It’s not just free VPNs, these premium services can be bad for your privacy
Not all premium VPN services protect your privacy equally: more than half of the most popular services showed some form of data leak in testing, and at least three apps shared personal information “in a way that compromised user privacy.”
These are the key findings of new research conducted by Top10VPN on the 30 most popular premium VPN providers for Android devices. The list includes some of the best-known VPN apps on the market, such as NordVPN, ExpressVPN, Proton VPN, and Surfshark.
“I don’t want to overstate the risk level. For most users it’s quite low, but it does depend on your threat model,” Simon Migliano, head of research at Top10VPN, told Ny Breaking, naming Avira Phantom VPN and FastestVPN as the paid Android VPNs that users should “absolutely” avoid.
Paid Android VPN app privacy fails
As mentioned, Migliano ran tests on the 30 most popular paid Android VPNs to identify potential security issues within the apps – the full list of services analyzed is available here.
These tests focused on several areas: DNS and other data leaks, VPN encryption, VPN tunnel stability, risky app permissions, risky use of device hardware features, and data collection and sharing.
The most surprising result for Migliano was that half of the top paid VPNs (15 of the 30) failed to ensure SNI (Server Name Indication) encryption for all of the server connections the apps make. SNI is an extension of the TLS protocol by which a client indicates, during the handshake, the hostname of the server it is trying to reach; unless encrypted SNI is used, that hostname travels in cleartext and is visible to anyone watching the network.
“While this leak may be relatively minor for most people, it’s a mistake that could get someone into trouble with their school or workplace if VPNs aren’t allowed on the network, or even get into legal trouble in e.g. Turkey or China, where VPNs are heavily regulated,” he added.
According to Migliano’s data, Surfshark, Private Internet Access (PIA), and PrivadoVPN were some of the apps that still overlooked SNI encryption.
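To make the SNI finding concrete, the following is an added example (not code from Top10VPN’s research or from this article) that parses a TLS ClientHello record and pulls out the cleartext server_name extension, which is exactly what a network observer sees when an app’s connection does not use encrypted SNI. The ClientHello bytes are constructed inline and the hostname is a placeholder.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16   # TLS record content type for handshake messages
CLIENT_HELLO = 0x01    # handshake message type
EXT_SERVER_NAME = 0x0000  # extension type for SNI (RFC 6066)


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed sample: a minimal ClientHello record, optionally carrying a cleartext SNI."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions += struct.pack("!HH", 0x0017, 0)  # extended_master_secret, empty body
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
            + b"\x01\x00"                              # one compression method (null)
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the cleartext hostname from a ClientHello record, or None if it carries none."""
    if len(record) < 9 or record[0] != TLS_HANDSHAKE or record[5] != CLIENT_HELLO:
        return None
    pos = 9 + 2 + 32                                   # skip headers, client_version, random
    pos += 1 + record[pos]                             # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]                             # compression_methods
    if pos + 2 > len(record):
        return None                                    # no extensions block at all
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, body_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == EXT_SERVER_NAME:
            entry = pos + 2                            # skip ServerNameList length
            name_len = struct.unpack_from("!H", record, entry + 1)[0]
            if record[entry] == 0:                     # host_name entry
                return record[entry + 3:entry + 3 + name_len].decode("idna")
        pos += body_len
    return None


def leaked_hostnames(records) -> list:
    """Audit helper: every hostname an app exposes in cleartext across captured ClientHellos."""
    return sorted({h for h in map(extract_sni, records) if h})
```

Run over a capture of an app’s outbound TLS records, an empty result from leaked_hostnames means no server name was visible in the clear.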
Did you know?
A virtual private network (VPN) is security software that encrypts your Internet connection to prevent third parties from accessing your data while you are on the go, or from watching your online activity. At the same time, it masks your real IP address and location, allowing you to access otherwise geo-restricted content.
At least seven Android VPNs also leaked DNS requests – that is, the device’s requests to a Domain Name System server to resolve a hostname to an IP address.
Again, these leaks are not critical and only occur under very specific circumstances, so they won’t be a major problem for most users. That said, Migliano believes that “a properly configured VPN should disconnect all existing network connections to prevent this.”
This is why, if private browsing is crucial for you, he suggests avoiding the VPNs affected by this problem, namely HMA!, Private VPN, Mozilla VPN, Privado, VyprVPN, X-VPN and Avira Phantom.
FastestVPN was another big no for Migliano on this front. He said: “I could never recommend FastestVPN after it displayed my email address in clear text in the headers of a server request to a geolocation API, which is inexcusable.”
While the picture is much better than with free VPN apps, data collection and sharing can also be an issue for some providers. Migliano found that seven of the 30 apps analyzed posed a potential privacy risk due to built-in tracking code from advertisers and data brokers. However, only two VPNs (VPN Unlimited and Hotspot Shield) were found to actually share data in practice, while X-VPN had poor data sharing practices.
VPN encryption for paid services was generally good. But while seven apps failed to use the latest version of TLS to establish the VPN tunnel (AES-256), Avira Phantom used the outdated SSLv2 protocol which, Migliano noted, has long been considered unsafe.