The Free VPN Risk Index, published in February, tested the 150 most-downloaded free VPN apps in Google Play for privacy and performance issues.
To create the Index, we tested for and analyzed:
- DNS, WebRTC and IP leaks
- Intrusive Android app permissions
- Risky functions in the VPN apps’ source code
- Viruses and malware
- Network performance
Our results cast a significant shadow over the entire free VPN app category in Google Play. Our key findings included:
- 25% of VPNs tested positive for DNS leaks
- 85% requested intrusive permissions OR contained functions with potential for privacy abuses
- 67% requested intrusive permissions, such as location tracking or access to personal info
- 63% featured functions with the potential for privacy abuses not expected from a VPN app
- 18% of VPNs tested positive for potential viruses or malware
- 38% of VPNs displayed at least one “major abnormality” in network tests
In our review of the findings, published for the first time in this report, we looked at whether flagged VPNs still posed a risk.
We re-ran our battery of tests that included network traffic analysis, virus and malware scans, a review of current permissions, and a scan of the code for potentially unsafe functions.
The results of that review were:
- 74% of the 150 VPNs included in the Risk Index, or 111 VPNs in total, continue to pose a risk to consumers due to persistent security flaws
- The natural attrition rate of apps since that time has been 13% with 20 VPNs no longer available
- The proportion of VPNs still available to download from Google Play that are also potentially unsafe is as high as 85%, i.e. 111 of 130 VPNs
- 54% of the original 150 VPNs continue to feature intrusive permissions, which is 63% of the 130 VPNs still in the Play store
- 53% of the full list continues to feature potentially unsafe functions, which is 61% of those still available to download. Unsafe functions that persist in the apps’ code include:
  - Camera;->open – used to open the device’s camera
  - LocationManager;->getLastKnownLocation – used to track users’ last location
  - TelephonyManager;->getDeviceId – used to get device info like IMEI or phone number
- Potential viruses or malware were detected in 21% of the full list, actually an increase of three percentage points since February and nearly a quarter (24%) of those VPNs still available to download from Play
- One positive development – potentially prompted by our scrutiny of the category – is a significant drop in DNS and other leaks, such as WebRTC and IP leaks:
  - 70% of VPNs flagged as leaky (28 apps) plugged those leaks
  - 7% of the full list of VPN apps currently leak, or 8% of those still available
- 10% of VPNs made positive improvements to make themselves safer for their users, although most didn’t go far enough to lose their red flags completely
- We discovered 10% of VPNs are now even riskier than before due to the introduction of unsafe permissions and functions, or where scans detected new instances of malware or viruses
- The potentially unsafe VPNs in the Risk Index have absolutely skyrocketed in popularity since we first published our findings, more than doubling from 260 million for the entire Risk Index in February to 518 million for the risky apps alone – all in less than six months.
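As an added illustration of the permission review and code scan described in the findings above (example code written for this page, not the Risk Index’s own tooling), the script below checks a decompiled app for the three flagged API calls and for intrusive permissions. It assumes apktool-style output: a decoded AndroidManifest.xml and smali text; the fully qualified signatures and the set of permissions treated as intrusive are our assumptions, modelled on the examples in the report, and the sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Smali-style call signatures flagged in the report (fully qualified); purpose notes are ours
RISKY_CALLS = {
    "Landroid/hardware/Camera;->open": "opens the device camera",
    "Landroid/location/LocationManager;->getLastKnownLocation": "reads last known location",
    "Landroid/telephony/TelephonyManager;->getDeviceId": "reads the IMEI / device identifier",
}
# Permissions we treat as intrusive for a VPN app (assumption modelled on the report's examples)
INTRUSIVE_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA",
}
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

def intrusive_permissions(manifest_xml: str) -> set:
    """Intrusive permissions declared in an AndroidManifest.xml (as a decoded string)."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}
    return requested & INTRUSIVE_PERMS

def risky_calls(smali_text: str) -> dict:
    """Count invoke sites of each flagged API in decompiled smali text."""
    hits = {}
    for sig in RISKY_CALLS:
        n = len(re.findall(re.escape(sig) + r"\(", smali_text))
        if n:
            hits[sig] = n
    return hits

def assess(manifest_xml: str, smali_text: str) -> dict:
    """Combine both checks into the report's two red-flag categories."""
    perms = intrusive_permissions(manifest_xml)
    calls = risky_calls(smali_text)
    return {"intrusive_permissions": sorted(perms), "risky_calls": calls,
            "flagged": bool(perms or calls)}

# Constructed sample inputs standing in for apktool output of a hypothetical app
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""
SAMPLE_SMALI = """invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
invoke-virtual {v1, v2}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
invoke-static {}, Landroid/hardware/Camera;->open()Landroid/hardware/Camera;
invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;"""
```

Running `assess(SAMPLE_MANIFEST, SAMPLE_SMALI)` on the constructed sample flags both categories, which is the combination the report counts under its 85% figure.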
Why Does This Matter?
The explosion in demand for VPN services is attracting those looking to profiteer from the spreading incursions on internet freedom.
The VPNs themselves are infested with intrusive advertising, while the wealth of browsing data flowing through the VPN networks is a lucrative source of revenue for those willing to sell it on to marketers.
What’s most disturbing is that this profiteering is actually the lesser of the risks our tests have uncovered.
Truly malicious actors could easily abuse their access to this data to commit identity theft and fraud. There’s also the risk posed by the disturbingly high malware detection stat.
Google is simply ignoring significant privacy risks for over a half billion users of free VPN Android apps worldwide.
So what should Google do?
- Acknowledge VPN apps to be more sensitive than other types of app
- Ban the use of intrusive permissions and privacy-unfriendly functions
- Require devs to demonstrate that their apps neither leak nor contain malware
Until this happens however, the free VPN category on Google Play will remain a privacy and security minefield for unsuspecting users, who are often desperate to circumvent repressive censorship measures in their home countries.