Internet Shutdowns & Free VPNs: Are The Most Popular Apps Safe?

Demand for VPN services surges whenever governments disrupt access to social media and other critical online services. This report tracks the VPNs that rise to popularity during these incidents and tests them for privacy and security issues.
Simon Migliano

Key Findings

Myanmar VPNs

  • Tested: 10 most popular VPN apps in Myanmar since the military coup resulted in rolling internet disruptions
  • IP address exposure: 8 apps share or log a user’s true IP address
  • Leaks: 3 apps expose users’ browsing activity via DNS and/or IP leaks
  • Ad tracking: 7 apps share your unique Google Advertiser ID with third parties
  • Device information: 4 apps share detailed information about users’ devices. A further 3 apps share basic device info.

Nigeria VPNs

  • Tested: 5 most popular VPN apps in Nigeria since the government banned Twitter
  • IP address exposure: 4 apps share or log a user’s true IP address
  • Ad tracking: 4 apps share your unique Google Advertiser ID with third parties
  • Device information: 2 apps share detailed information about users’ devices. A further 2 apps share basic device info.

VPN Demand During Internet Shutdowns

Whenever governments around the world restrict access to social media and other online sources of information, demand for VPN services typically skyrockets as those affected scramble to circumvent the shutdown.

Internet shutdowns have cost the world over $15BN since 2018 alone and continue to be popular with regimes looking to restrict the flow of information.

A VPN, or Virtual Private Network, is a simple anti-censorship software tool. It encrypts users’ traffic and masks their IP address, hiding their identity and activity from internet censors.

Intentional internet shutdowns disproportionately affect the global south, and although many VPN services are inexpensive, the resulting increase in demand naturally tends to be focused on free VPN Android apps.

Our research has previously highlighted the dangers of free VPNs, and by monitoring these apps we hope to ensure that those in need can access vital information without compromising their privacy, security, or even physical safety.

After identifying the most downloaded VPN Android apps during a particular incident, we run the following tests:

  1. Traffic analysis to determine what personal data is being logged or shared by the apps
  2. Leak testing to identify whether apps expose users’ activity via DNS or IP leaks
  3. Code analysis to determine whether any high-risk permissions have associated functionality that could impact user privacy

The results are compiled below by country. The number of VPNs tested varies according to the severity and extent of the internet shutdown.

What VPN Privacy Issues Did We Find?

We found the following types of user data being shared to third-party servers:

  • Real IP address: can be used to track down and identify individuals based on their internet activity. Sharing it with third parties is especially problematic during censorship events.
  • Google Advertising ID: this unique ID is often shared by free VPN apps with advertisers in order to track VPN users’ online activity to better target ads. As with sharing IP addresses, this takes on heightened privacy risk during internet shutdowns.
  • Device information: Details ranging from operator, make and model to current battery level and storage space remaining are shared with third parties, such as advertisers and monetizing services.

We also found DNS and IP leaks, which pose a huge risk to the safety of VPN users during a shutdown. These fundamental failings expose users’ online activity, leaving them open to persecution from the authorities imposing the restrictions.
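The leak check described above can be expressed as a rule over packets seen on the physical interface while the VPN is connected: anything not addressed to the tunnel endpoint has escaped the tunnel. The following is an added example, not the authors' tooling; the addresses, domain and packet records are constructed, and the records are assumed to be pre-filtered to routed traffic (no LAN broadcast or DHCP).

```python
import struct

VPN_SERVER = "198.51.100.9"  # constructed tunnel endpoint (documentation range)

def build_query(name, txid=0x1234):
    """Build a minimal plaintext DNS A query, used here to make sample packets."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def dns_query_name(payload):
    """Return the first question name of a plaintext DNS query, else None."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount == 0:       # a response, or no question section
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return ".".join(labels)
        if length > 63 or pos + 1 + length > len(payload):  # pointer or truncated
            return None
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None

def find_leaks(packets, vpn_server=VPN_SERVER):
    """Classify packets that left the device outside the tunnel."""
    leaks = []
    for pkt in packets:
        if pkt["dst"] == vpn_server:
            continue                          # encrypted tunnel traffic, expected
        if pkt["dport"] == 53:                # cleartext DNS: the hostname is exposed
            leaks.append(("dns", pkt["dst"], dns_query_name(pkt["payload"])))
        else:                                 # direct connection: the real IP is exposed
            leaks.append(("ip", pkt["dst"], None))
    return leaks

# Constructed capture from the physical interface with the VPN connected.
PACKETS = [
    {"dst": VPN_SERVER, "dport": 443, "payload": b"\x00" * 32},
    {"dst": "192.0.2.53", "dport": 53, "payload": build_query("blocked-site.example")},
    {"dst": "203.0.113.80", "dport": 443, "payload": b"\x16\x03\x01"},
]

if __name__ == "__main__":
    for kind, dst, name in find_leaks(PACKETS):
        print(kind, dst, name or "")
```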

During our code analysis we most frequently found combinations of the WRITE_EXTERNAL_STORAGE permission and third-party advertising code that creates files on VPN users’ devices to assist in tracking ad performance.

Why Does It Matter?

Internet shutdowns already trample on the digital rights of those affected. It feels especially egregious when the victims of repression are exploited and put at risk by the very services purporting to help them.

By logging or sharing any identifying information at all, VPN services put their users at risk of exposure should the authorities decide to pursue those evading censorship.

The best VPN services won’t collect or share any personal user information at all, which leaves no opportunity for authorities to attempt to seize such data to persecute dissidents.

We will be updating and adding to this page regularly as major internet shutdowns take place around the world.

See all our investigations into the dangers of free VPN services.

Myanmar

The following table shows the results of our privacy and security tests of the 10 most popular VPN apps in Myanmar since the February 2021 coup. They are ordered by popularity, which is based on the number of days spent in the top 10 most-installed VPN apps in Myanmar.

For a full list of Play Store URLs, including archived versions, see this References document.

Analysis

Internet disruptions in Myanmar since the February coup have been severe and extremely drawn-out. Burmese people turned to VPNs in huge numbers, resulting in many free VPNs enjoying surges in popularity of varying duration.

Disturbingly, given the violence in the country, just two apps did not share or log users’ IP addresses. One app, VPN Super, actually broadcasts a user’s VPN server IP address and their true IP address in the same request back to its own servers.


Mitmproxy screengrab showing VPN Super server request containing both VPN server and true IP addresses.

Most apps shared users’ true IP addresses with Google’s various advertising services; however, VPN Super also shared this sensitive data with Facebook.

Cloudflare’s 1.1.1.1 / Warp VPN service sent the user IP address to its own servers only, where the data is stored temporarily before being purged, according to its privacy policy.

Even hugely popular apps like TurboVPN and Psiphon Pro, which have over 150M installs between them worldwide, share personal data with third parties, such as app monetization services Vungle or Chartboost, and advertising platforms like Google, Unity and Freestar.

Other third parties that receive data from the VPNs we tested included marketing data service Adjust, customer messaging service OneSignal and analytics platforms Firebase and Criteo.

In terms of risky functions, our findings were largely related to the creation and storage of files on user devices as a result of third-party advertising code, as mentioned earlier in this report. However, we also found that LetsVPN included both the BLUETOOTH permission and code to listen for Bluetooth networks, which is not something we would expect or want to see in a VPN app.

Nigeria

The following table shows the results of our privacy and security tests for the five most popular VPN apps in Nigeria since the government banned Twitter in June 2021. They are ordered by popularity, which is based on the number of days spent in the top five most-installed apps in Nigeria during the ban.

We limited our analysis to five apps as the Twitter ban remains in its early days. Also, there has not been significant fluctuation in which VPN apps are most popular during this period.

For a full list of Play Store URLs, including archived versions, see this References document.

Analysis

The Nigerian government banned Twitter on 5 June 2021 and demand for VPN services immediately spiked by over 1,400%. The social media platform remains blocked and the government has threatened to prosecute anyone who uses a VPN to access it.

This threat of criminal charges makes it doubly important that Nigerians can trust their VPN service not to expose their internet activity.

Encouragingly, the most popular VPN during the shutdown has been Windscribe, which is arguably the best free VPN service available.

Unfortunately, many Nigerians are installing less private VPN apps to get around the Twitter ban and are therefore putting themselves at risk.

Three VPN apps share their users’ true IP address with third parties. Notably, one app, SuperNet VPN, shares this data with Bugly, an operation stats tracking service owned by Chinese mega-corporation Tencent. The other two shared user IP addresses with Google ad services.


Mitmproxy screengrab showing SuperNet VPN server response from Bugly containing the real IP address used to connect to the service (highlighted).

Other third parties that receive data from the VPNs we tested included marketing data services Kochava and AppsFlyer, along with customer messaging service OneSignal, Google’s Android analytics platform Firebase, and Facebook.

Norton may be a well-known name in cybersecurity but our analysis revealed that its VPN app features the READ_PHONE_STATE permission to allow it to log the device’s unique IMEI code.

Methodology

The most popular VPNs during individual censorship events were identified for analysis using Sensor Tower data.

Traffic analysis of each VPN was conducted on a dedicated Android device in a sandboxed testing environment using mitmproxy. Leak testing was conducted using Wireshark. Analysis of the app code was conducted using various open source tools.
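One way to automate the traffic-analysis step, as an added example that is not the authors' tooling: it searches decrypted requests for a test device's true IP address and advertising ID in plain, base64 and hashed forms, and labels each recipient as first or third party. The identifiers, hostnames and flow records are constructed stand-ins for requests captured through an intercepting proxy.

```python
import base64
import hashlib
from urllib.parse import unquote_plus

# Constructed test values: documentation-range IPs and a made-up advertising ID.
IDENTIFIERS = {"true_ip": "203.0.113.57",
               "advertising_id": "38400000-8cf0-11bd-b23e-10b96e40000d"}
FIRST_PARTY = ("vpnapp.example",)  # hypothetical domain owned by the app under test

def variants(value):
    """Forms an identifier commonly takes on the wire (whole-value encodings only)."""
    raw = value.encode()
    return {"plain": value.lower(),
            "base64": base64.b64encode(raw).decode().rstrip("="),
            "md5": hashlib.md5(raw).hexdigest(),
            "sha256": hashlib.sha256(raw).hexdigest()}

def scan_flow(flow, identifiers=IDENTIFIERS, first_party=FIRST_PARTY):
    """Return (host, party, identifier, form) for each identifier seen in a request."""
    raw = flow["url"] + "\n" + flow["body"].decode("utf-8", "replace")
    text = raw + "\n" + unquote_plus(raw)      # search raw and URL-decoded views
    host = flow["host"]
    own = any(host == d or host.endswith("." + d) for d in first_party)
    party = "first-party" if own else "third-party"
    hits = []
    for label, value in identifiers.items():
        for form, needle in variants(value).items():
            # base64 is case-sensitive; plain text and hex digests are not
            haystack = text if form == "base64" else text.lower()
            if needle in haystack:
                hits.append((host, party, label, form))
    return hits

# Constructed decrypted requests (host, full URL, request body).
FLOWS = [
    {"host": "ads.adnetwork.example",
     "url": "https://ads.adnetwork.example/req?rdid=38400000-8CF0-11BD-B23E-10B96E40000D&ip=203.0.113.57",
     "body": b""},
    {"host": "api.vpnapp.example", "url": "https://api.vpnapp.example/connect",
     "body": b'{"server_ip":"198.51.100.9","client_ip":"203.0.113.57"}'},
    {"host": "track.metrics.example", "url": "https://track.metrics.example/e",
     "body": b"uid=" + hashlib.md5(IDENTIFIERS["advertising_id"].encode()).hexdigest().encode()},
    {"host": "cdn.example", "url": "https://cdn.example/banner.png", "body": b""},
]

def audit(flows):
    """Scan every captured request and collect all identifier hits."""
    return [hit for flow in flows for hit in scan_flow(flow)]

if __name__ == "__main__":
    for hit in audit(FLOWS):
        print(*hit, sep="\t")
```

Matching hashed forms matters because an identifier sent as an MD5 or SHA-256 digest is still a stable tracking key, even though a plain-text search of the capture would miss it.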

The authors of all our investigations abide by the journalists’ code of conduct.

Protesters shouting slogans and gesturing during the demonstration against military coup in Myanmar. March 7 2021. Credit: Theint Mon Soe / SOPA Images/Sipa USA.