Free VPN Investigations Update (August 2019)

Our Free VPN Ownership study, published late last year, investigated the companies behind the most popular free VPN apps in Apple’s App Store and Google Play.

We examined the 30 apps making up the top 20 search results for “VPN” across the two app stores.

We dug deep into the ownership of the companies operating these services, assessed their privacy policies and tested their customer support.

Our key findings made for discomforting reading:

• 59% of apps had hidden Chinese ownership, despite the strict VPN ban in China and that nation’s notoriety for censorship and internet restrictions
• 86% of apps had privacy policy flaws, including
  • no policy at all
  • generic policies with no mention of VPN
  • no detailed logging policy
  • data sharing with third parties
• 64% of apps had no dedicated website, making it difficult to find corporate information about the service provider

In our review of those findings, we looked at whether flagged apps are still available to download and whether they had updated their policies or increased their transparency.

The results of that review are:

• 77% of apps flagged as potentially unsafe when the study was first published continue to pose a privacy risk and yet remain available for download
• The potentially unsafe apps represent 67% of all those originally investigated
• The affected apps have continued to increase in popularity since we published our findings
  • Google Play downloads of apps we flagged as potentially unsafe have soared to 214 million in total, rocketing by 85% in six months
  • Monthly installs from the App Store held steady at around 3.8 million, which represents a relative increase as this total was generated by 20% fewer apps than at the start of the year as a number of apps are no longer available

Why does this matter?

China is inarguably the enemy of internet freedom. Long notorious for maintaining its Great Firewall domestically, it is now exporting its concept of digital sovereignty that is founded on a highly-censored and surveilled internet.

VPN use is now strictly banned in China, so it’s highly unlikely that Chinese-run services are operating without the tacit approval of the Chinese government. And that, in turn, begs the question of “what’s in it for China?”

The answer is simple: potential access to the massive amounts of browsing data flowing through VPN networks.

VPN services give China access to huge amounts of foreign intelligence

Just as the harsh glare of suspicion is falling on Huawei’s ties with the Chinese state, similar scrutiny should be applied to VPN services.

It’s unacceptable that Google and Apple are keeping their heads buried in the sand rather than weeding out any VPN operators that don’t meet strict standards for integrity.

The Free VPN Risk Index (Android Apps), published in February, tested the 150 most-downloaded free VPN apps in Google Play for privacy and performance issues.

To create the Index, we tested for and analyzed:

• DNS, WebRTC and IP leaks
• Intrusive Android app permissions
• Risky functions in the apps’ source code
• Viruses and malware
• Network performance
• Encryption

Our results cast a significant shadow over the entire free VPN app category in Google Play. Our key findings included:

• 25% of apps tested positive for DNS leaks
• 85% requested intrusive permissions OR contained functions with potential for privacy abuses
  • 67% requested intrusive permissions, such as location tracking or access to personal info
  • 63% featured functions with the potential for privacy abuses not expected from a VPN app
• 18% of apps tested positive for potential viruses or malware
• 38% of apps displayed at least one “major abnormality” in network tests

In our review of the findings, published for the first time in this report, we looked at whether flagged apps still posed a risk.

We re-ran our battery of tests that included network traffic analysis, virus and malware scans, a review of current permissions, and a scan of the code for potentially unsafe functions.

The results of that review were:

• 74% of the 150 apps included in the Risk Index, or 111 apps in total, continue to pose a risk to consumers due to persistent security flaws
• The natural attrition rate of apps since that time has been 13% with 20 apps no longer available
• The proportion of apps still available to download from Google Play that are also potentially unsafe is as high as 85%, ie 111 of 130 apps
• 54% of the original 150 apps continue to feature intrusive permissions, which is 63% of the 130 apps still in the Play store
• 53% of the full list continues to feature potentially unsafe functions, which is 61% of those still available to download. Unsafe functions that persist in the apps’ code include:
  • Camera;->open – used to open the device’s camera
  • LocationManager;->getLastKnownLocation – used to track users’ last location
  • TelephonyManager;->getDeviceId – used to get device info like IMEI or phone number
• Potential viruses or malware were detected in 21% of the full list, actually an increase of three percentage points since February and nearly a quarter (24%) of those still available to download from Play
• One positive development – potentially prompted by our scrutiny of the category – is a significant drop in DNS and other leaks, such as WebRTC and IP leaks.
  • 70% of apps flagged as leaky (28 apps) plugged those leaks
  • 7% of the full 150 apps currently leak, or 8% of those still available.
• 10% of apps made positive improvements to make themselves safer for their users, although most didn’t go far enough to lose their red flags completely
• We discovered 10% of apps are now even riskier than before due to the introduction of unsafe permissions and functions, or where scans detected new instances of malware or viruses
• The potentially unsafe apps in the Risk Index have absolutely skyrocketed in popularity since we first published our findings, more than doubling from 260 million for the entire Risk Index in February to 518 million for the risky apps alone – all in less than six months.

Why Does This Matter?

The explosion in demand for VPN services is attracting those looking to profiteer from the spreading incursions on internet freedom.

The apps themselves are infested with intrusive advertising while the wealth of browsing data flowing through the VPN networks is a lucrative source of revenue for those willing to sell it onto marketers.

What’s most disturbing is that this profiteering is actually the lesser of the risks our tests have uncovered.

Truly malicious actors could easily abuse their access to this data to commit identity theft and fraud. There’s also the risk posed by the disturbingly high malware detection stat.

Google is simply ignoring significant privacy risks for over a half billion users of free VPN Android apps worldwide

So what should Google do?

1. Acknowledge VPN apps to be more sensitive than other types of app
2. Ban the use of intrusive permissions and privacy-unfriendly functions
3. Require devs to demonstrate that their apps neither leak nor contain malware

Until this happens however, the free VPN category on Google Play will remain a privacy and security minefield for unsuspecting users, who are often desperate to circumvent repressive censorship measures in their home countries.

Full methodologies for the original research can be viewed on their respective reports: VPN Ownership and Risk Index.

For the VPN Ownership review, we reviewed each app’s store listing and re-assessed the privacy policies to determine their risk status. This information was supplied to Apple and Google.

For the Risk Index review, we re-ran the tests used in the original research. We downloaded the binaries of the apps that were still available and re-ran the VirusTotal scans for analysis. We also installed the apps on an Android device and analysed network traffic in a controlled test environment using Wireshark to corroborate leak test results. The results were sent to Google.

The results of these recent tests can be viewed in this Risk Index update data source, which is also available as a PDF download.