Research: Many free VPN apps for Android do not guarantee privacy

A survey of nearly 300 VPN apps on the Google Play Store found that such apps often fail to protect identity, ask for unnecessary permissions, and contain malware. In some cases, ads are even injected into traffic with Javascript.

Of the 283 free VPN apps for Android examined, 18 percent were found to have no encryption at all, enabling a man-in-the-middle attack on an unsecured network. 16 percent of apps injected code into web traffic for various purposes, two of which were to show ads. The vast majority of apps, 84 percent, do not protect IPv6 traffic and 66 percent did so with DNS data. About half use tracking libraries to map user behavior and a third of the apps contain malware.

The research comes from the University of New South Wales in collaboration with Berkeley. The researchers emphasize that the many comments on the VPN apps in the Play Store are not necessarily all evidence of malicious intent. Also, not every shortcoming means that the safety of the user is at risk. For example, in some cases, only the anonymity of the user is not guaranteed, although that is the motivation to install a VPN app.

Android has built-in support for VPN apps, which can easily handle all network traffic thanks to a certain permission. The researchers argue that it is important that Google reconsider this system and exercise more control over VPN apps because VPN services would not always be transparent even for technically savvy users.