NEWS

Beware Cowboy Mobile VPN Apps

A new paper (.pdf) highlights the dangers of many free mobile VPN apps. Researchers studied 283 free Android VPN apps available through the Google Play Store. Many of these are very popular, and have been rated highly by their users. Alarmingly:

  • 75% of the apps tested use third-party tracking libraries.
  • 82% unnecessarily request permissions to access sensitive data. This includes user accounts and text messages.
  • 38% contain some form of malware (adware 43%, trojan 29%, malvertising 17%, riskware 6% and spyware 5%).
  • 18% do not even encrypt users’ data.
  • 18% provide no information on who is hosting the VPN servers.
  • 16% forward traffic through other users’ network bandwidth (à la Hola).
  • 84% expose the user’s real IP address via IPv6 DNS leaks.
  • 16% deploy non-transparent proxies that modify users’ HTTP traffic. This includes injecting JavaScript code for advertising and tracking purposes.
  • Four of the analysed apps perform TLS interception. Although three of these claim this is in order to perform traffic acceleration, this allows them to selectively intercept data sent to secure HTTPS such as banks, email services, e-commerce sites, and online tax return websites.

These figures are frankly shocking. All the more so because people use these apps in the belief that they will improve their online privacy and security!

Beware Cowboy Mobile VPN apps - Android VPN apps intrusive

DNS Resolvers

The researchers also found that,

Notably, 55% of the free apps (and 60% of premium apps) redirect user’s DNS queries to Google DNS whereas 7% of free and 10% of premium VPN apps forward DNS traffic to their own DNS resolvers.

It is not clear, however, whether DNS requests sent to Google or other third party DNS resolvers are proxied by the VPN providers. If so, the issue is not as problematic as it may first appear, as the identity of the person making the DNS request will be hidden from Google et al.

Of course, if the DNS requests are not being proxied, and are instead going direct to Google and the like, this is terrible news for privacy.

VPN Apps Are a Burgeoning Market, Ripe for Exploitation

Governments across the world are stepping up warrantless, blanket surveillance of their populations. Online companies scan our emails and track us as we surf the web in order to target ever more personalized ads at our browser windows. Copyright trolls track downloaders in order to threaten them into paying damage reparations.

Internet users are becoming increasingly aware of all this and, quite understandably, don’t like it. This has fuelled a huge rise of interest in VPN technology.

In theory, this is great, as VPNs (and VPN apps) can indeed help to counter these problems. However, this surge of interest in VPNs has also led to an increase in cowboy outfits keen to exploit this new trend.

Most Android Users Pick Apps Based on Two Factors

The first is the popularity of apps and the star rating given to them by other users on the Play Store. These indicators simply cannot be trusted, however, because the people downloading the apps and leaving reviews do not have the technical competence to assess the privacy and security implications of using these apps.

This explains why, despite the paper’s damning findings when analyzing these apps, 37% of them have more than 500,000 installs, and 25% of them receive at least a four-star rating from users!

VPN apps complaints

Here we can clearly see that app reviewers on the Play Store are much more concerned about bugs and battery life than with privacy and security issues.

The second criteria is price, and most people’s favorite price by far is FREE! That’s all well and good, but running a VPN service is a costly and time consuming business. So no-one, and I mean no-one, is going to do it for free.

If you are not paying for a service in hard currency then it is making money from you in some other way.  “There ain’t no such thing as a free lunch,” and, “if you aren’t paying for a product then you are the product” are both appropriate adages here.

So How Can I Stay Safe?

As long as you understand their limitations, VPN apps are still a great way to improve your privacy and security when using an Android device. The important thing is to choose a good app from a reputable VPN provider. This is admittedly easier said than done. The following advice should help, however.

1. Avoid free VPN apps. As discussed above, if you are not paying for the product then you are the product. Reputable commercial VPN services can be had for under $5 per month.

2. If you really must use a free VPN app, understand how the service finances itself. Reputable free VPN services do exist, but these are invariably very restricted. They are offered in the hope of enticing you to pay for an unrestricted premium service. This might be annoying, but it is, at least, transparent. Please see our list of recommended free services.

3. Check out provider reviews on BestVPN.com (of course!). If a provider is, in general, well regarded, then its app is likely to be secure.

Android VPN apps viruses
4. Avoid the myriad otherwise unheard-of, app-only, VPN services out there. They are most probably cowboys.

5. Use the OpenVPN for Android app by Arne Schwabe instead of custom VPN apps. This open source VPN client is officially recommend by the OpenVPN project. It is very secure and includes IPV4, IPv6, and WebRTC leak protection. It can even be configured to act as a kill switch.

The app uses regular OpenVPN configuration files, and so can be used with any regular commercial VPN service that offers OpenVPN. Note that although the app is free to download, you will need to sign up for a VPN service in order to use it (unless you run your own VPN server).

You will still need to trust your VPN provider, of course, but at least this way you can be 100% sure that the app you are using is secure.

Mobile VPN Apps: Conclusion

The researchers focused exclusively on Android apps, and free ones at that (although some offered in-app purchases for premium products). There some aspects about the way Android works that make it very easy to create rogue Android apps, but many of the problems discovered will almost certainly exist in iOS apps as well.

The best way to avoid VPN apps that compromise, rather than enhance, your online privacy and security is to do some research, and only use apps from reputable, paid-for VPN providers. As the old Roman saying goes, caveat emptor – it is the buyer’s responsibility to check the quality and suitability of a product before buying it. This applies even more when the cost is not obvious.


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

Related Coverage

More

12 responses to “Beware Cowboy Mobile VPN Apps

  1. Hi, iam a first time user and need a safe VPN system which I can work on my android phone using 4g mobile data.

    I also seek to make calls from the country’s server I have chosen. For eg. if I choose the UK server I should be able to make calls and whatsapp from a UK number. Is that doable ?

    Please help as iam new to this VPN concept and do not wish to waste money by choosing the wrong app. Please suggest an app which will be suitable. I would be grateful indeed.

    Thank you in advance.

  2. I have been trying to find a vpn for my home computer. I don’t trust the online reviews. Can you recommend one or at least a list of honest reviewed vpn’s. Thanks

  3. What’s weird for a VPN is to use google dns resolvers, even behind a proxy or whatever.

    Google blocks lots of domains, some sites are not listed! Which criteria?
    Censorship, nothing else!

    But it does not seems to surprise anyone…

    1. Hi moureau.me,

      To be honest, I don’t really see the problem with using Google DNS if the DNS requests are proxied by the VPN provider. Google will simply see that the requests come from the VPN provider. If you feel that I am missing something important here, I am happy to discuss the issue.

  4. Hi. I use Cyberghost VPN, on my PC and Android, but I have a paid plan for it. But after reading your article I became concerned with my privacy. Can you recommend if I should change my paid VPN service from Cyberghost to another one? Thanks.

  5. I am very surprised to see CyberGhost VPN in the list of abusive/malicious apps. I have used CyberGhost for years without a problem, both free and paid subscriptions. CyberGhost has their own DNS servers, they don’t leak IP via IPv6 and seem very committed to privacy according to their privacy policy and ‘mission statement’. I will have to investigate this claim further.

    1. Hi Mike,

      If you find out anything interesting, please do get back to us! It might be worth noting that this is not the first time CyberGhost has been pulled up for dubious practices.

    1. Hi Chris,

      The green boxes are just hyperlink indicators to references in the report .pdf. If you are interested in checking them out, you can download the report.

Leave a Reply

Your email address will not be published. Required fields are marked *