More than 25 percent of the 150 most popular free VPNs in the Google Play Store do not adequately protect users’ privacy, and up to 85 percent of them open users up to various security vulnerabilities, according to a new study published by VPN reviews and advocacy site Top10VPN.com. The findings have been published in an exhaustive risk index that details each free VPN’s real-world performance as well as behaviour, including the permissions they ask for and whether they potentially contain malware. The 150 free VPNs tested have been ranked on the basis of their total install base as reported on the Google Play Store.
The biggest problem identified is DNS leakage, which means that while network traffic such as the contents of Web pages and messages might be encrypted, the VPNs allowed DNS requests to be passed through a device’s default configured DNS servers. This would allow a network operator such as an ISP to track the user’s online activity, potentially defeating the purpose of the VPN itself.
Beyond that, 66 percent of the apps tested (99 in total) asked for unnecessary permissions that are classified as “dangerous” in official Android developer documentation. 25 percent of apps (38) asked to track location, while 38 percent (57) requested access to personal information on the Android device and a smaller unspecified number wanted to use the device’s cameras and microphone or send text messages.
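A reader can run the same kind of permission check on a single app. The sketch below is an added example, not code from the Top10VPN.com study: it assumes the app's AndroidManifest.xml has already been decoded to text XML, and the `audit_manifest` function, the `com.example.freevpn` package and the sample manifest are constructed for illustration. The permission table is a partial subset of those Android documents as "dangerous", grouped by the categories named above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Partial subset of permissions with protection level "dangerous" in the
# Android developer documentation, grouped by the article's categories.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CONTACTS": "personal data",
    "android.permission.GET_ACCOUNTS": "personal data",
    "android.permission.READ_PHONE_STATE": "personal data",
    "android.permission.READ_EXTERNAL_STORAGE": "personal data",
}

# Constructed sample manifest for a hypothetical free VPN app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""

def audit_manifest(manifest_xml):
    """Return {category: [permission, ...]} for dangerous permissions requested."""
    # For manifests from untrusted APKs, use a hardened XML parser instead.
    root = ET.fromstring(manifest_xml)
    findings = {}
    # Both element names request permissions; the -sdk-23 form applies on API 23+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name", "")
            category = DANGEROUS.get(name)
            if category:
                findings.setdefault(category, set()).add(name)
    return {cat: sorted(names) for cat, names in sorted(findings.items())}

if __name__ == "__main__":
    for category, names in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{category}: {', '.join(names)}")
```

The network permissions in the sample are not flagged, while the location, phone-state and microphone requests are the kind the study counts as unnecessary for a VPN.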
In total, 63 percent of the apps (95) were tagged in the report as featuring functions with the potential for privacy abuse. 18 percent (27) of the apps were flagged for potential viruses or malware when scanned.
The risk index does point out that simply asking for permissions does not mean that an app is malicious, but it is not very conducive to earning user trust. It could be a sign of sloppy practices on the part of the programmers, or it could be in order to help target the advertising that keeps these apps free. The risk index states that none of today’s top paid VPN services require such permissions or contain such functions.
Several of the apps could not be fully tested for network security. 14 percent used DNS servers that have been blacklisted and 62 percent led users to blocked TCP ports, causing errors that prevented websites from loading. All of the apps that could be tested did successfully create encrypted VPN tunnels, but several of them did allow DNS leaks without any indication to the user, and two of the apps even leaked the test device’s actual IP address, completely defeating the purpose of a VPN.
The top 10 free VPN apps by install base are HotSpotShield Free, SuperVPN, Hi VPN, HotSpotShield Basic, Psiphon Pro, Turbo VPN, VPN Master, Snap VPN, Hola, and Speed VPN, with between 10 million and 50 million users each. None were flagged for malware, but all were flagged for at least one of the core issues: risky permissions, risky functions, or DNS leakage.
Some of the VPN providers responded to Top10VPN.com’s findings, and their responses have been factored into the risk index’s results and the expressions of confidence written for each app. The exhaustive report, with individual problem reports for each free app, is published by Top10VPN.com. Users who are concerned about privacy and security are advised that free VPNs might not be a viable option at all.