More than 40% of all free Android VPNs are leaking personal data

ProPrivacy report suggests that millions of Android VPN users could be leaking personal information

Highlights

ProPrivacy analyzed the top 250 free VPN apps in the Google Play Store and found that more than 40% failed to adequately protect users’ privacy. Collectively, these apps, which falsely profess to protect privacy, represent some 81.4 million downloads.

VPN technology was once viewed as a niche product, used by the fringe members of society to shield malicious activity, but this is no longer the case.

The public’s relationship with digital privacy is changing. A number of watershed moments have occurred over the years; from the Edward Snowden revelations in 2013 to the Cambridge Analytica scandal in 2019, consumers have become acutely aware that their privacy is facing unprecedented attacks.

In March 2017, the US administration and FCC completely dismantled consumer privacy protections, allowing ISPs to track customers and sell data to third parties. This proved a tipping point and saw sharp increases in VPN uptake across the US. 

The growing awareness of digital privacy has created a hugely lucrative opportunity. The combined VPN market is projected to reach in excess of US$50 billion by 2024, up from US$34 billion in 2018.

Consumer VPNs have been downloaded more than 1.25 billion times on the Google Play Store alone. Collectively, that’s more than Twitter, Snapchat, Skype and Microsoft Word.

VPNs have become big business and everyone wants a piece of the pie. As is so often the case with high growth markets, there are also opportunists willing to take advantage of burgeoning consumer demand.

Copyright Policy

Please feel free to copy excerpts, embed our infographics, and use our data for your own stories. All that we ask is that you include a link to the report. Projects like this require a huge amount of resource, time & dedication.

Investigation: How many free Android VPNs really work?

Consumer VPNs serve multiple purposes and are used by different people for different reasons. They are able to circumvent geo-restricted content and this has made them enormously popular for accessing services like Netflix, which restricts much of its content based on region.

However, as their name suggests, their core function is to protect and maintain the privacy of the individual using the service. A VPN provider must be able to meet the technical challenges involved with masking the identity of its users. From privacy-conscious citizens at one of the spectrum to dissidents, journalists and whistleblowers at the other, people rely on VPNs to work. If it fails to meet basic technical requirements, the real-world consequences can be dire.

The costs involved with building and maintaining quality VPN infrastructure as well as a software client capable of safeguarding users are significant. In order to provide a sustainable, reliable and trustworthy service, these costs are almost always passed on to users in the form of subscriptions. There are a number of trustworthy services that do provide free plans, but these are generally paired with a premium plan and restricted in the form of bandwidth or data limits.

Despite the costs involved with building a functional service, mobile marketplaces are littered with VPN services purporting to be ‘free’. In some cases, these apps are often used as a vehicle for legitimate advertising. In more sinister cases, they are honetpots, designed to harvest data to be sold on to third parties.

What we wanted to understand was if these applications worked at a technical level, so we carried out the most extensive audit of the Android VPN application market to date.

The Google Play Store is the largest mobile marketplace of its kind with some 3.16 million apps available to consumers, nearly double Apple’s App Store (1.79 million).

We identified 4,970 VPN apps in the Google Play Store (included at bottom of report); however, the Google Play Store only pulls the top 250 apps based on any given query, so it was these apps that became the focus of the investigation.

Of those, 32 were premium (paid) services and were therefore discounted from analyses. A further 14 were discounted as they were either not bona fide VPN services or could not be installed.

The remaining 204 VPNs were then installed in sandbox environments and extensively tested for a range of leaks using both IPv4 and IPv6 connections.

Test process:

  1. Download and install VPN to Android test device
  2. Connect to 4 different servers (or maximum available if fewer than 4)
  3. Run ProPrivacy Leak Test Tool for IPv4, IPv6, DNS and WebRTC
  4. Confirm results using ipleak.net
  5. Retest after 48 hours

The results were disturbing. Four in every ten VPNs tested had a leak. In total, we found 82 VPNs out of the 204 tested either did not provide an IPv4 address and could therefore not be deemed functional or were leaking data via IPv6 and/or WebRTC.

Leaking VPN apps by number of downloads

The rise of IPv6 and the impact on VPNs

The Internet Protocol (IP) is the foundation of the web. Every device is identified through its own IP address in order for internet communication to work.

The previous version of the protocol, IPv4, used a 32-bit addressing scheme, capable of supporting 4.3 billion devices. However, it became apparent more than 20 years ago that the internet was destined to grow beyond this limit and in 1998, the IETF created IPv6, which uses 128-bit addressing to support approximately 340 trillion trillion (or 2 to the 128th power) devices. 

Many ISPs, websites and services still do not support IPv6. This is why many VPN service providers have neglected to address how IPv6 connections should be handled. However, IPv6 connectivity is on the rise. Data provided by Google suggests that between 25 and 30 percent of all its traffic is now IPv6.

IPv6 adoption

Source: Google

High-quality VPN clients offer IPv6 leak protection. In most cases, this is done by disabling IPv6 at the system level to ensure IPv6 connections are simply not possible. A growing number of quality VPN providers now route IPv6 connections through the VPN interface. 

Almost all (87 percent) of the leaks were related to IPv6, suggesting that Android developers are not mitigating against the growth of IPv6. 

A further nine VPNs displayed WebRTC leaks. These services included two providers with over 5 million downloads each.

Based on average global adoption figures of the IPv6 standard, combined with the total number of monthly downloads, we estimate that as many as 39 million users have potentially leaked personal information over IPv6.

leak test

Developers releasing multiple versions of the same VPN

Another disturbing trend observed during testing was clusters of VPNs. Developers are releasing multiple instances of the same VPN under different names in order to capture as much traffic as possible. The VPNs use the same infrastructure, the same IP pools and the same client but target different search terms within the Play Store.

There were also instances of multiple developer accounts using the same VPN infrastructure and client (app). In the most extreme case, we identified 141 VPNs, across three different developer accounts, all operating on the same flawed infrastructure. Collectively, these apps had some 100,000 downloads

 

Results: Every leaking VPN on the Google Play Store

App name Developer Downloads IPv4 error IPv6 leak DNS leak?
Free VPN - A Secure,Unlimited,Fast,Free VPN Proxy Free VPN & Free Proxy 1m+ No Yes No
TapVPN Free VPN Mobbo 10m+ No Yes No
UAE FastVPN Free Unlimited Secured Super Fast VPN SuperApp Inc. 1m+ No Yes No
Free VPN And Fast Connect - Hide your ip ATH Software 500k+ No Yes No
Vpn Free Unblocker unlimited Royal Partner Company 1m+ No Yes No
Owl VPN Free - Internet Freedom, Privacy & Safety TheMainframe.Network 100k+ No Yes No
Proguard VPN, Free, Super Speed, VPN Proxy Invisible Net VPN 100k+ No Yes No
Cat VPN Free – Unlimited VPN Proxy | Fast & Secure TheMainframe.Network 100k+ No Yes No
Gulf Secure VPN Gulf Secure VPN 1m+ No Yes No
Free VPN Proxy: Secure Shield & Fast Hotspot Mega Free Apps D 500k+ No Yes No
Free & Unlimited VPN Proxy Privatix Limited 100k+ No Yes No
UK VPN Super Vpn 100k+ No Yes No
VPN Russia - get free Russian IP AltApps 500k+ No Yes No
Unblock Websites — VPN Proxy App VEEPN, Corp. 1m+ No Yes No
Invisible NET Free VPN - Fast VPN proxy Invisible Net VPN 500k+ No Yes No
USA VPN - Free VPN Proxy & Wi-Fi Security World Vpn 1m+ No Yes No
FastVPN - Free Secured Unlimited Fast Speed VPN SuperApp Inc. 1m+ No Yes No
Free VPN Proxy - Unlimited VPN, Security Free VPN SEC VPN 100k+ No No No
Fast VPN - Super Fast VPN Proxy Unblocker Super Fast Proxy VPN 500k+ No Yes No
Best VPN Proxy – Free VPN Unlimited – VPN Master Real Tool Studio 1m+ No Yes No
Pangolin VPN- Free VPN Proxy Unlimited Hotspot vpn Speed+ Lab 100k+ No No No
Star VPN Star VPN 500k+ No Yes No
Volt VPN Volt VPN 500k+ No No No
Unlimited VPN - A High Speed, Secure VPN! Fast VPN LLC 1m+ No Yes No
Free VPN : Power VPN - Unlimited VPN Hotspot PowerVPN - Free, Unlimited & Secure VPN 1m+ No Yes No
MaxVPN - Free Fast Connect & Unlimited VPN client LVVMobile 1m+ No Yes No
VPN One Click Kryptotel fz llc 5m+ No Yes No
Qatar VPN Free Worldwide VPN 100k+ No Yes No
VPN Private Masters of VPN 1m+ No Yes No
WORLD VPN - Free VPN proxy , Fast & Unlimited VPN Free Vpn 100k+ No Yes No
Best Free VPN - Delta VPN | Unlimited VPN Hotspot Intello Apps 100k+ No Yes No
Fast VPN - Super Fast VPN Proxy Unblocker Super Fast Proxy VPN 500k+ No Yes No
Secure Web VPN Secure Web 1m+ No Yes No
OpenTun VPN - 100% Unlimited Free Fast VPN Client Art Of Tunnel 500k+ No Yes No
Smart VPN - Free VPN Proxy 5Star Dev LTD 500k+ No Yes No
Try2Catch VPN MobiPlayLLC 100k+ No No No
DroidVPN - Easy Android VPN DroidVPN Inc. 10m+ No Yes No
Bot Changer VPN - Free VPN Proxy & Wi-Fi Security Bot Changer, Inc. 1m+ No Yes No
VPN Tap2free – free VPN service AltApps 100k+ No Yes No
Daily VPN Link Better World 1m+ No No No
VPN Unlimited, Unblock Websites And IP Changer Machelle Russaw 5m+ No Yes No
Free IP Changer VPN Android Unlimited & Fast Cyber VPN 100k+ No Yes No
Free Unlimited VPN - USA, Canada, Europe, Latam VPN.lat 100k+ No Yes No
Free Unlimited VPN - USA, Canada, Europe, Latam VPN.lat 100k+ No Yes No
Shot VPN Golden Dragon Ltd 1m+ No Yes No
Ace VPN Golden Dragon Ltd 500k+ No Yes No
Armada VPN Connect Anywhere 500k+ No Yes No
BBVPN Bogdan Borkovych 50k+ No Yes No
BBVPN Bogdan Borkovych 50k+ No Yes No
VPN 365 - Unlimited Free VPN & Fast Security VPN Better Proxy 5m+ No Yes No
Solo VPN - One Tap Free Proxy SoloVPN & NCleaner - Notification Cleaner 10m+ No No No
Solo VPN - One Tap Free Proxy SoloVPN & NCleaner - Notification Cleaner 10m+ No No No
Free VPN - Super Unblock Proxy Master Hotspot VPN Super VPN & Free Proxy 1m+ No Yes No
CandyLink VPN - free, no ads LionDev.io LTD 50k+ No Yes No
Goat VPN - Secure VPN & Super Fast Free VPN Proxy Goat VPN 1m+ No Yes No
VPN Ukraine - Get Ukrainian IP or unblock sites AltApps 100k+ No Yes No
Best VPN Fast, Secure & Unlimited VPN Proxy marketing66 10k+ No Yes No
VPN : Shuttle VPN, Free VPN, Unlimited Turbo VPN Shuttle VPN 100k+ No Yes No
GE VPN: Best Free Secure Vpn Proxy GeorgianDev 500k+ No Yes No
CyberGuard VPN | Fast & Secure Free VPN - Proxy Net Optimizer 100k+ No Yes No
FishVPN – Unlimited Free VPN Proxy & Security VPN Connect Anywhere 1m+ No No No
Kiwi VPN: Connection For IP Changer, Unblock Sites Fruit VPN - Better Connect 5m+ No No No
Free VPN marks duan 100k+ No Yes No
USA VPN - Get free USA IP AltApps 500k+ No Yes No
Secure VPN Proxy - Hopper VPN Hotspot Hopper VPN Official 50k+ No Yes No
Free and Unlimited VPN - Safe, Secure, Private! Gibli Mobile 1m+ Yes Yes No
Fast VPN - A Secure, Free , Unlimited Proxy Free VPN & Free Proxy 100k+ No Yes No
Halley VPN Golden Dragon Ltd 100k+ No Yes No
VPN PotatoVPN - Free VPN WiFi Proxy FASTPOTATO PTE. LTD 100k+ No Yes No
VPN Malaysia - get free Malaysian IP AltApps 10k+ No Yes No
VPN France - get free French IP AltApps 10k+ No Yes No
VPN Israel - Get free Israeli IP AltApps 10k+ No Yes No
VPN Korea - free and fast Korean VPN AltApps 100k+ No Yes No
VPN Kazakhstan - get free Kazakhstan IP AltApps 1k+ No Yes No
VPN China - get free Chinese IP AltApps 100k+ No Yes No
VPN Australia - get free Australian IP AltApps 100k+ No Yes No
VPN India - get free Indian IP AltApps 100k+ No Yes No
VPN Canada - Get free Canadian IP AltApps 50k+ No Yes No
Flex VPN - Totally Free VPN AltApps 10k+ No Yes No

Introducing the ProPrivacy Leak Test Tool

Protecting privacy by empowering VPN users 

Leak Test Tool

The problem with VPN leaks is that they are not apparent to the end-user. For all intents and purposes, a VPN app can appear to be 100% operational and the user will not be aware that they are leaking potentially sensitive data.

For some users, this may be an acceptable risk. For others, such as those living under authoritarian regimes, the impact of a non-functioning VPN can be profound.  

Our research suggests that some 39 million users worldwide have been impacted by these leaks in the Android ecosystem alone.

There are ways of testing VPNs to ensure they are properly protecting a user’s privacy, but without sufficient knowledge of the specific types of leaks and how to interpret the data, it can be difficult for the average consumer to verify the integrity of their chosen app.

To combat the growing number of leaks we’re seeing, particularly in mobile marketplaces, ProPrivacy has launched the first fully automated leak testing tool.

The web app holds the user’s hand through each step of the testing process and has fail-safes built in the minimize user error.

The results are presented in an easy-to-understand report that offers the user advice should a leak be detected.

Our hope is that, by removing some of the friction involved with testing for leaks, users will be empowered to demand more from their VPN and, in turn, providers will be incentivized to create quality products that meet the basic requirements of their customers.  

You can access the ProPrivacy Leak Test Tool on any device or platform now.

Google Play Store Database (full version)

The Google Play Store only returns a maximum of 250 results. At ProPrivacy, we are committed to the betterment of the privacy community through open data. We have included a searchable table as well as access to the raw data of each and every VPN application we were able to identify within the Google Play Store.

You can download this raw data: here. Please include a link back to this report.