New Research: 88% of free Android VPNs leak, 71% share data
Hi, it's Simon here from Top10VPN. After several months of hard graft, this week I was able to finally publish a huge piece of research into the security flaws of free Android VPNs.
You can read it here: Free Android VPN Security Flaws: 100 Apps Tested
It was a major undertaking to test the 100 most popular VPNs on the Play Store and had I known quite how much work it would be when I started, I probably wouldn't have tried to investigate so many at once!
It was worth doing though, as in the five or so years since I last did something like this, the popularity of VPNs has gone through the roof.
In late 2018, worldwide downloads of the 100 most popular free Android VPNs sat at around 260 million. Today, almost a tenfold increase later, that number is more than 2.5 billion.
Properly exploring the reasons for that stratospheric increase could fill a whole newsletter on its own.
Suffice it to say that the rise in internet shutdowns around the world has had a big part to play. As has the growing public awareness of what ISPs do with their logs of your browsing activity.
More prosaically, for a lot of people it’s frustration at changes in the streaming landscape that has nudged them towards the VPN section of app stores.
So what did I find?
Before I get into the most shocking stats, I want to share a little bit of what it was like to spend so much time with these VPNs.
Dear reader, it was excruciating.
I have never seen such a shoddy collection of poorly-designed, advertising-riddled, half-assed junk in all my days.
Apps often didn’t work properly and those that did had ads stuffed at every turn, delaying every interaction to force you to watch unskippable videos for gambling sites or questionable crypto schemes.
Want to choose a server? Watch an ad. Connect your VPN? Ad. Want to disconnect and just get on with your life? No! Funnily enough, yet another ad!
Dark patterns were everywhere, trying to trick you into paying for subscriptions that were far more expensive than standard paid VPN fees, or to click on ads rather than close them.
As you can no doubt tell, I’m not a fan. Anyway, I spent several months using these VPNs so hopefully you don’t have to and this is what I found.
One of the biggest issues is that by using a free Android VPN, there’s a very high chance that you will expose your internet activity, as 88% suffer from some kind of data leak.
Most common were DNS leaks (DNS queries sent outside the tunnel, typically to the ISP’s resolver), but almost one in five (17%) experienced multiple leaks at once, i.e. some combination of IP, DNS and WebRTC leaks (a browser’s WebRTC stack revealing the real IP address even while the tunnel is up).
If you want to know more about these leaks and some of the encryption issues I found, watch this short video I made. Be gentle, it’s the first video I’ve made all by myself in well over a decade!
Perhaps the biggest problem with free VPNs though is that without increasingly aggressive advertising, revenue does not keep pace with the rising cost of operating the VPN servers required to keep the app functional.
The consequences of this became apparent when I captured and analyzed their network traffic.
Combing through the server requests made by each VPN app, I found that 71% of them shared my personal data with third parties, including Facebook, Yandex and controversial data brokers like Kochava.
This is typically done via software libraries (SDKs) published by advertisers and marketing firms that developers can drop into their apps. Over 80% of these VPNs contained this kind of third-party code but most concerning were the 15 VPNs that contained Bytedance SDKs.
Any kind of adtech in a privacy product is bad enough but smuggling code into a VPN from a company like Bytedance, which has been accused of spying on its users on multiple occasions, feels like rubbing salt in the wound.
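To make “combing through the server requests” concrete, here is an added example of the kind of check involved. It is my own illustration, not the report’s tooling: it walks a constructed list of captured requests, separates first-party from third-party hosts, and flags any third-party request that carries the test device’s advertising ID or Android ID, in plain or hashed form. The domain-to-owner map, the first-party domain example-vpn.com, the request paths and the identifier values are all assumptions made for the example.

```python
"""Added example: flag device identifiers sent to third parties in captured app traffic.

Everything below (hosts, paths, identifier values, owner mapping) is constructed
for illustration and is not data from the Top10VPN report."""
import hashlib
from urllib.parse import urlsplit

# Assumed mapping of domain suffixes to the third parties named in the text.
THIRD_PARTY_SUFFIXES = {
    "facebook.com": "Facebook",
    "yandex.ru": "Yandex",
    "kochava.com": "Kochava",
}

# Constructed identifiers "read off" the test phone; not real values.
DEVICE_IDS = {
    "advertising_id": "4f1e2d3c-0a9b-4c8d-8e7f-112233445566",
    "android_id": "9774d56d682e549c",
}

# Constructed capture: (method, url, body). Paths are illustrative only.
SAMPLE_REQUESTS = [
    ("POST", "https://graph.facebook.com/v16.0/123456/activities",
     "event=fb_mobile_first_app_launch&advertiser_id=4f1e2d3c-0a9b-4c8d-8e7f-112233445566"),
    ("GET", "https://api.example-vpn.com/v1/servers?country=us", ""),
    ("POST", "https://control.kochava.com/track/json",
     '{"data":{"adid":"4f1e2d3c-0a9b-4c8d-8e7f-112233445566","android_id":"9774d56d682e549c"}}'),
    ("GET", "https://mc.yandex.ru/watch/12345?android_id=9774d56d682e549c", ""),
]


def id_needles(device_ids):
    """Plain and hashed forms of each identifier; some SDKs send a digest rather than the raw value."""
    needles = {}
    for label, value in device_ids.items():
        needles[value.lower()] = label
        for algo in ("md5", "sha1", "sha256"):
            needles[hashlib.new(algo, value.encode()).hexdigest()] = f"{label} ({algo})"
    return needles


def matches_suffix(host, suffix):
    return host == suffix or host.endswith("." + suffix)


def third_party(host):
    """Owner name if the host belongs to a known third party, else None."""
    for suffix, owner in THIRD_PARTY_SUFFIXES.items():
        if matches_suffix(host, suffix):
            return owner
    return None


def scan_requests(requests, first_party_suffix, device_ids=DEVICE_IDS):
    """Return one finding per non-first-party request, listing any identifiers it carried."""
    needles = id_needles(device_ids)
    findings = []
    for method, url, body in requests:
        host = urlsplit(url).hostname or ""
        if matches_suffix(host, first_party_suffix):
            continue  # the app's own backend; not data sharing
        haystack = (url + " " + body).lower()
        leaked = sorted({label for needle, label in needles.items() if needle in haystack})
        findings.append({
            "method": method,
            "host": host,
            "owner": third_party(host) or "unknown third party",
            "identifiers": leaked,
        })
    return findings


def summary(findings):
    """Third parties that received at least one device identifier."""
    return sorted({f["owner"] for f in findings if f["identifiers"]})


if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS, "example-vpn.com"):
        print(f["method"], f["host"], f["owner"], f["identifiers"])
    print("shared identifiers with:", summary(scan_requests(SAMPLE_REQUESTS, "example-vpn.com")))
```

Two things a real run has to add: the capture needs to be decrypted first (the app has to trust your interception CA, which on modern Android usually means patching or instrumenting the app), and any host not on the third-party list still shows up as “unknown third party” so it can be investigated rather than silently passed over.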
As well as leak testing and traffic sniffing, I also got my hands dirty looking through source code.
Over half (53%) of the VPNs I looked at contained at least one function in their own source code, i.e. not in an SDK, that posed a potential risk to user privacy, and requested the Android permission needed to run it.
For some that function was related to location tracking (13%), for others it was tracking your unique advertising identifier (31%) or scanning your device for what other apps were installed (22%).
Hidden in the source code of a third of free VPNs were declarations (the uses-feature entries in the app manifest) that the app used certain hardware features of the device, such as cameras (15%) or location-tracking hardware, including GPS (14%).
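The permission and hardware-feature declarations described above are all in the app’s AndroidManifest.xml, so they can be pulled out automatically before any manual code review. The following is an added example of that first pass (my own code, not the report’s methodology): it parses a constructed manifest and groups its declarations into the categories discussed here. The permission and feature names are real Android identifiers, but which of them to treat as privacy-relevant, and the sample manifest itself, are assumptions made for the example.

```python
"""Added example: flag privacy-relevant declarations in an AndroidManifest.xml.

The sample manifest is constructed for illustration; the choice of which
declarations count as "risky" is an assumption for this example."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping from declarations to the categories discussed in the text.
RISKY_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "location tracking",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location tracking",
    "com.google.android.gms.permission.AD_ID": "advertising identifier",
    "android.permission.QUERY_ALL_PACKAGES": "installed-app scanning",
    "android.permission.CAMERA": "camera",
}
RISKY_FEATURES = {
    "android.hardware.camera": "camera",
    "android.hardware.camera.any": "camera",
    "android.hardware.location": "location hardware",
    "android.hardware.location.gps": "GPS",
}

# Constructed manifest for a hypothetical app; not taken from any real VPN.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-feature android:name="android.hardware.camera" android:required="false"/>
    <uses-feature android:name="android.hardware.location.gps" android:required="false"/>
    <queries>
        <package android:name="com.facebook.katana"/>
    </queries>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(xml_text):
    """Collect risky permissions, risky hardware features and explicitly queried packages."""
    root = ET.fromstring(xml_text)
    findings = {"permissions": {}, "features": {}, "queried_packages": []}
    # uses-permission-sdk-23 is the variant that only applies on API 23+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = attr(elem, "name")
            if name in RISKY_PERMISSIONS:
                findings["permissions"][name] = RISKY_PERMISSIONS[name]
    for elem in root.iter("uses-feature"):
        name = attr(elem, "name")
        if name in RISKY_FEATURES:
            findings["features"][name] = RISKY_FEATURES[name]
    # <queries><package> lists specific apps the app wants to detect; on Android 11+
    # this is the narrower alternative to QUERY_ALL_PACKAGES and is worth noting too.
    for elem in root.iter("queries"):
        for pkg in elem.iter("package"):
            findings["queried_packages"].append(attr(pkg, "name"))
    return findings


def categories(findings):
    """Distinct privacy categories the manifest touches, sorted for stable reporting."""
    cats = set(findings["permissions"].values()) | set(findings["features"].values())
    if findings["queried_packages"]:
        cats.add("installed-app scanning")
    return sorted(cats)


if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    for name, category in {**result["permissions"], **result["features"]}.items():
        print(f"{category:24} {name}")
    print("queried packages:", result["queried_packages"])
    print("categories:", categories(result))
```

Two caveats when using a pass like this. A declaration shows capability, not use, so each hit still needs the code path that exercises it. And because Android’s build tooling merges the manifests of every bundled library into the final APK manifest, a permission in the shipped APK may have been introduced by an SDK rather than the developer’s own code; telling the two apart, as the figures above do, means checking the app module’s own manifest and sources rather than only the merged one.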
So were all the free VPNs I looked at beyond redemption? Fortunately for the many people who need a VPN but aren't in a position to pay for one, there were a handful that I would be happy to use.
These are typically the freemium versions of paid services, such as Proton and Windscribe, as they don’t have to rely on targeted advertising to keep the lights on.
Sure, you may have to compromise in terms of data caps or server selection but it’s infinitely preferable to the grubby world of their competitors.
If you’re a free Android VPN user, I urge you to read the report itself, as there were many more disturbing findings that I just didn’t have space to talk about today.
What We’ve Been Reading
Dark Reading: Attacks Surge on Check Point's Recent VPN Zero-Day Flaw
An internet monitoring firm has detected exploitation attempts targeting the recent Check Point zero-day VPN vulnerability from more than 780 unique IP addresses in the past week. Thousands of devices are thought to be affected by the flaw.
Bleeping Computer: US dismantles 911 S5 botnet used for cyberattacks, arrests admin
US authorities have taken down “the world’s largest botnet” and arrested the man behind it. The botnet was spread through malicious VPNs that bundled proxy backdoors and is thought to have been used to perpetrate billions of dollars of fraud while rented out to cybercriminals.
Android Authority: Google quietly retires Google One branding from its VPN ahead of June shutdown
Ahead of Google One VPN being discontinued later this month, rebranding has already begun. The app’s Play Store listing now reflects the new “Pixel VPN by Google” brand.
404 Media: Google Leak Reveals Thousands of Privacy Incidents
An internal Google database obtained by 404 Media shows the search giant recording kids' voices, saving vehicle license plates from Street View, and thousands of other self-reported incidents.