings.
In the hope of prompting them into action, we emailed the two companies detailed updates on our findings. This advice showed them exactly which VPNs from each investigation in their respective app stores still posed a risk to consumers and formally requested action to reduce that risk.
We advised Apple and Google that:
- 77% of VPNs flagged as potentially unsafe in our Free VPN Ownership report still pose a risk
- 90% of VPNs identified as potentially unsafe in our Free VPN Risk Index still pose a risk
We wanted to make it as easy as possible for Apple and Google to fix the problem, so our written notices included:
- Detailed lists of the potentially unsafe VPN apps
- Links to the relevant parts of our research
- Links to the relevant listings on the app stores
- Recommendations of what steps to take to improve the situation
- An offer to share our VPN expertise to help set appropriate minimum standards
Google and Apple simply ignored our warnings.
This report makes public the current situation with free VPN apps in the App Store and Play.
Our goal is two-fold:
- to help the public avoid risking their privacy
- to put more pressure on Apple and Google to act.
The main body of this report has four chapters as follows:
- VPN Ownership Investigation: summary of updated and original findings.
- VPN Ownership Investigation: current status of individual VPN apps.
- VPN Risk Index: summary of updated and original findings.
- VPN Risk Index: current status of individual VPN apps.
Free VPN Ownership Findings Summary
Our Free VPN Ownership study, published in late 2018, investigated the companies behind the most popular free VPN apps in Apple’s App Store and Google Play.
We examined the 30 VPNs making up the top 20 search results for “VPN” across the two app stores.
We dug deep into the ownership of the companies operating these VPN services, assessed their privacy policies and tested their customer support.
Our key findings made for discomforting reading:
- 59% of these VPNs had hidden Chinese ownership, despite the strict VPN ban in China and that nation’s notoriety for censorship and internet restrictions
- 86% of VPNs had privacy policy flaws, including:
  - no policy at all
  - generic policies with no mention of VPN
  - no detailed logging policy
  - data sharing with third parties
- 64% of VPNs had no dedicated website, making it difficult to find corporate information about the service provider
In our review of those findings, we looked at whether the flagged VPNs were still available to download and whether they had updated their policies or increased their transparency.
The results of that review are:
- 77% of VPNs flagged as potentially unsafe when the study was first published continue to pose a privacy risk and yet remain available for download
- The potentially unsafe VPNs represent 67% of all those originally investigated
- The affected VPNs have continued to increase in popularity since we published our findings
- Google Play downloads of VPNs we flagged as potentially unsafe have soared to 214 million in total, rocketing by 85% in six months
- Monthly installs from the App Store held steady at around 3.8 million. That is a relative increase, because this total was generated by 20% fewer VPNs than at the start of the year, a number of them no longer being available
Why does this matter?
China is inarguably the enemy of internet freedom. Long notorious for maintaining its Great Firewall domestically, it is now exporting its concept of digital sovereignty that is founded on a highly-censored and surveilled internet.[1]
VPN use is now strictly banned in China, so it’s highly unlikely that Chinese-run services are operating without the tacit approval of the Chinese government. And that, in turn, raises the question of “what’s in it for China?”
The answer is simple: potential access to the massive amounts of browsing data flowing through VPN networks.
VPN services give China the potential for access to huge amounts of foreign intelligence.
Just as the harsh glare of suspicion is falling on Huawei’s ties with the Chinese state, similar scrutiny should be applied to VPN services.
It’s unacceptable that Google and Apple are keeping their heads buried in the sand rather than weeding out VPN operators that don’t meet strict standards for integrity.
Free VPN Ownership Update: By App
The following table shows the results of our review of the 30 VPN apps featured in our Free VPN Ownership investigation, ordered by volume of installs.
It shows current installs per platform; whether the VPN app is still available for download; whether the app or developer name has changed since our report; and whether it still poses a potential privacy risk.
Free VPN Risk Index Findings Summary
The Free VPN Risk Index, published in February, tested the 150 most-downloaded free VPN apps in Google Play for privacy and performance issues.
To create the Index, we tested for and analyzed:
- DNS, WebRTC and IP leaks
- Intrusive Android app permissions
- Risky functions in the VPN apps’ source code
- Viruses and malware
- Network performance
- Encryption
Our results cast a significant shadow over the entire free VPN app category in Google Play. Our key findings included:
- 25% of VPNs tested positive for DNS leaks
- 85% requested intrusive permissions OR contained functions with potential for privacy abuses
- 67% requested intrusive permissions, such as location tracking or access to personal info
- 63% featured functions with the potential for privacy abuses not expected from a VPN app
- 18% of VPNs tested positive for potential viruses or malware
- 38% of VPNs displayed at least one “major abnormality” in network tests
In our review of the findings, published for the first time in this report, we looked at whether flagged VPNs still posed a risk.
We re-ran our battery of tests that included network traffic analysis, virus and malware scans, a review of current permissions, and a scan of the code for potentially unsafe functions.
The results of that review were:
- 74% of the 150 VPNs included in the Risk Index, or 111 VPNs in total, continue to pose a risk to consumers due to persistent security flaws
- The natural attrition rate of apps since that time has been 13%, with 20 VPNs no longer available
- The proportion of VPNs still available to download from Google Play that are also potentially unsafe is as high as 85%, i.e. 111 of 130 VPNs
- 54% of the original 150 VPNs continue to feature intrusive permissions, which is 63% of the 130 VPNs still in the Play store
- 53% of the full list continues to feature potentially unsafe functions, which is 61% of those still available to download. Unsafe functions that persist in the apps’ code include:
  - Camera;->open – used to open the device’s camera
  - LocationManager;->getLastKnownLocation – used to track users’ last location
  - TelephonyManager;->getDeviceId – used to get device info like IMEI or phone number
- Potential viruses or malware were detected in 21% of the full list, an increase of three percentage points since February, and in nearly a quarter (24%) of those VPNs still available to download from Play
- One positive development – potentially prompted by our scrutiny of the category – is a significant drop in DNS and other leaks, such as WebRTC and IP leaks:
  - 70% of VPNs flagged as leaky (28 apps) plugged those leaks
  - 7% of the full list of VPN apps currently leak, or 8% of those still available
- 10% of VPNs made positive improvements to make themselves safer for their users, although most didn’t go far enough to lose their red flags completely
- We discovered 10% of VPNs are now even riskier than before due to the introduction of unsafe permissions and functions, or where scans detected new instances of malware or viruses
- The potentially unsafe VPNs in the Risk Index have absolutely skyrocketed in popularity since we first published our findings, more than doubling from 260 million for the entire Risk Index in February to 518 million for the risky apps alone – all in less than six months.
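As an added illustration, not the report's own tooling, of how the persisting unsafe functions listed above can be located in an app's decompiled code: the script below scans smali output (as produced by apktool) for the three method references. The fully-qualified class names come from the Android SDK, since the page gives only the short forms; the sample smali is constructed for this example.

```python
import re

# Smali method references for the three functions the report lists as
# persisting in the apps' code, with the Android SDK class prefixes added.
UNSAFE_FUNCTIONS = {
    "Landroid/hardware/Camera;->open": "opens the device camera",
    "Landroid/location/LocationManager;->getLastKnownLocation": "reads the user's last known location",
    "Landroid/telephony/TelephonyManager;->getDeviceId": "reads device identifiers such as the IMEI",
}

# Matches an invoke-* instruction and captures the referenced method (Lclass;->name).
INVOKE_RE = re.compile(r"^\s*invoke-\w+(?:/range)?\s+\{[^}]*\},\s+(L[\w/$]+;->\w+)\(")

def scan_smali(text):
    """Return a list of (line_no, signature, description) for each unsafe call found."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = INVOKE_RE.match(line)
        if not m:
            continue
        sig = m.group(1)
        if sig in UNSAFE_FUNCTIONS:
            hits.append((line_no, sig, UNSAFE_FUNCTIONS[sig]))
    return hits

def summarize(hits):
    """Distinct unsafe signatures present, sorted, for a per-app red-flag summary."""
    return sorted({sig for _, sig, _ in hits})

# Constructed sample smali; not taken from any real VPN app.
SAMPLE_SMALI = """\
.method private collectInfo()V
    .locals 3
    iget-object v0, p0, Lcom/example/vpn/Svc;->tm:Landroid/telephony/TelephonyManager;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v1
    invoke-static {}, Landroid/hardware/Camera;->open()Landroid/hardware/Camera;
    move-result-object v2
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getNetworkOperator()Ljava/lang/String;
    return-void
.end method
"""

if __name__ == "__main__":
    for line_no, sig, desc in scan_smali(SAMPLE_SMALI):
        print(f"line {line_no}: {sig} ({desc})")
```

Run the scanner over every `.smali` file under the apktool output directory to get the per-app view the report's "unsafe functions" column summarises.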
Why Does This Matter?
The explosion in demand for VPN services is attracting those looking to profiteer from the spreading incursions on internet freedom.
The VPNs themselves are infested with intrusive advertising, while the wealth of browsing data flowing through the VPN networks is a lucrative source of revenue for those willing to sell it on to marketers.
What’s most disturbing is that this profiteering is actually the lesser of the risks our tests have uncovered.
Truly malicious actors could easily abuse their access to this data to commit identity theft and fraud. There’s also the risk posed by the disturbingly high malware detection stat.
Google is simply ignoring significant privacy risks for over half a billion users of free VPN Android apps worldwide.
So what should Google do?
- Acknowledge VPN apps to be more sensitive than other types of app
- Ban the use of intrusive permissions and privacy-unfriendly functions
- Require devs to demonstrate that their apps neither leak nor contain malware
Until this happens however, the free VPN category on Google Play will remain a privacy and security minefield for unsuspecting users, who are often desperate to circumvent repressive censorship measures in their home countries.
Free VPN Risk Index Apps Update
The following table shows the results of our review of the 150 VPNs featured in our Free VPN Risk Index, ordered by volume of installs.
It shows current installs and whether the VPN app: is still available for download; suffers from DNS, WebRTC or IP leaks; features excessive intrusive permissions; contains potentially unsafe functions in its code; returns positive matches for viruses or malware in VirusTotal scans; and whether it still poses a potential privacy risk.
Methodology
Full methodologies for the original research can be viewed on their respective reports: VPN Ownership and Risk Index.
For the VPN Ownership review in this report, we reviewed each app’s store listing and re-assessed the privacy policies to determine their risk status. This information was supplied to Apple and Google.
For the Risk Index review, we re-ran the tests used in the original research. We downloaded the binaries of the apps that were still available and re-ran the VirusTotal scans for analysis. We also installed the apps on an Android device and analyzed network traffic in a controlled test environment using Wireshark to corroborate leak test results. The results were sent to Google.
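As an added example of the kind of traffic-capture corroboration described above (this is my own illustration, not the report's test harness): DNS queries exported from a Wireshark/tshark capture are classified as tunneled or leaked depending on whether they went to a resolver inside the VPN tunnel. The tunnel network and resolver address, and the export lines, are constructed for this example.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed test setup (constructed): the VPN tunnel carries traffic to
# 10.8.0.0/24, where the provider's resolver lives at 10.8.0.1. A DNS query
# sent to any resolver outside that network bypassed the tunnel, i.e. leaked.
TUNNEL_NET = ip_network("10.8.0.0/24")

# Constructed export of DNS queries only (responses excluded), in the shape
# produced by tshark's fields output:
#   tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields \
#          -E separator=, -e frame.number -e ip.dst -e dns.qry.name
SAMPLE_EXPORT = """\
12,10.8.0.1,example.org
15,10.8.0.1,cdn.example.net
31,192.168.1.1,ads.example-tracker.com
47,8.8.8.8,telemetry.example.com
52,10.8.0.1,example.org
"""

def find_dns_leaks(export_text, tunnel_net=TUNNEL_NET):
    """Split queries into (leaked, tunneled) lists of (frame, resolver, qname)."""
    leaked, tunneled = [], []
    for frame, dst, qname in csv.reader(io.StringIO(export_text)):
        record = (int(frame), dst, qname)
        if ip_address(dst) in tunnel_net:
            tunneled.append(record)
        else:
            leaked.append(record)
    return leaked, tunneled

def leak_verdict(export_text, tunnel_net=TUNNEL_NET):
    """The binary outcome the Risk Index records: does the app leak DNS at all?"""
    leaked, _ = find_dns_leaks(export_text, tunnel_net)
    return len(leaked) > 0

if __name__ == "__main__":
    leaked, tunneled = find_dns_leaks(SAMPLE_EXPORT)
    print(f"{len(tunneled)} queries inside the tunnel, {len(leaked)} leaked")
    for frame, dst, qname in leaked:
        print(f"  frame {frame}: {qname} sent to {dst} outside the tunnel")
```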
The results of these recent tests can be viewed in this Risk Index update data source.
The authors of all our investigations abide by the journalists’ code of conduct.
References
[1] https://supchina.com/2019/07/02/chinas-digital-imperialism-shaping-the-global-internet/