Tested: 150 most popular free VPN Android apps on the Google Play store with over 260 million downloads between them.
25% suffer fundamental privacy failures, exposing users to ISPs through DNS leaks.
85% of apps feature permissions or functions with potential for privacy abuses
Long list of other security flaws and performance issues discovered
A quarter (25%) of the most popular free VPN (Virtual Private Network) apps on the Google Play store suffer from DNS leaks, according to the Free VPN Risk Index, the most comprehensive study of its kind, published today by VPN review service Top10VPN.com.
The study of the 150 most popular free VPN apps also identified that 85% were riddled with excessive permissions or functions within the source code which could potentially be used to spy on users. The report’s authors blamed their presence on invasive advertising practices, along with a too-often “quick and dirty” approach to free app development, especially when using third-party libraries, that fails to live up to the privacy standards expected of a VPN.
Users of these apps should be aware that they are gambling with their privacy given that DNS leaks were detected in 25% of them. This security flaw occurs when a VPN fails to force DNS requests through its encrypted tunnel to its own DNS servers and instead permits the requests to be made directly to the default ISP DNS servers.
Even though the rest of their traffic may be concealed, the leak exposes a user’s browsing history to their ISP and any third-party DNS server operator that it may use.
Free VPN app users will also draw cold comfort from the excuses provided by developers for the near-ubiquity of intrusive permissions and source code functions with privacy risks (85% of apps). Whether developers insert them maliciously or just don’t consider privacy when working with third-party libraries, consumers are put at risk either way.
None of the permissions and functions flagged in the Risk Index feature in premium VPN apps.
Researchers found the following intrusive permissions: location tracking (25% of apps); access to device status information (38%); and in smaller numbers: use of camera and microphone and the ability to secretly send SMS. Over half (57%) featured code to get a user’s last known location.
Almost one in five (18%) apps were flagged by antivirus scanners as potentially containing malware or viruses. This should certainly give users pause before installing any of these apps.
Network tests revealed that almost all (95%) apps displayed some kind of performance or security anomaly. Over a third (37%) had a “major abnormality”, which largely centred around red-flag DNS behavior, which can prevent users from accessing the internet normally. Half (50%) had at least four “minor aberrations”, such as high packet loss and latency, or blocked ports, which typically result in a glitchy and unstable internet experience.
Simon Migliano, Head of Research at Top10VPN.com, says:
“Surging consumer demand for free VPN services is being met by opportunistic Android developers, who are taking advantage of both the lack of consumer understanding of the product and minimal oversight by the Google Play store in order to cash in.
“The result is something of a Wild West scenario. We are seeing apps that have been slapped together as a vehicle for aggressive advertising using third-party libraries that aren’t necessarily appropriate for use in a privacy application.
“Given how fundamental masking a user’s true location is to the concept of a VPN, it’s disturbing to see just how many apps contain code for getting the user’s last known location. It’s also hard to believe that any developer could expect anyone to trust their VPN app when it includes permissions and commands for using the camera or accessing your contacts.
“Following on from our recent investigation that revealed the hidden Chinese ownership of some of the biggest free VPN apps, we created the Risk Index to help consumers avoid using dubious free apps that, rather than protect their privacy, put it at risk.
“My advice to anyone considering using a free VPN is to do extensive research before installing and using one. With the free apps in our study, there’s a one in four chance of unwittingly exposing your activity due to a DNS leak even as you thought yourself protected.”