More than 40% of all free Android VPNs are leaking personal data
ProPrivacy report suggests that millions of Android VPN users could be leaking personal information
Highlights
- 40% of all free VPNs in the Google Play Store leak personally identifiable information
- 81.4 million downloads of defective apps
- Millions of users worldwide could be at risk
- Developers creating multiple versions of defective apps
- ProPrivacy has launched a free & fully automated leak testing tool to help combat the rise in poor quality services
ProPrivacy analyzed the top 250 free VPN apps in the Google Play Store and found that more than 40% failed to adequately protect users’ privacy. Collectively, these apps, which falsely profess to protect privacy, represent some 81.4 million downloads.
VPN technology was once viewed as a niche product, used by the fringe members of society to shield malicious activity, but this is no longer the case.
The public’s relationship with digital privacy is changing. A number of watershed moments have occurred over the years; from the Edward Snowden revelations in 2013 to the Cambridge Analytica scandal in 2019, consumers have become acutely aware that their privacy is facing unprecedented attacks.
In March 2017, the US administration and FCC completely dismantled consumer privacy protections, allowing ISPs to track customers and sell data to third parties. This proved a tipping point and saw sharp increases in VPN uptake across the US.
The growing awareness of digital privacy has created a hugely lucrative opportunity. The combined VPN market is projected to reach in excess of US$50 billion by 2024, up from US$34 billion in 2018.
Consumer VPNs have been downloaded more than 1.25 billion times on the Google Play Store alone. Collectively, that’s more than Twitter, Snapchat, Skype and Microsoft Word.
VPNs have become big business, and everyone wants a piece of the pie. As is so often the case with high growth markets, there are also opportunists willing to take advantage of burgeoning consumer demand.
Investigation: How many free Android VPNs really work?
Consumer VPNs serve multiple purposes and are used by different people for different reasons. They are able to circumvent geo-restricted content, and this has made them enormously popular for accessing services like Netflix, which restricts much of its content based on region.
However, as their name suggests, their core function is to protect and maintain the privacy of the individual using the service. A VPN provider must be able to meet the technical challenges involved with masking the identity of its users. From privacy-conscious citizens at one end of the spectrum to dissidents, journalists and whistleblowers at the other, people rely on VPNs to work. If a VPN fails to meet basic technical requirements, the real-world consequences can be dire.
The costs involved with building and maintaining quality VPN infrastructure as well as a software client capable of safeguarding users are significant. In order to provide a sustainable, reliable and trustworthy service, these costs are almost always passed on to users in the form of subscriptions. There are a number of trustworthy services that do provide free plans, but these are generally paired with a premium plan and restricted in the form of bandwidth or data limits.
Despite the costs involved with building a functional service, mobile marketplaces are littered with VPN services purporting to be ‘free’. In some cases, these apps are used as a vehicle for legitimate advertising. In more sinister cases, they are honeypots, designed to harvest data to be sold on to third parties.
What we wanted to understand was if these applications worked at a technical level, so we carried out the most extensive audit of the Android VPN application market to date.
The Google Play Store is the largest mobile marketplace of its kind, with some 3.16 million apps available to consumers, nearly double Apple’s App Store (1.79 million).
We identified 4,970 VPN apps in the Google Play Store (included at bottom of report); however, the Google Play Store only pulls the top 250 apps based on any given query, so it was these apps that became the focus of the investigation.
Of those, 32 were premium (paid) services and were therefore discounted from the analysis. A further 14 were discounted as they were either not bona fide VPN services or could not be installed.
The remaining 204 VPNs were then installed in sandbox environments and extensively tested for a range of leaks using both IPv4 and IPv6 connections.
Test process:
- Download and install VPN to Android test device
- Connect to 4 different servers (or maximum available if fewer than 4)
- Run ProPrivacy Leak Test Tool for IPv4, IPv6, DNS and WebRTC
- Confirm results using ipleak.net
- Retest after 48 hours
The results were disturbing. Four in every ten VPNs tested had a leak. In total, we found 82 VPNs out of the 204 tested either did not provide an IPv4 address and could therefore not be deemed functional or were leaking data via IPv6 and/or WebRTC.
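The pass/fail logic behind a test process like the one above can be sketched in code. This is an added example, not ProPrivacy's tool or code: the `Observation` structure, the /64 comparison for IPv6 and the DNS heuristic are assumptions made here, and all addresses are constructed samples from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Observation:
    """One leak-test run: what the test server saw (hypothetical structure)."""
    ipv4: Optional[str]                 # public IPv4, None if no IPv4 answer
    ipv6: Optional[str]                 # public IPv6, None if no IPv6 route
    dns: List[str] = field(default_factory=list)     # resolvers that hit the test domain
    webrtc: List[str] = field(default_factory=list)  # hosts from WebRTC ICE candidates

def same_network(a: str, b: str) -> bool:
    """Exact match for IPv4; same /64 for IPv6, because privacy extensions
    rotate the host half while the ISP-assigned prefix stays put (assumption)."""
    try:
        x, y = ipaddress.ip_address(a), ipaddress.ip_address(b)
    except ValueError:                  # e.g. an mDNS ".local" ICE candidate
        return False
    if 4 in (x.version, y.version):     # mixed versions compare unequal
        return x == y
    net = lambda s: ipaddress.ip_network(f"{s}/64", strict=False)
    return net(a) == net(b)

def classify(baseline: Observation, vpn: Observation) -> dict:
    """Compare a VPN-on run with the VPN-off baseline."""
    real = [a for a in (baseline.ipv4, baseline.ipv6) if a]
    exposes = lambda addr: any(same_network(addr, r) for r in real)
    return {
        # No IPv4 through the tunnel, or the real IPv4 still visible.
        "ipv4_error": vpn.ipv4 is None or exposes(vpn.ipv4),
        "ipv6_leak": vpn.ipv6 is not None and exposes(vpn.ipv6),
        "dns_leak": any(r in baseline.dns for r in vpn.dns),
        "webrtc_leak": any(exposes(c) for c in vpn.webrtc),
    }

def audit(baseline: Observation, runs: List[Observation]) -> dict:
    """An app fails a check if any server or retest run fails it."""
    results = [classify(baseline, r) for r in runs]
    return {k: any(r[k] for r in results) for k in results[0]}

# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges).
BASELINE = Observation("198.51.100.23", "2001:db8:aa:1::5c", ["198.51.100.1"])
RUNS = [
    Observation("203.0.113.10", None, ["203.0.113.53"], ["10.8.0.2", "a1b2.local"]),
    # Tunnel carries IPv4 only; IPv6 still leaves via the ISP with a new host suffix.
    Observation("203.0.113.77", "2001:db8:aa:1:9f3e::2", ["203.0.113.53"]),
]
print(audit(BASELINE, RUNS))
```

The second run shows why an exact-address comparison is not enough for IPv6: the address differs from the baseline, yet it sits in the same ISP prefix and still identifies the user's connection.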
Leaking VPN apps by number of downloads
The rise of IPv6 and the impact on VPNs
The Internet Protocol (IP) is the foundation of the web. Every device is identified through its own IP address in order for internet communication to work.
The previous version of the protocol, IPv4, used a 32-bit addressing scheme, capable of supporting 4.3 billion devices. However, it became apparent more than 20 years ago that the internet was destined to grow beyond this limit and in 1998, the IETF created IPv6, which uses 128-bit addressing to support approximately 340 trillion trillion (or 2 to the 128th power) devices.
Many ISPs, websites and services still do not support IPv6. This is why many VPN service providers have neglected to address how IPv6 connections should be handled. However, IPv6 connectivity is on the rise. Data provided by Google suggests that between 25 and 30 percent of all its traffic is now IPv6.
Source: Google
High-quality VPN clients offer IPv6 leak protection. In most cases, this is done by disabling IPv6 at the system level to ensure IPv6 connections are simply not possible. A growing number of quality VPN providers now route IPv6 connections through the VPN interface.
Almost all (87 percent) of the leaks were related to IPv6, suggesting that Android developers are not mitigating against the growth of IPv6.
A further nine VPNs displayed WebRTC leaks. These services included two providers with over 5 million downloads each.
Based on average global adoption figures of the IPv6 standard, combined with the total number of monthly downloads, we estimate that as many as 39 million users have potentially leaked personal information over IPv6.
Developers releasing multiple versions of the same VPN
Another disturbing trend observed during testing was clusters of VPNs. Developers are releasing multiple instances of the same VPN under different names in order to capture as much traffic as possible. The VPNs use the same infrastructure, the same IP pools and the same client, but target different search terms within the Play Store.
There were also instances of multiple developer accounts using the same VPN infrastructure and client (app). In the most extreme case, we identified 141 VPNs, across three different developer accounts, all operating on the same flawed infrastructure. Collectively, these apps had some 100,000 downloads.
Results: Every leaking VPN on the Google Play Store
App name | Developer | Downloads | IPv4 error | IPv6 leak | DNS leak? |
---|---|---|---|---|---|
Free VPN - A Secure,Unlimited,Fast,Free VPN Proxy | Free VPN & Free Proxy | 1m+ | No | Yes | No |
TapVPN Free VPN | Mobbo | 10m+ | No | Yes | No |
UAE FastVPN Free Unlimited Secured Super Fast VPN | SuperApp Inc. | 1m+ | No | Yes | No |
Free VPN And Fast Connect - Hide your ip | ATH Software | 500k+ | No | Yes | No |
Vpn Free Unblocker unlimited | Royal Partner Company | 1m+ | No | Yes | No |
Owl VPN Free - Internet Freedom, Privacy & Safety | TheMainframe.Network | 100k+ | No | Yes | No |
Proguard VPN, Free, Super Speed, VPN Proxy | Invisible Net VPN | 100k+ | No | Yes | No |
Cat VPN Free – Unlimited VPN Proxy \| Fast & Secure | TheMainframe.Network | 100k+ | No | Yes | No |
Gulf Secure VPN | Gulf Secure VPN | 1m+ | No | Yes | No |
Free VPN Proxy: Secure Shield & Fast Hotspot | Mega Free Apps D | 500k+ | No | Yes | No |
Free & Unlimited VPN Proxy | Privatix Limited | 100k+ | No | Yes | No |
UK VPN | Super Vpn | 100k+ | No | Yes | No |
VPN Russia - get free Russian IP | AltApps | 500k+ | No | Yes | No |
Unblock Websites — VPN Proxy App | VEEPN, Corp. | 1m+ | No | Yes | No |
Invisible NET Free VPN - Fast VPN proxy | Invisible Net VPN | 500k+ | No | Yes | No |
USA VPN - Free VPN Proxy & Wi-Fi Security | World Vpn | 1m+ | No | Yes | No |
FastVPN - Free Secured Unlimited Fast Speed VPN | SuperApp Inc. | 1m+ | No | Yes | No |
Free VPN Proxy - Unlimited VPN, Security Free VPN | SEC VPN | 100k+ | No | No | No |
Fast VPN - Super Fast VPN Proxy Unblocker | Super Fast Proxy VPN | 500k+ | No | Yes | No |
Best VPN Proxy – Free VPN Unlimited – VPN Master | Real Tool Studio | 1m+ | No | Yes | No |
Pangolin VPN- Free VPN Proxy Unlimited Hotspot vpn | Speed+ Lab | 100k+ | No | No | No |
Star VPN | Star VPN | 500k+ | No | Yes | No |
Volt VPN | Volt VPN | 500k+ | No | No | No |
Unlimited VPN - A High Speed, Secure VPN! | Fast VPN LLC | 1m+ | No | Yes | No |
Free VPN : Power VPN - Unlimited VPN Hotspot | PowerVPN - Free, Unlimited & Secure VPN | 1m+ | No | Yes | No |
MaxVPN - Free Fast Connect & Unlimited VPN client | LVVMobile | 1m+ | No | Yes | No |
VPN One Click | Kryptotel fz llc | 5m+ | No | Yes | No |
Qatar VPN | Free Worldwide VPN | 100k+ | No | Yes | No |
VPN Private | Masters of VPN | 1m+ | No | Yes | No |
WORLD VPN - Free VPN proxy , Fast & Unlimited VPN | Free Vpn | 100k+ | No | Yes | No |
Best Free VPN - Delta VPN \| Unlimited VPN Hotspot | Intello Apps | 100k+ | No | Yes | No |
Fast VPN - Super Fast VPN Proxy Unblocker | Super Fast Proxy VPN | 500k+ | No | Yes | No |
Secure Web VPN | Secure Web | 1m+ | No | Yes | No |
OpenTun VPN - 100% Unlimited Free Fast VPN Client | Art Of Tunnel | 500k+ | No | Yes | No |
Smart VPN - Free VPN Proxy | 5Star Dev LTD | 500k+ | No | Yes | No |
Try2Catch VPN | MobiPlayLLC | 100k+ | No | No | No |
DroidVPN - Easy Android VPN | DroidVPN Inc. | 10m+ | No | Yes | No |
Bot Changer VPN - Free VPN Proxy & Wi-Fi Security | Bot Changer, Inc. | 1m+ | No | Yes | No |
VPN Tap2free – free VPN service | AltApps | 100k+ | No | Yes | No |
Daily VPN | Link Better World | 1m+ | No | No | No |
VPN Unlimited, Unblock Websites And IP Changer | Machelle Russaw | 5m+ | No | Yes | No |
Free IP Changer VPN Android Unlimited & Fast | Cyber VPN | 100k+ | No | Yes | No |
Free Unlimited VPN - USA, Canada, Europe, Latam | VPN.lat | 100k+ | No | Yes | No |
Free Unlimited VPN - USA, Canada, Europe, Latam | VPN.lat | 100k+ | No | Yes | No |
Shot VPN | Golden Dragon Ltd | 1m+ | No | Yes | No |
Ace VPN | Golden Dragon Ltd | 500k+ | No | Yes | No |
Armada VPN | Connect Anywhere | 500k+ | No | Yes | No |
BBVPN | Bogdan Borkovych | 50k+ | No | Yes | No |
BBVPN | Bogdan Borkovych | 50k+ | No | Yes | No |
VPN 365 - Unlimited Free VPN & Fast Security VPN | Better Proxy | 5m+ | No | Yes | No |
Solo VPN - One Tap Free Proxy | SoloVPN & NCleaner - Notification Cleaner | 10m+ | No | No | No |
Solo VPN - One Tap Free Proxy | SoloVPN & NCleaner - Notification Cleaner | 10m+ | No | No | No |
Free VPN - Super Unblock Proxy Master Hotspot VPN | Super VPN & Free Proxy | 1m+ | No | Yes | No |
CandyLink VPN - free, no ads | LionDev.io LTD | 50k+ | No | Yes | No |
Goat VPN - Secure VPN & Super Fast Free VPN Proxy | Goat VPN | 1m+ | No | Yes | No |
VPN Ukraine - Get Ukrainian IP or unblock sites | AltApps | 100k+ | No | Yes | No |
Best VPN Fast, Secure & Unlimited VPN Proxy | marketing66 | 10k+ | No | Yes | No |
VPN : Shuttle VPN, Free VPN, Unlimited Turbo VPN | Shuttle VPN | 100k+ | No | Yes | No |
GE VPN: Best Free Secure Vpn Proxy | GeorgianDev | 500k+ | No | Yes | No |
CyberGuard VPN \| Fast & Secure Free VPN - Proxy | Net Optimizer | 100k+ | No | Yes | No |
FishVPN – Unlimited Free VPN Proxy & Security VPN | Connect Anywhere | 1m+ | No | No | No |
Kiwi VPN: Connection For IP Changer, Unblock Sites | Fruit VPN - Better Connect | 5m+ | No | No | No |
Free VPN | marks duan | 100k+ | No | Yes | No |
USA VPN - Get free USA IP | AltApps | 500k+ | No | Yes | No |
Secure VPN Proxy - Hopper VPN Hotspot | Hopper VPN Official | 50k+ | No | Yes | No |
Free and Unlimited VPN - Safe, Secure, Private! | Gibli Mobile | 1m+ | Yes | Yes | No |
Fast VPN - A Secure, Free , Unlimited Proxy | Free VPN & Free Proxy | 100k+ | No | Yes | No |
Halley VPN | Golden Dragon Ltd | 100k+ | No | Yes | No |
VPN PotatoVPN - Free VPN WiFi Proxy | FASTPOTATO PTE. LTD | 100k+ | No | Yes | No |
VPN Malaysia - get free Malaysian IP | AltApps | 10k+ | No | Yes | No |
VPN France - get free French IP | AltApps | 10k+ | No | Yes | No |
VPN Israel - Get free Israeli IP | AltApps | 10k+ | No | Yes | No |
VPN Korea - free and fast Korean VPN | AltApps | 100k+ | No | Yes | No |
VPN Kazakhstan - get free Kazakhstan IP | AltApps | 1k+ | No | Yes | No |
VPN China - get free Chinese IP | AltApps | 100k+ | No | Yes | No |
VPN Australia - get free Australian IP | AltApps | 100k+ | No | Yes | No |
VPN India - get free Indian IP | AltApps | 100k+ | No | Yes | No |
VPN Canada - Get free Canadian IP | AltApps | 50k+ | No | Yes | No |
Flex VPN - Totally Free VPN | AltApps | 10k+ | No | Yes | No |
Introducing the ProPrivacy Leak Test Tool
Protecting privacy by empowering VPN users
The problem with VPN leaks is that they are not apparent to the end-user. For all intents and purposes, a VPN app can appear to be 100% operational and the user will not be aware that they are leaking potentially sensitive data.
For some users, this may be an acceptable risk. For others, such as those living under authoritarian regimes, the impact of a non-functioning VPN can be profound.
Our research suggests that some 39 million users worldwide have been impacted by these leaks in the Android ecosystem alone.
There are ways of testing VPNs to ensure they are properly protecting a user’s privacy, but without sufficient knowledge of the specific types of leaks and how to interpret the data, it can be difficult for the average consumer to verify the integrity of their chosen app.
To combat the growing number of leaks we’re seeing, particularly in mobile marketplaces, ProPrivacy has launched the first fully automated leak testing tool.
The web app holds the user’s hand through each step of the testing process and has fail-safes built in to minimize user error.
The results are presented in an easy-to-understand report that offers the user advice should a leak be detected.
Our hope is that, by removing some of the friction involved with testing for leaks, users will be empowered to demand more from their VPN and, in turn, providers will be incentivized to create quality products that meet the basic requirements of their customers.
You can access the ProPrivacy Leak Test Tool on any device or platform now.
Google Play Store Database (full version)
The Google Play Store only returns a maximum of 250 results. At ProPrivacy, we are committed to the betterment of the privacy community through open data. We have included a searchable table as well as access to the raw data of each and every VPN application we were able to identify within the Google Play Store.
You can download this raw data: here. Please include a link back to this report.