Free VPN Ownership & Security Investigations Update

This update to our free VPN ownership and security investigations reveals 75% of all the apps featured are still potentially unsafe. We shared this finding with Google and Apple but they failed to act.
header image
Simon Migliano

UPDATED 9 Jun 2021 to make the report more reader-friendly and consistent with current investigations.

Key Findings

  • Apple and Google are allowing numerous extremely popular but potentially unsafe free VPN apps to remain in their app stores
  • The companies have ignored formal advice regarding the apps that continue to pose a privacy risk after previously being identified in two widely-reported VPN investigations

Free VPN Ownership Update

  • Current findings: 77% of apps previously identified as potentially unsafe still pose a risk.
  • Original findings: Almost 60% of popular free VPN apps were secretly Chinese-owned while nearly 90% had serious privacy flaws.
  • Downloads: over 210 million total (Google); 3.8 million per month (Apple)

Free VPN Risk Index Update

  • Current findings: 74% of apps previously identified as potentially unsafe still pose a risk
  • Original findings: 85% of 150 Android apps tested had unsafe permissions or functions. 25% exposed users via DNS, WebRTC or IP leaks.
  • Downloads: 518 million installs from Play store – up from 260 million in six months.

Introduction

Demand for free VPN services is accelerating at breakneck pace, driven by increasingly-frequent internet shutdowns and surveillance around the world.

Incredibly, the same number of free VPNs have been downloaded (from official sources) since the start of 2019 as had been downloaded in total up to that point, our research shows.

We published two free VPN investigations in late 2018/early 2019 to investigate this growing phenomenon.

Our reports shared highly disturbing discoveries about both the nature of the companies profiting from this surge in demand and the quality of the service they are providing.

Several months after these reports were published, neither Google nor Apple had acknowledged the widely-reported findings.

In the hope of prompting them into action, we emailed the two companies detailed updates on our findings. This advice showed them exactly which apps from each investigation in their respective app stores still posed a risk to consumers and formally requested action to reduce that risk.

We advised them that:

  • 77% of apps flagged as potentially unsafe in our Free VPN Ownership report still pose a risk
  • 90% of apps identified as potentially unsafe in our Free VPN Risk Index still pose a risk

We wanted to make it as easy as possible for Apple and Google to fix the problem, so our written notices included:

  • Detailed lists of the potentially unsafe apps
  • Links to the relevant parts of our research
  • Links to the relevant listings on the app stores
  • Recommendations of what steps to take to improve the situation
  • An offer to share our knowledge of VPN reviews to help set appropriate minimum standards

Google and Apple simply ignored our warnings.

This report makes public the current situation with free VPN apps in the App Store and Play.

Our goal is two-fold:

  1. to help the public avoid risking their privacy
  2. to put more pressure on Apple and Google to act.

The main body of this report has four chapters as follows:

  1. Ownership Investigation: summary of updated and original findings. Jump to chapter.
  2. Ownership Investigation: current status of individual apps. Jump to chapter.
  3. Risk Index: summary of updated and original findings. Jump to chapter.
  4. Risk Index: current status of individual apps. Jump to chapter.

See all our research into the safety of free VPN services.

Free VPN Ownership Findings Summary

Our Free VPN Ownership study, published in late 2018, investigated the companies behind the most popular free VPN apps in Apple’s App Store and Google Play.

We examined the 30 apps making up the top 20 search results for “VPN” across the two app stores.

We dug deep into the ownership of the companies operating these services, assessed their privacy policies and tested their customer support.

Our key findings made for discomforting reading:

  • 59% of apps had hidden Chinese ownership, despite the strict VPN ban in China and that nation’s notoriety for censorship and internet restrictions
  • 86% of apps had privacy policy flaws, including
    • no policy at all
    • generic policies with no mention of VPN
    • no detailed logging policy
    • data sharing with third parties
  • 64% of apps had no dedicated website, making it difficult to find corporate information about the service provider

In our review of those findings, we looked at whether flagged apps are still available to download and whether they had updated their policies or increased their transparency.

The results of that review are:

  • 77% of apps flagged as potentially unsafe when the study was first published continue to pose a privacy risk and yet remain available for download
  • The potentially unsafe apps represent 67% of all those originally investigated
  • The affected apps have continued to increase in popularity since we published our findings
    • Google Play downloads of apps we flagged as potentially unsafe have soared to 214 million in total, rocketing by 85% in six months
    • Monthly installs from the App Store held steady at around 3.8 million, which represents a relative increase as this total was generated by 20% fewer apps than at the start of the year as a number of apps are no longer available

Why does this matter?

China is inarguably the enemy of internet freedom. Long notorious for maintaining its Great Firewall domestically, it is now exporting its concept of digital sovereignty that is founded on a highly-censored and surveilled internet.

VPN use is now strictly banned in China, so it’s highly unlikely that Chinese-run services are operating without the tacit approval of the Chinese government. And that, in turn, begs the question of “what’s in it for China?”

The answer is simple: potential access to the massive amounts of browsing data flowing through VPN networks.

VPN services give China the potential for access to huge amounts of foreign intelligence

Just as the harsh glare of suspicion is falling on Huawei’s ties with the Chinese state, similar scrutiny should be applied to VPN services.

It’s unacceptable that Google and Apple are keeping their heads buried in the sand rather than weeding out any VPN operators that don’t meet strict standards for integrity.

Ownership Apps Update

The following table shows the results of our review of the 30 apps featured in our Free VPN Ownership investigation, ordered by volume of installs.

It shows current installs per platform; whether the app is still available for download; whether the app or developer name has changed since our report; and whether it still poses a potential privacy risk.

Free VPN Risk Index Findings Summary

The Free VPN Risk Index, published in February, tested the 150 most-downloaded free VPN apps in Google Play for privacy and performance issues.

To create the Index, we tested for and analyzed:

  • DNS, WebRTC and IP leaks
  • Intrusive Android app permissions
  • Risky functions in the apps’ source code
  • Viruses and malware
  • Network performance
  • Encryption

Our results cast a significant shadow over the entire free VPN app category in Google Play. Our key findings included:

  • 25% of apps tested positive for DNS leaks
  • 85% requested intrusive permissions OR contained functions with potential for privacy abuses
    • 67% requested intrusive permissions, such as location tracking or access to personal info
    • 63% featured functions with the potential for privacy abuses not expected from a VPN app
  • 18% of apps tested positive for potential viruses or malware
  • 38% of apps displayed at least one “major abnormality” in network tests

In our review of the findings, published for the first time in this report, we looked at whether flagged apps still posed a risk.

We re-ran our battery of tests that included network traffic analysis, virus and malware scans, a review of current permissions, and a scan of the code for potentially unsafe functions.

The results of that review were:

  • 74% of the 150 apps included in the Risk Index, or 111 apps in total, continue to pose a risk to consumers due to persistent security flaws
  • The natural attrition rate of apps since that time has been 13% with 20 apps no longer available
  • The proportion of apps still available to download from Google Play that are also potentially unsafe is as high as 85%, ie 111 of 130 apps
  • 54% of the original 150 apps continue to feature intrusive permissions, which is 63% of the 130 apps still in the Play store
  • 53% of the full list continues to feature potentially unsafe functions, which is 61% of those still available to download. Unsafe functions that persist in the apps’ code include:
    • Camera;->open – used to open the device’s camera
    • LocationManager;->getLastKnownLocation – used to track users’ last location
    • TelephonyManager;->getDeviceId – used to get device info like IMEI or phone number
  • Potential viruses or malware were detected in 21% of the full list, actually an increase of three percentage points since February and nearly a quarter (24%) of those still available to download from Play
  • One positive development – potentially prompted by our scrutiny of the category – is a significant drop in DNS and other leaks, such as WebRTC and IP leaks.
    • 70% of apps flagged as leaky (28 apps) plugged those leaks
    • 7% of the full 150 apps currently leak, or 8% of those still available.
  • 10% of apps made positive improvements to make themselves safer for their users, although most didn’t go far enough to lose their red flags completely
  • We discovered 10% of apps are now even riskier than before due to the introduction of unsafe permissions and functions, or where scans detected new instances of malware or viruses
  • The potentially unsafe apps in the Risk Index have absolutely skyrocketed in popularity since we first published our findings, more than doubling from 260 million for the entire Risk Index in February to 518 million for the risky apps alone – all in less than six months.

Why Does This Matter?

The explosion in demand for VPN services is attracting those looking to profiteer from the spreading incursions on internet freedom.

The apps themselves are infested with intrusive advertising while the wealth of browsing data flowing through the VPN networks is a lucrative source of revenue for those willing to sell it onto marketers.

What’s most disturbing is that this profiteering is actually the lesser of the risks our tests have uncovered.

Truly malicious actors could easily abuse their access to this data to commit identity theft and fraud. There’s also the risk posed by the disturbingly high malware detection stat.

Google is simply ignoring significant privacy risks for over a half billion users of free VPN Android apps worldwide

So what should Google do?

  1. Acknowledge VPN apps to be more sensitive than other types of app
  2. Ban the use of intrusive permissions and privacy-unfriendly functions
  3. Require devs to demonstrate that their apps neither leak nor contain malware

Until this happens however, the free VPN category on Google Play will remain a privacy and security minefield for unsuspecting users, who are often desperate to circumvent repressive censorship measures in their home countries.

Risk Index Apps Update

The following table shows the results of our review of the 150 apps featured in our Free VPN Risk Index, ordered by volume of installs.

It shows current installs and whether: the app is still available for download; suffers from DNS, WebRTC or IP leaks; features excessive intrusive permissions; contains potentially unsafe functions in its code; returns positive matches for viruses or malware in VirusTotal scans; and whether it still poses a potential privacy risk.

[1] AnchorFree provided us with a detailed explanation of the elements detected, which are used to serve targeted ads.
[2] Psiphon provided us with a detailed explanation of the elements detected. While they do have legitimate purposes, the risk of abuse remains.
[3], [4] App and developer name were both formerly FREE VPN.
[5] Developer name was formerly Eagle VPN.
[6], [7] App and developer name were formerly both OLO VPN.
[8] Developer name was formerly InstaBerry.
[9] Full app name is Super Turbo VPN Unblocker.
[10] Developer name was formerly was Infinity Software Co.
[11], [12] App name was formerly VPN Melon and its developer Free Vpn Proxy.
[13] Developer name was formerly Genius Recorder
[14] App name was formerly “Free VPN and Fast Connect – OpenVPN for Android”
[15] Developer name was formerly was DevProm
[16] App name was formerly Super VPN 2018

Methodology

Full methodologies for the original research can be viewed on their respective reports: VPN Ownership and Risk Index.

For the VPN Ownership review in this report, we reviewed each app’s store listing and re-assessed the privacy policies to determine their risk status. This information was supplied to Apple and Google.

For the Risk Index review, we re-ran the tests used in the original research. We downloaded the binaries of the apps that were still available and re-ran the VirusTotal scans for analysis. We also installed the apps on an Android device and analyzed network traffic in a controlled test environment using Wireshark to corroborate leak test results. The results were sent to Google.

The results of these recent tests can be viewed in this Risk Index update data source.

The authors of all our investigations abide by the journalists’ code of conduct.