Nearly 90% of the free VPN services on the Play Store leak your data, over two-thirds share your sensitive information with third parties, and more than half include at least one potential privacy risk in their code.
These are the shocking findings revealed by a new Top10VPN survey. Head of Research Simon Migliano spent over two months analyzing the top 100 most popular free Android VPN apps. He tested encryption protocols, VPN tunnel stability, app permissions, third-party tracking, and the most common types of data leaks, among other things.
The best VPN services can spoof a person’s IP address and encrypt internet connections to hide online activity. These results are extremely concerning considering that the VPN apps tested collectively account for 2.5 billion installs worldwide and reportedly fail to deliver on promises to increase their users’ online privacy.
A deteriorating market
“The free VPN market is flooded with poor quality apps whose only justification for their existence is to generate ad revenue for their developers,” Migliano told me. “This was the case when I first started researching free Android VPNs six years ago, and it’s only gotten worse since then.”
For starters, reliable encryption (which should be at the heart of virtual private network software) is especially lacking among the most downloaded free software, according to Migliano’s testing. He discovered several flaws, ranging from total exposure of internet activity to leaking details of websites visited.
Unlike secure VPN providers, these apps are also said to use weak and outdated encryption protocols. For example, four providers still use the 30-year-old SSLv2 to establish a VPN tunnel instead of the stronger IKEv2/IPsec, while at least 35 encrypt traffic with 128-bit encryption instead of the industry-standard 256-bit encryption.
In terms of protection against data leaks, the free providers analyzed were particularly poor. “I was most surprised by the number of VPNs that leaked,” says Migliano. “Almost 90% have leaked your data in some way. That is completely unacceptable.”
These leaks include original IP addresses, DNS requests, and WebRTC. SuperVPN was one of the affected apps. The provider made headlines a year ago for leaking more than 360 million user data records online.
In addition to unreliable and unsafe infrastructure, these free services also facilitate user tracking and data sharing, further compromising the privacy of their users.
As the chart above shows, many of these apps ask for invasive user permissions that conflict with what a VPN is supposed to do: protect your data. Specifically, 69 out of 100 apps request at least one of these risky permissions. These include location tracking (20), access to sensitive data (9), searching the device for installed apps (46), camera use (10) and ad tracking (82).
The latter in particular not only undermines the purpose of using a VPN (to prevent online tracking), but also negatively impacts the overall experience.
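To check an app against the permission categories listed above, the following added example (not part of the Top10VPN study or the original article) scans a decoded AndroidManifest.xml and groups any risky permissions it requests. The mapping from each category to specific Android permission names is an assumption made for illustration, as is the constructed sample manifest; a real APK stores its manifest as binary XML, so it must first be decoded to text with a tool such as apktool.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumption: this category-to-permission mapping is illustrative; the article
# names the categories but not the exact permissions the study looked for.
RISKY = {
    "location tracking": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION",
                          P + "ACCESS_BACKGROUND_LOCATION"},
    "sensitive data": {P + "READ_CONTACTS", P + "READ_PHONE_STATE", P + "READ_SMS"},
    "installed apps": {P + "QUERY_ALL_PACKAGES"},
    "camera": {P + "CAMERA"},
    "ad tracking": {"com.google.android.gms.permission.AD_ID"},
}

def audit_manifest(manifest_xml):
    """Return {category: sorted permission names} for risky permissions requested."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    # <uses-permission-sdk-23> is the variant that applies only on API 23+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                requested.add(name.strip())
    findings = {}
    for category, permissions in RISKY.items():
        hits = sorted(requested & permissions)
        if hits:
            findings[category] = hits
    return findings

# Constructed sample manifest for a hypothetical free VPN app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />
  <uses-permission android:name="com.google.android.gms.permission.AD_ID" />
  <uses-permission-sdk-23 android:name="android.permission.CAMERA" />
</manifest>"""

if __name__ == "__main__":
    for category, permissions in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{category}: {', '.join(permissions)}")
```

A VPN client needs network access and the system VPN service binding to do its job, so any hit reported here is worth questioning before installing.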
“The user experience of these apps is absolutely shocking. The amount of advertising borders on offensive with long video ads that are unskippable before you can even connect to a VPN server with the app,” Migliano told me. “The apps are full of shady patterns around signing up for overpriced paid subscriptions and tricking you into clicking on ads instead of closing them. The VPN connections themselves are slow and highly unreliable.”
The most concerning finding here is that more than half of providers (54) allow this type of invasive tracking directly from their own code. This means that VPN developers have voluntarily decided to do this.
According to the study, BeePass, Urban VPN, Leaf VPN and Hide My IP were the only apps without any privacy-threatening code detected.
The complete list of tested VPNs and the security risks discovered is available in this spreadsheet.
How to avoid unsafe VPNs
This in-depth analysis follows a long series of incidents that demonstrate the risks of using an unsecured VPN service to protect online data. This is especially troubling as internet shutdowns are on the rise and people on very limited budgets are in dire need of security and circumvention tools.
That’s why Migliano recommended signing up for freemium VPN apps. As he explained, these providers don’t have to rely on advertising to keep the service running.
“There’s often a trade-off with data caps or limited servers, but that’s a better compromise from a privacy perspective than using an ad-supported service that collects your data and potentially exposes your internet activity,” he added.
At Ny Breaking, our experts regularly review VPN apps, so I suggest you check out our updated free VPN rankings. Our number 1 at the time of writing, PrivadoVPN, offers 10 GB of full-speed data every month, followed by unlimited usage via a single 1 Mbps location. Our number 2 pick, Proton VPN Free, has no data cap, but offers fewer locations.
There are also some premium VPNs that offer free plans for journalists, activists, NGOs and other people at high risk of surveillance and censorship, including Proton VPN, Surfshark and IPVanish. I suggest contacting these companies if you think you are at risk.
I also suggest making the most of free VPN trials. While Surfshark offers a seven-day free trial for Android users, other providers offer a 30-day money-back guarantee. This means that you have to pay the subscription fee up front to try out the product.
We test and assess VPN services in the context of legal recreational use. For example:
1. Accessing a service from another country (subject to the terms and conditions of that service).
2. Protect your online security and strengthen your online privacy abroad.
We do not support or tolerate the illegal or malicious use of VPN services. Consuming paid-for pirated content is not endorsed or condoned by Future Publishing.