Over 2.5 billion free Android VPN users at risk of data leaks
88% of free Android VPNs leak and 71% share data, according to a new research
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Almost 90% offree VPNservices in thePlay Storeleak your data, over two-thirds share your sensitive information with third parties, and more than half include at least one potential privacy risk on their code.
These are the shocking findings revealed by a newTop10VPN study. Head of Research, Simon Migliano, spent over two months analyzing the top 100 most popular freeAndroid VPNapps. He tested encryption protocols, VPN tunnel stability, app permissions, third-party tracking, and the most common types of data leaks, among other things.
Thebest VPNservices can spoof a person’s IP address and encrypt internet connections to conceal online activities. These results are then extremely worrying considering the tested VPN apps count for 2.5 billion worldwide installs between them—allegedly failing to the promises of boosting their users' online privacy.
A worsening market
“The free VPN market is flooded with poor quality apps whose only justification for their existence is to generate advertising revenue for their developers,” Migliano told me. “This was the case when I first started investigating free Android VPNs six years ago and it’s only gotten worse since.”
For starters, reliable encryption—which is supposed to be at the core ofvirtual private networksoftware—is especially lacking among the most downloaded freebies, according to Migiano’s tests. He found several failures, ranging from total exposure of internet activity to leaking details of websites visited.
Contrary tosecure VPNproviders, these apps are also reported to use weak and outdated encryption protocols. For instance, four providers still use the 30-year-old SSLv2 to establish a VPN tunnel instead of the stronger IKEv2/IPsec. While at least 35 encrypt traffic with a 128-bit rather than the industry standard 256-bit encryption.
On data leak protection, the free providers analyzed were especially bad. “I was most surprised at how many VPNs leaked,” said Migiano. “Almost 90% leaked your data in some way. That’s completely unacceptable.”
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
These data leakages included original IP address details, DNS requests, andWebRTC. SuperVPN was one of the apps affected. The provider already made headlines a year ago forbreaching over 360 million user datarecords online.
Besides an unreliable and insecure infrastructure, these free services also facilitate user-tracking and data-sharing, putting their users' privacy further at risk.
As the graph above shows, many of these apps request invasive user permissions that clash with what a VPN should do—protect your data. Specifically, 69 out of 100 apps request at least one of these high-risk permissions. These include location tracking (20), access to sensitive data (9), devices scanning for installed apps (46), use of camera (10), and ad tracking (82).
The latter, especially, does not just defeat the object of using a VPN—to prevent online tracking—but also negatively affects the overall experience.
“The user experience of these apps is absolutely shocking. The amount of ads borders on offensive with long, unskippable video ads before the app allows you to even connect to a VPN server,” Migliano told me. “The apps are full of dark patterns around signing up for over-priced paid subscriptions and tricking you into clicking ads instead of closing them. The VPN connections themselves are slow and very unreliable.”
The most worrying finding here is that over half of providers (54) allow these types of invasive tracking right from their proprietary code. This means that VPN developers willingly decided to do so.
According to the research, BeePass,Urban VPN, Leaf VPN and Hide My IP were the only apps with no detected privacy-risking code at all.
You can see the full list of VPNs tested and the security risk uncovered on this spreadsheethere.
How to avoid unsecure VPNs
This thorough analysis follows a long series of incidents that show the risks of using an unsecured VPN service to protect online data. This is especially troubling asinternet shutdownsare on the rise and, subsequently, people are in dire need of security and circumvention tools on a very limited budget.
That’s why Migliano recommendedsigning up for freemium VPN apps. As he explained, these providers don’t need to rely on advertising to keep the service going.
“There’s often a trade-off with data caps or limited servers, but that’s a better compromise from a privacy perspective than using an ad-supported service that harvests your data and potentially exposes your internet activity,” he added.
At TechRadar, our experts review VPN apps regularly, so I suggest checking our updatedfree VPN ranking. Our #1 at the time of writing,PrivadoVPN, offers 10 GB of data at full speed every month, followed by unlimited usage via a single 1 Mbps location. Our #2 choice,Proton VPN Free, has no cap on data, but offers fewer locations.
There are also somepremium VPNs offering free subscriptionsfor journalists, activists, NGOs, and other people at high risk of surveillance and censorship, includingProton VPN,Surfshark, andIPVanish. I suggest reaching out to these companies if you feel you’re at risk.
I also suggestmaking the most ofVPN free trials. While Surfshark offers a seven-day free trial for Android users, other providers operate on a 30-day money-back guarantee policy. This means you’ll need to invest the subscription money to be able to try out the product.
We test and review VPN services in the context of legal recreational uses. For example:1.Accessing a service from another country (subject to the terms and conditions of that service).2.Protecting your online security and strengthening your online privacy when abroad.We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up.She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com
Should your VPN always be on?
3 reasons why PIA fell in our best VPN rankings
NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)
