The Free VPN Risk Index (Android Apps), published in February, tested the 150 most-downloaded free VPN apps in Google Play for privacy and performance issues.
To create the Index, we tested for and analyzed:
- DNS, WebRTC and IP leaks
- Intrusive Android app permissions
- Risky functions in the apps’ source code
- Viruses and malware
- Network performance
- Encryption
Our results cast a significant shadow over the entire free VPN app category in Google Play. Our key findings included:
- 25% of apps tested positive for DNS leaks
- 85% requested intrusive permissions OR contained functions with potential for privacy abuses
- 67% requested intrusive permissions, such as location tracking or access to personal info
- 63% featured functions with the potential for privacy abuses not expected from a VPN app
- 18% of apps tested positive for potential viruses or malware
- 38% of apps displayed at least one “major abnormality” in network tests
In our review of the findings, published for the first time in this report, we looked at whether flagged apps still posed a risk.
We re-ran our battery of tests that included network traffic analysis, virus and malware scans, a review of current permissions, and a scan of the code for potentially unsafe functions.
The results of that review were:
- 74% of the 150 apps included in the Risk Index, or 111 apps in total, continue to pose a risk to consumers due to persistent security flaws
- The natural attrition rate of apps since that time has been 13% with 20 apps no longer available
- The proportion of apps still available to download from Google Play that are also potentially unsafe is as high as 85%, i.e. 111 of 130 apps
- 54% of the original 150 apps continue to feature intrusive permissions, which is 63% of the 130 apps still in the Play store
- 53% of the full list continues to feature potentially unsafe functions, which is 61% of those still available to download. Unsafe functions that persist in the apps’ code include:
  - Camera;->open – used to open the device’s camera
  - LocationManager;->getLastKnownLocation – used to track users’ last location
  - TelephonyManager;->getDeviceId – used to get device info like IMEI or phone number
- Potential viruses or malware were detected in 21% of the full list, actually an increase of three percentage points since February and nearly a quarter (24%) of those still available to download from Play
- One positive development – potentially prompted by our scrutiny of the category – is a significant drop in DNS and other leaks, such as WebRTC and IP leaks:
  - 70% of apps flagged as leaky (28 apps) plugged those leaks
  - 7% of the full 150 apps currently leak, or 8% of those still available
- 10% of apps made positive improvements to make themselves safer for their users, although most didn’t go far enough to lose their red flags completely
- We discovered 10% of apps are now even riskier than before due to the introduction of unsafe permissions and functions, or where scans detected new instances of malware or viruses
- The potentially unsafe apps in the Risk Index have absolutely skyrocketed in popularity since we first published our findings, more than doubling from 260 million for the entire Risk Index in February to 518 million for the risky apps alone – all in less than six months.
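As an added example, not the Index's own tooling (the page does not publish it), the script below shows how a defender can reproduce the kind of static check described above over an app's decompiled output: it reads the permissions an APK's AndroidManifest.xml requests and scans smali method invocations for the three API calls named in the findings. The intrusive-permission list, the fully qualified class names (android.hardware.Camera, android.location.LocationManager, android.telephony.TelephonyManager), and the sample manifest and smali are assumptions constructed for this example.

```python
"""Static audit of a decompiled Android VPN app (e.g. apktool output).

Added example: flags permissions and API calls a VPN client has no obvious
need for. Lists and sample inputs below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Smali method references named in the findings, with why each is unexpected
# in a VPN app. Class names are assumed from the Android SDK package layout.
RISKY_FUNCTIONS = {
    "Landroid/hardware/Camera;->open": "opens the device camera",
    "Landroid/location/LocationManager;->getLastKnownLocation": "reads last known location",
    "Landroid/telephony/TelephonyManager;->getDeviceId": "reads IMEI / device identifiers",
}

# Permissions a VPN client does not need (assumed list for this example).
INTRUSIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location tracking",
    "android.permission.READ_PHONE_STATE": "phone number / IMEI access",
    "android.permission.READ_CONTACTS": "access to personal contacts",
    "android.permission.CAMERA": "camera access",
    "android.permission.RECORD_AUDIO": "microphone access",
}

# Permissions a VPN app legitimately needs; anything else is reported for review.
EXPECTED_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
}

MANIFEST_PERMISSION_RE = re.compile(r'<uses-permission[^>]*android:name="([^"]+)"')
# Matches e.g.  invoke-virtual {v0, v1}, Landroid/location/LocationManager;->getLastKnownLocation(...)
SMALI_INVOKE_RE = re.compile(r'invoke-\w+(?:/range)?\s+\{[^}]*\},\s+(L[\w/$]+;->\w+)')


@dataclass
class AuditReport:
    intrusive_permissions: dict = field(default_factory=dict)  # permission -> reason
    other_permissions: list = field(default_factory=list)      # neither expected nor intrusive
    risky_calls: dict = field(default_factory=dict)            # method ref -> ["file:line", ...]

    @property
    def flagged(self) -> bool:
        return bool(self.intrusive_permissions or self.risky_calls)


def audit(manifest_xml: str, smali_sources: dict) -> AuditReport:
    """manifest_xml: AndroidManifest.xml text; smali_sources: {path: smali text}."""
    report = AuditReport()
    for perm in MANIFEST_PERMISSION_RE.findall(manifest_xml):
        if perm in INTRUSIVE_PERMISSIONS:
            report.intrusive_permissions[perm] = INTRUSIVE_PERMISSIONS[perm]
        elif perm not in EXPECTED_PERMISSIONS:
            report.other_permissions.append(perm)
    for path, text in smali_sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = SMALI_INVOKE_RE.search(line)
            if m and m.group(1) in RISKY_FUNCTIONS:
                report.risky_calls.setdefault(m.group(1), []).append(f"{path}:{lineno}")
    return report


# Constructed sample input: a manifest and two smali files as apktool would emit them.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

SAMPLE_SMALI = {
    "com/example/freevpn/Tracker.smali": """\
.method public collect()V
    .locals 3
    invoke-virtual {p0}, Lcom/example/freevpn/Tracker;->locationManager()Landroid/location/LocationManager;
    move-result-object v0
    const-string v1, "gps"
    invoke-virtual {v0, v1}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
    invoke-virtual {p0}, Lcom/example/freevpn/Tracker;->telephonyManager()Landroid/telephony/TelephonyManager;
    move-result-object v2
    invoke-virtual {v2}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-static {}, Landroid/hardware/Camera;->open()Landroid/hardware/Camera;
    return-void
.end method
""",
    "com/example/freevpn/VpnCore.smali": """\
.method public connect()V
    .locals 0
    invoke-virtual {p0}, Landroid/net/VpnService;->onCreate()V
    return-void
.end method
""",
}

if __name__ == "__main__":
    r = audit(SAMPLE_MANIFEST, SAMPLE_SMALI)
    for perm, why in r.intrusive_permissions.items():
        print(f"INTRUSIVE PERMISSION {perm}: {why}")
    for ref, where in r.risky_calls.items():
        print(f"RISKY CALL {ref} ({RISKY_FUNCTIONS[ref]}) at {', '.join(where)}")
    print("review also:", r.other_permissions, "| flagged:", r.flagged)
```

Running the script against the constructed sample reports the two intrusive permissions and all three risky calls with their file and line, and lists VIBRATE as a permission to review by hand. The same check can be pointed at the `AndroidManifest.xml` and `smali/` tree that apktool extracts from a real APK; a regex scan is a first pass only, since reflection or native code can hide the same calls.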
Why Does This Matter?
The explosion in demand for VPN services is attracting those looking to profiteer from the spreading incursions on internet freedom.
The apps themselves are infested with intrusive advertising while the wealth of browsing data flowing through the VPN networks is a lucrative source of revenue for those willing to sell it onto marketers.
What’s most disturbing is that this profiteering is actually the lesser of the risks our tests have uncovered.
Truly malicious actors could easily abuse their access to this data to commit identity theft and fraud. There’s also the risk posed by the disturbingly high malware detection stat.
Google is simply ignoring significant privacy risks for over half a billion users of free VPN Android apps worldwide.
So what should Google do?
- Acknowledge that VPN apps are more sensitive than other types of app
- Ban the use of intrusive permissions and privacy-unfriendly functions
- Require devs to demonstrate that their apps neither leak nor contain malware
Until this happens, however, the free VPN category on Google Play will remain a privacy and security minefield for unsuspecting users, who are often desperate to circumvent repressive censorship measures in their home countries.