Free VPN iOS Apps Data Sharing Investigation

Apple is failing to enforce its strict new third-party data-sharing rules for VPN apps with as many as 80% of the most popular free VPN apps appearing to be in breach of the guidelines.
By Simon Migliano

UPDATE (11 July 2019 16:30 GMT) Updated with responses from AnchorFree Inc and the developer of VPN Proxy Master and TurboVPN. We will update further if any other devs respond.

  • June 3: Apple introduced total prohibition of 3rd-party data sharing for VPN apps
  • 80% of top 20 free VPN apps in the App Store appear to be in breach of rules as of today
  • 6 million monthly downloads for non-compliant apps and all are still available

The guideline changes follow revelations that almost 60% of the most popular free VPNs are secretly Chinese-owned, often with serious privacy flaws.

Introduction

On June 3, Apple updated its App Store Review Guidelines, the set of detailed rules all iOS developers must follow to ensure their apps are approved for inclusion in Apple’s App Store.

As part of this update, and for the first time, VPN apps have been singled out as a special category with stricter requirements around third-party data sharing. The new Guideline 5.4 is very clear:

Apps offering VPN services may not sell, use, or disclose to third parties any data for any purpose, and must commit to this in their privacy policy.

The guideline goes on to state that apps failing to comply with the requirements face removal from the App Store and expulsion from the Apple Developer Program.

To determine whether Apple was actually enforcing these new guidelines and raising what had previously been a very low standard, we identified the top 20 free VPN apps by current monthly downloads and reviewed their privacy policies.

We found 16 (80%) of the reviewed apps to have privacy policies with elements appearing to be non-compliant with Guideline 5.4.

We also assessed a further app as non-compliant. This was due to a lack of substantive detail in its extremely thin privacy policy, which undermined the reasonable reliability of its claims to never share any user data with any third party.

Practices appearing to flout Apple’s new rules largely fell into the following categories:

  1. Location data sharing to facilitate geo-targeted ads
  2. “Non-personally identifiable visitor information” sharing for “marketing, advertising, or other uses”
  3. Interests-based advertising by third-party ad partners
  4. Collection of IP addresses by 3rd parties for “marketing attribution purposes”

We notified non-compliant VPN providers prior to publishing our findings. At the time of publication, two developers had reacted by rushing out updates to their privacy policies. However, we remain unconvinced that these changes were made in good faith or that business practices have genuinely changed as a result. We have linked to screenshots of all privacy policies as they were prior to publication.

The changes do not affect the headline findings of this study.

This study of free VPN apps builds on our recent Free VPN Ownership Investigation, which found that nearly 60% of the most popular free VPNs were secretly Chinese-owned, often with serious privacy flaws.

As a result of that investigation we called on Apple to improve its policies in order to raise the standard of VPN apps.

Unfortunately, aside from announcing this new guideline, Apple continues to refuse to acknowledge our findings. The problems we identified in our report persist, putting at risk the privacy of anyone using these apps.

There are a small number of free VPN apps that are safe to use. However, we recommend consumers avoid the problems inherent in the ad-supported business model for privacy and anti-censorship tools and use a reputable paid VPN service instead.

Top 20 Apps: Summary Table

| App Name | Developer | Downloads (Monthly) | 3rd-party Data Sharing |
|---|---|---|---|
| VPN Proxy Master | ALL Connected Co., Ltd | 800K | Non-compliant |
| Hotspot Shield | AnchorFree, Inc. | 800K | Non-compliant |
| VPN – Super Unlimited Proxy | Mobile Jump | 800K | Non-compliant |
| Betternet | AnchorFree, Inc. | 700K | Non-compliant |
| TurboVPN | ALL Connected Co., Ltd | 600K | Non-compliant |
| X-VPN | Free Connected Ltd | 500K | Non-compliant |
| VPN 360 | TouchVPN | 400K | Non-compliant |
| VPN Proxy Vault | Appsverse Inc. | 400K | Compliant |
| Secured VPN Pro | Contrast Media Inc | 300K | Non-compliant |
| VPN 24 | 24apps GmbH | 300K | Non-compliant |
| Free VPN | FreeVPN.org | 200K | Non-compliant |
| SkyVPN | Sentry Secure Communication | 100K | Compliant |
| Psiphon | Psiphon, Inc. | 100K | Non-compliant |
| TunnelBear | TunnelBear, LLC | 100K | Compliant |
| #VPN | Apalon Apps | 80K | Non-compliant |
| VPN – Unlimited Best VPN Proxy | Mobile Jump | 80K | Non-compliant |
| VPN for iPhone | Brain Craft Ltd | 70K | Non-compliant |
| TouchVPN | AnchorFree, Inc. | 70K | Non-compliant |
| HOTSPOT VPN | HotSpot VPN Ltd | 70K | Non-compliant |
| Hexatech | AnchorFree, Inc. | 70K | Non-compliant |

Detailed Findings

VPN Proxy Master & Turbo VPN

App Details

Developer: ALL Connected Co., Ltd

VPN Proxy Master:

Turbo VPN:

Privacy Policy:

Both apps use the same privacy policy at the same URL

Verdict: Non-compliant

The privacy policy may state “we won’t share the advertisers any your personal information or any usage information without your prior consent”, but it nevertheless identifies a long list of data-sharing practices, the most relevant of which are as follows:

How we share information… Aggregate Information. Where legally permissible, we may use and share information about users with our partners in aggregated or de-identified form that can’t reasonably be used to identify you.

Third-Party Partners. We also share information about users with third-party partners in order to receive additional publicly available information about you.

Guideline 5.4 is very clear that no data sharing is permissible, which renders this policy non-compliant.

More broadly, this is a privacy policy that has been much improved since our previous investigation with a lot more detail, although question marks over Chinese ownership and international data transfers remain.

Note: ALL Connected immediately published an updated privacy policy on June 11, the day after we contacted them regarding our findings. However the clauses noted above remain in place.

[Update 13 June] We received a polite email from the developer’s lawyers that was at pains to emphasise that, as they do not collect any sensitive data in the first place, they are unable to share anything.

They also stated that they “never share any information about users with third-party beyond the Privacy Policies, APPLE Guidelines, US laws related to personal data protection or GDPR.”

They went on to say, “For the avoidance to doubt, the statement cited in your email has been deleted from the latest Privacy Policies.”

To clarify, what has been removed is the clause above beginning “Third-Party Partners”. The other clause remains in place.

While the data being shared may well not be personally identifiable, Apple’s guidelines clearly state that VPN apps may not share any data whatsoever, so these apps appear to remain non-compliant.


Hotspot Shield Free, Betternet, TouchVPN, Hexatech

App Details

Developer: AnchorFree, Inc.

Hotspot Shield:

Betternet:

TouchVPN:

Hexatech:

Privacy Policy:

The privacy policies for Hotspot Shield, Betternet and TouchVPN are hosted individually but are substantively the same. Hexatech directs users to the Betternet policy and does not have its own individual policy.

Hotspot Shield

Betternet

TouchVPN

Hexatech

Verdict: Non-compliant

The following clause that appears in all these privacy policies, with the relevant name of the app referenced, is clearly in breach of Guideline 5.4.

We may share your general (city level) location. Additionally, advertisers may be able to collect certain information independently from you or your device when serving ads from the Hotspot Shield application, including your device’s advertising ID, IMEI, MAC address, and wireless carrier.

Arguably the additional clause below might avoid being in non-compliance as third parties collect the data directly rather than it being provided to them. We would argue it’s certainly against the spirit of the guidelines and not privacy-friendly.

Our service providers may collect IP addresses for marketing attribution purposes.

Overall, AnchorFree products do have comprehensively transparent privacy policies. This makes it possible at least to make an informed decision about the privacy trade-off required for access to a high-quality free service even if that service is more aggressively monetized than we are generally comfortable with.

UPDATE: AnchorFree responded and rather than provide any explanation of the targeted advertising in their apps, instead stated that we were “misinterpreting Apple guidelines” and that Apple didn’t really mean the ban literally. This was a very disappointing response compared to previous efforts to be transparent.


VPN – Super Unlimited Proxy & VPN – Unlimited Best VPN Proxy

App Details

Developer: Mobile Jump

VPN – Super Unlimited Proxy:

VPN – Unlimited Best VPN Proxy:

Privacy Policy:

The same privacy policy applies to both apps and users are directed to the same URL.

Verdict: Non-compliant

The following clause appears to breach Guideline 5.4’s prohibition on sharing any data at all with third parties:

We may share your data with other MobileJump’s affiliate companies in or outside Europe. We may also share your data with third parties, to help manage our business and deliver services.

Overall, Mobile Jump has improved its privacy policy since our previous investigation by making it much more comprehensive – which is positive.

However, there remain a number of privacy issues and question marks regarding this policy in addition to its compliance or otherwise with the new Apple guidelines. There are also unanswered questions about the company being based in mainland China despite the strict VPN ban in that country.

Mobile Jump neither responded to our communication of our findings nor updated their policies.


X-VPN

App Details

Developer: Free Connected Ltd

Privacy Policy:

https://xvpn.io/?n=best.free.xvpn.PrivacyPolicyPage

Verdict: Compliant

The X-VPN privacy policy does not contain any elements that would cause compliance issues with Apple’s new guidelines. Nor are there any broader privacy policy issues with this VPN.

Note, however, that potential red flags remain due to the Chinese ownership of the company (registered in Hong Kong but with owners based in mainland China) and its lack of corporate transparency.


VPN 360 – Unlimited VPN Proxy

App Details

Developer: TouchVPN

Privacy Policy:

Verdict: Non-compliant

The following privacy policy clause appears to violate Guideline 5.4, as while it may not relate to data that can be traced back to individuals, it is nevertheless user data:

However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.

We would also highlight the following:

We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include trusted third parties who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential.

Given that the policy is hosted on a free WordPress domain and has not been updated since 2017 despite the app’s enduring popularity, we do not feel the VPN provider has done enough to earn the degree of trust required to take this policy at face value.

This harsh assessment is compounded by the fact the developer has quietly changed its name on the App Store from Infinity Software Co., Limited to TouchVPN.

Of course, it may be coincidence that this new name featured in a prominent position on its App Store listing is the same as that of a more established and trusted product.

However, we don’t find it reassuring that there’s no explanation of how “TouchVPN” relates to the existing brand, references to which remain on the page in several instances: for copyright, a support email address domain and in the domains of the terms of service and a second privacy policy buried in the small print of the store listing.

This second policy has the same text as the main policy linked to from the App Store listing but this time is hosted on a customer support platform domain (Zendesk) and was created more recently, as it was last updated at the end of 2018.

TouchVPN / Infinity Software neither responded to our communication of our findings nor updated their policies.


VPN Proxy Vault – Unlimited VPN

App Details

Developer: Appsverse Inc.

Privacy Policy:

https://vpn.appsverse.com/privacy.html

Verdict: Compliant

The VPN Proxy Vault privacy policy does not contain any elements that would cause compliance issues with Apple’s new guidelines. Nor are there any broader privacy policy issues with this VPN.


Secured VPN Pro

App Details

Developer: Contrast Media Inc

Privacy Policy:

Verdict: Non-compliant

This privacy policy is in clear violation of the guidelines as it shares location data with advertisers (although not current specific location) and upsells to a paid version of the product on the basis of withholding that data.

When you visit the mobile application, we may use GPS technology (or other similar technology) to determine your current location in order to determine the city you are located within and display a location map with relevant advertisements. If you are subscribed to the use of the Premium package, then no single piece of information will be shared with advertisers.

There are further apparent breaches as specified in the following:

We may disclose User provided and Automatically Collected Information: …. With our trusted services providers who work on our behalf, do not have an independent use of the information we disclose to them, and have agreed to adhere to the rules set forth in this privacy statement.

Aside from the above issues of non-compliance, this policy – which is hosted on a public Google Doc – raises a number of privacy red flags. It not only logs user browsing data, which is severely anti-privacy, but also has an unreasonably long data retention policy. This is an app to absolutely avoid and it should not be available for download in our view.

Contrast Media Inc neither responded to our communication of our findings nor updated their policies.


VPN 24: Hotspot VPN for iPhone

App Details

Developer: 24apps GmbH

Privacy Policy:

Verdict: Non-compliant

There are two aspects of this policy in conflict with Guideline 5.4:

The first appears clear cut in that it explicitly states that user data is shared with third parties involved in “marketing [and] advertising” and other companies that share the developer’s parent company.

… the main sharing of users’ information is with service providers and partners who assist us in operating the services, with other IAC Group companies …

With our service providers and partners. We use third parties to help us operate and improve our services. These third parties assist us with various tasks, including data hosting and maintenance, analytics, marketing, advertising and security operations. We follow a strict vetting process prior to engaging any service provider or working with any partner.

With other IAC Group companies …

The second potentially infringing area relates to personalized ads. It is possible that this does not breach the guidelines on a technicality, i.e. by virtue of the fact that the third parties collect the user data directly from within the app itself via embedded ad tech, but it certainly contradicts the spirit of the new rules.

It should be noted, though, that this is a very comprehensive and transparent policy, which is commendable as it allows potential users to make a more informed choice about their privacy.

24apps GmbH neither responded to our communication of our findings nor updated their policies.


Free VPN by FreeVPN.org

App Details

Developer: FreeVPN.org

Privacy Policy:

Verdict: Non-compliant

FreeVPN.org may state that they don’t “sell trade, or otherwise transfer to outside parties your personally identifiable information” but the following practices relating to advertising would appear to fall foul of the new rules.

Our apps may include third-party advertising networks. These networks determine independently how to use your information, so review their linked privacy policies to learn more.

However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.

The policy overall is sorely lacking in detail about VPN-specific privacy matters, such as any sort of logging or data retention policies and should not be considered acceptable for a VPN app.

FreeVPN.org neither responded to our communication of our findings nor updated their policies.


SkyVPN

App Details

Developer: Sentry Secure Communication

Privacy Policy:

http://www.skyvpn.us/privacy.html

Verdict: Compliant

The SkyVPN privacy policy does not contain any elements that would cause compliance issues with Apple’s new guidelines.

There are outstanding questions to answer, however, from our earlier investigation due to the highly opaque nature of this VPN provider that we revealed to be secretly owned by Tengzhan Hongkong Limited (騰展香港有限公司). This is a company registered in Hong Kong whose sole shareholder is based on the Chinese mainland, where VPNs are strictly banned.


Psiphon

App Details

Developer: Psiphon, Inc.

Privacy Policy:

Verdict: Non-compliant

While Psiphon should be commended for its professionalism and transparency, Guideline 5.4 does not make allowances based on the granularity of data shared with third parties.

The following is therefore in apparent breach of the rules:

When sharing with third parties, Psiphon only ever provides coarse, aggregate domain-bytes statistics. We never share per-session information or any other possibly-identifying information.

This sharing is typically done with services or organizations we collaborate with — as we did with DW a few years ago. These statistics help us and them answer questions like, “how many bytes were transferred through Psiphon for DW.com to all users in Iran in April?”

Again, we specifically do not give detailed or potentially user-identifying information to partners or any other third parties.

While part of our prior investigation, there are no significant red flags outstanding for Psiphon.

Psiphon, Inc. neither responded to our communication of our findings nor updated their policies.


TunnelBear VPN & WiFi Proxy

App Details

Developer: TunnelBear, LLC

Privacy Policy:

https://www.tunnelbear.com/privacy-policy

Verdict: Compliant

The TunnelBear privacy policy does not contain any elements that would cause compliance issues with Apple’s new guidelines. There are no broader issues with this service’s policies or corporate transparency that we have found.


#VPN

App Details

Developer: Apalon Apps

Privacy Policy:

Verdict: Non-compliant

#VPN appears to contravene Guideline 5.4 through its sharing of location data with third parties for advertising.

When we collect your precise geolocation data (subject to your consent) (which may be via the device’s cellular, Wi-Fi, Global Positioning System (GPS) networks and/or Bluetooth information), we do so to provide you with our location-related products and services, for example to provide you with forecast and weather alerts for your location, and also to facilitate, measure, or otherwise support advertising by third parties (through our apps or third parties’ apps) that may be related to your location over time.

Overall, our previous view of the #VPN privacy policy, that it is well-intentioned but flawed, still stands.

Apalon Apps neither responded to our communication of our findings nor updated their policies.


VPN for iPhone

App Details

Developer: Brain Craft Ltd

Privacy Policy:

Verdict: Non-compliant

Brain Craft rushed through an updated privacy policy the day after we contacted them to notify them of our findings.

Compare the original policy with the updated version and the difference is so stark that it’s hard to take seriously the developer’s claims that they had already changed the policy before we contacted them. The updated date on the new policy being one day later than the date of our email also suggests otherwise.

The original policy was barely 250 words and lacked any substantive detail to back up its claims of not sharing data. For this reason we deemed it non-compliant despite there being no admission of data-sharing, simply due to a lack of any explanation of how their business practices enabled them to make such a claim.

The new policy may be a big improvement on what it has replaced and as such, does now appear compliant with Guideline 5.4.

However the policy is still much shorter than best practice examples and continues to make data privacy claims that need better substantiation before we could recommend this app in good conscience.


HOTSPOT VPN: Unlimited HotSpot

App Details

Developer: HotSpot VPN Ltd

Privacy Policy:

Verdict: Non-compliant

The privacy policy for the confusingly-named HOTSPOT VPN (which has nothing to do with Hotspot Shield or AnchorFree) features the following very broad data-sharing clause that contravenes Guideline 5.4:

Hotspot VPN may disclose automatically collected and other aggregate non-Personal Information with interested third parties to assist such parties in understanding the usage, viewing, and demographic patterns for certain programs, content, services, advertisements, promotions, and/or functionality on the Service.

The developer grants itself significant leeway not just in terms of with whom it can share user data but also for what purpose. The terms “usage” and “viewing” really stand out as providing scope for logging browser activity, which is highly concerning and a clear infringement of the new rules.

This developer is another that has quietly changed its name since we exposed it as having mainland Chinese-ownership despite being registered in Hong Kong along with a shockingly poor privacy policy. Formerly known as HiMobi Tech Ltd, this name has since disappeared from the App Store listing.

The privacy policy continues to have very grave issues that should exclude it from the App Store, such as exposing users’ real IP addresses.

“As described in our Terms, however, we may not provide a virtual IP Address for every web site you may visit and third-party web sites may receive your original IP address when you are visiting those web sites.”

HOTSPOT VPN Ltd neither responded to our communication of our findings nor updated their policies.

Methodology

We identified the top 20 free VPN apps in the US locale of the Apple App Store by volume of monthly downloads, using the most recent available month’s data in Sensortower. We reviewed the privacy policy currently linked from each app’s App Store listing, identifying all elements that contradicted guideline 5.4 (VPN Apps) in Apple’s App Store Review Guidelines. We notified all VPN providers assessed as “non-compliant” of that finding.


About Us

Top10VPN.com is a leading VPN review website. We recommend the best VPN services to help protect consumers’ privacy online. We also aim to educate the general public about digital privacy and cybersecurity risks through our free online resources and research.

For more information on security and privacy issues, take a look at our newest Global Mobile VPN Report as well as our other original research pieces: the Free VPN Risk Index (Android), Free VPN Ownership Investigation and the UK ISP Website Block Investigation.