Security Analysis of 100 Free VPN Apps for Android

The publication Top10VPN, which specializes in reviewing and testing VPN services, conducted an analysis of the 100 most popular free VPN apps for Android. These apps collectively have over 2.5 billion installs (the selection was based on the highest download counts in the Google Play catalog). Here are the main findings:

  • 88 out of the tested apps had issues that could lead to information leaks.
  • 83 apps leaked data due to using third-party DNS servers (not the VPN provider’s servers). For example, Google DNS was used in 40 cases, and Cloudflare in 14.
  • 79 apps did not prevent traffic from bypassing the VPN tunnel.
  • 17 apps had multiple types of leaks at once (such as exposing the user’s original IPv4 and IPv6 addresses, DNS leaks, and WebRTC leaks).
  • 11 apps used outdated pseudorandom number generators.
  • One app did not use any traffic encryption at all.
  • 35 apps used outdated cryptographic algorithms (only 20 apps used reliable hashing methods).
  • 23 apps allowed the use of old TLS versions (older than TLSv3) when establishing a VPN tunnel, and 6 apps used SSLv2.

Excessive Permissions and Third-Party Components

  • 69 apps requested excessive permissions. For example:
    • 20 apps requested access to location data (ACCESS_*_LOCATION).
    • 46 apps requested access to the list of installed apps (QUERY_ALL_PACKAGES).
    • 9 apps requested access to phone state (READ_PHONE_STATE), which can reveal IMEI and IMSI.
    • 82 apps requested unique identifiers for ad networks (ACCESS_ADVERTISEMENTS_ID).
    • 10 apps tried to access the camera.
  • 53 apps used proprietary third-party functionality, such as:
    • 13 apps included code for location tracking.
    • 31 apps collected identifiers for ad networks.
    • 22 apps checked for other installed apps.
  • 80 apps used third-party libraries, including 15 with Bytedance (TikTok) libraries and 11 with Yandex libraries.
  • 84 apps included SDK components from marketing platforms or social networks, with 16 apps containing 10 or more such components.
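As an added example (not code from Top10VPN's report or from any of the tested apps), the script below flags the permission classes listed above in an AndroidManifest.xml. The sample manifest is constructed; the real Google Play Services advertising-ID permission string (com.google.android.gms.permission.AD_ID) is checked alongside the ACCESS_ADVERTISEMENTS_ID name used in the findings.

```python
import fnmatch
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission patterns taken from the findings above. Shell-style wildcards
# cover ACCESS_FINE/COARSE/BACKGROUND_LOCATION; the ACCESS_ADVERTISEMENTS_ID
# entry mirrors the report's naming and is kept as an alias of AD_ID.
RISKY_PERMISSIONS = {
    "location": ["android.permission.ACCESS_*_LOCATION"],
    "installed_apps": ["android.permission.QUERY_ALL_PACKAGES"],
    "phone_state": ["android.permission.READ_PHONE_STATE"],
    "advertising_id": ["com.google.android.gms.permission.AD_ID",
                       "*.ACCESS_ADVERTISEMENTS_ID"],
    "camera": ["android.permission.CAMERA"],
}

def audit_manifest(manifest_xml: str) -> dict:
    """Return {category: [matching permission names]} for a manifest string."""
    root = ET.fromstring(manifest_xml)
    declared = [el.get(ANDROID_NS + "name", "")
                for el in root.iter("uses-permission")]
    hits = {}
    for category, patterns in RISKY_PERMISSIONS.items():
        matched = sorted(p for p in declared
                         if any(fnmatch.fnmatchcase(p, pat) for pat in patterns))
        if matched:
            hits[category] = matched
    return hits

# Constructed sample: a VPN client needs INTERNET (plus BIND_VPN_SERVICE on
# its service element); every other permission here is excess for that role.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
</manifest>"""

if __name__ == "__main__":
    for category, perms in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{category}: {', '.join(perms)}")
```

The same function can be pointed at a manifest extracted from an APK with apktool or aapt to compare an app's declared permissions against what a VPN client actually needs.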

Access to Hardware and Data Sharing

  • 32 apps accessed hardware features and sensors that could compromise privacy:
    • 15 accessed the camera.
    • 7 accessed the microphone.
    • 14 accessed location mechanisms like GPS.
    • 14 accessed sensors (gyroscope, proximity sensor, etc.).
  • 71 apps sent personal data to third-party services such as Facebook (47), Yandex (13), and VK (11).
  • 37 apps shared device identifiers with third parties, 23 shared IP addresses, and 61 shared unique tracking identifiers.
  • 19 apps sent device and system telemetry to the VPN provider’s servers, while 56 sent it to third-party services like Google (39), Facebook (17), and Yandex (9).

Malware and Privacy Policy Issues

  • 19 apps were flagged for malware by VirusTotal, which uses over 70 antivirus engines.
  • 18 apps connected to domains, and 13 to IP addresses, that are blacklisted as malicious hosts or addresses.
  • 93 apps had discrepancies between their stated privacy labels and their actual practices.
  • 75 apps provided incorrect information about user data collection methods, 64 about data sharing with third parties, and 32 about their security measures.
  • Of 65 apps labeled “No Data Sharing,” only 20 actually did not share data with third parties. Of 32 apps labeled “No Data Collection,” only two met the requirements for that label.
