Skip to content
feed: live
>_ 0dayNews
mobile
Analysis

281 free Android VPNs, and a familiar audit outcome

A new study of 281 popular free Android VPN apps found traffic leaks, missing encryption, and tracking. The category has kept failing this test for years.

281 free Android VPNs, and a familiar audit outcome
Image: 0dayNews / 0dayNews Editorial · All rights reserved
kilobaud Dave "Kilobaud" Ferris · Published · 4 min read

A study of 281 of the most popular free VPN apps on Google Play ran the entire cohort through an automated test harness and found the category is still failing at the thing users install a VPN to do. The specific number in the summary reporting: 29 of the 281 apps let user traffic leak outside the tunnel, and the group of apps flagged with at least one problem accounts for a combined install base above 2.4 billion downloads. The problems the study catalogues — DNS leakage, missing or downgraded transport encryption, and third-party tracking libraries running alongside the tunnel — are not sophisticated. They are the ones a first audit would catch.

Analysis, not incident reporting. No specific vendor has been named in the coverage available at time of writing, and none of the flagged apps has yet been paired with a CVE or a coordinated advisory. What follows is commentary on the pattern the study fits into, not a technical review of the researchers’ methodology.

The category has been audited before

Free consumer VPN apps for Android and iOS have been audited by academics, by journalists, and by independent researchers for over a decade now, and the reports come out with a consistency the vendors themselves would envy. A widely-cited IMC 2016 paper on Android VPN permission-enabled apps examined a comparable-sized sample and reported that a substantial share of them injected tracking code into user traffic, ran without effective transport encryption, or bundled outright malware. Independent ownership audits published in the years since have repeatedly found that many of the most-installed free VPN apps on both stores trace back to a small handful of opaque shell companies with no published security-response process. The Hola VPN affair in 2015 — a free VPN that quietly turned its user base into an exit-node marketplace — was covered by every serious outlet in the field at the time, and produced roughly no lasting change in the category.

The current study is the same finding in a fresh sample. The delta on user behavior, ten years and several audits later, appears to be within measurement error.

Why the pattern persists

The uncharitable read is that the Play Store’s review pipeline does not enforce, and cannot practically enforce, what “VPN” is supposed to mean to a consumer downloading one. An app that requests the BIND_VPN_SERVICE permission agrees, by policy, to a set of documentation obligations and prohibited behaviors. The review process cannot verify at runtime that the tunnel actually encrypts, that DNS resolves through it, or that no third-party SDK is siphoning off destination hostnames for advertising joins. The listing gets the “VPN” badge because the developer declared the permission, not because the app earned the trust the badge signals to the person installing it.

The charitable read is that a free consumer app is a business built on a specific unit economy, and the parts of that economy that pay the rent are the ones the audits keep flagging: telemetry sold to data brokers, advertising joins, and the ability to inject content into user sessions. A vendor whose funding depends on those revenue streams has a straightforward incentive not to close the leaks. The category selects for it. An app that closed all of them would need to charge for the tunnel, and would then be a paid app competing against ProtonVPN and Mullvad on their own terms — a market the free-VPN entrants are conspicuously not in.

Both reads are compatible with the category’s continued failure to move on audit findings, and neither is particularly satisfying to the reader who installed one of the flagged apps to use hotel Wi-Fi.

What a reader is supposed to do with this

The useful reframing is that a free Android VPN, as a category, is not an anonymity tool or a privacy tool. It is a proxy with a lot of telemetry attached, and one that in a nontrivial percentage of cases does not encrypt the tunnel to the standard a reader assumes it does. That reframing does not require memorizing which of the 281 apps in the current study passed and which failed. It requires treating the category the way sysadmins have treated it for years — as suitable, at most, for defeating a geographic content restriction on a streaming service, and unsuitable for any threat model in which the operator of the VPN is not fully trusted.

For readers whose threat model does depend on the operator, the short list of alternatives has been short and stable for years. A paid VPN from an outfit with a published no-log audit and a defensible legal jurisdiction, or WireGuard to a VPS the reader controls, are the two categories that survive the same tests the free-app category keeps failing. The extra fifty or sixty dollars a year is the price of not being the product.

The pattern the study belongs to

Every consumer category that promises security as a marketing property, without an incentive structure that rewards actually delivering it, ends up looking like this one. The audits arrive on a cycle, the finding is roughly the same each time, and the reader who does the work of moving is not the reader who trusts the badge. The category persists because the badge continues to sell, not because the promise it implies has been re-earned since the last audit.

Read the study when it publishes in full. Uninstall the app whose entropy source, tunnel implementation, and revenue model are not names the reader can hold in their head at the same time. Do not treat the “VPN” label on a Play Store listing as a claim about the product’s behavior.

Sourcing

Found this useful? Share it.