Free VPN apps pose a privacy risk on both Android and iOS
Both Apple and Google are allowing numerous potentially unsafe free VPN apps to remain in their app stores despite being aware of the privacy risks, according to research from Top10VPN.com.
Among the string of serious privacy issues uncovered but not acted upon is the discovery that nearly 60 percent of the most popular free VPN apps are secretly Chinese-owned.
The study examined the 30 apps making up the top 20 search results for 'VPN' across the two app stores, digging deep into their ownership, professionalism and policies. It finds 59 percent of apps have hidden Chinese ownership, despite the strict VPN ban in China.
In addition, 77 percent of apps flagged as potentially unsafe in a previous study published late last year continue to pose a privacy risk and yet remain available for download. The potentially unsafe apps represent 67 percent of all those originally investigated. Downloads total over 210 million on the Play store and 3.8 million per month on the App Store.
Simon Migliano, head of research at Top10VPN.com, tells BetaNews:
It's clear from our research that Chinese companies have quietly cornered the market for free VPN smartphone apps. The issue with that is that it’s highly unlikely that these companies, whose apps have millions of installs, are operating without the Chinese government’s knowledge or tacit approval.
The question is why on earth would China permit these VPN services to operate given their extremely hostile stance on internet freedom and privacy, which includes a very strict ban on VPNs, unless they stood to benefit in some way?
Thanks to their leverage over the owners of these services, the Chinese government could potentially have access to the huge volumes of internet browsing data flowing through these VPN networks. This data is valuable for what it reveals about China's global rivals.
This would also certainly fit the broader pattern of covert intelligence gathering via consumer communications that China is suspected of, such as through the activities of Huawei and the infiltration of the US telecoms network, for example.
The lack of appropriate privacy policies for these VPN apps, or indeed policies that openly state data may be transferred to the Chinese mainland, don’t give users of these VPN services much reassurance that their data is safe. Nor does the lack of transparency about who operates these services or their connections to China.
Apple and Google need to grasp the nettle and tackle this problem head-on. If a VPN is operated by a Chinese company, they need to do proper due diligence on their fitness to operate such a sensitive service. Requiring proper logging and data retention policies that have been audited by third parties would also go a long way toward weeding out rogue -- or compromised -- operators.
In June Apple updated the rules that all iOS apps are required to follow in order to be allowed onto the App Store. As part of this, Apple explicitly acknowledged for the first time that VPN apps require stricter regulation than other apps and banned them from sharing any data with third parties.
However, Top10VPN's analysis of the privacy policies of the 20 most-downloaded free VPN apps shows at least 80 percent of those apps, with six million monthly downloads between them, appear to be in breach of the new rules but still remain available to download from the App Store.
Top10VPN.com has also updated its Free VPN Risk Index of the 150 most-downloaded free VPN apps in Google Play. It finds 74 percent of the 150 apps included in the index when it was first published continue to pose a risk to anyone using them. 54 percent of apps continue to have intrusive permissions while 53 percent have potentially unsafe functions hidden in their code. 21 percent of apps in the index tested positive for viruses or malware.
Since the first publication of the Risk Index in February, 70 percent of apps exposing user privacy due to DNS, WebRTC or IP leaks have plugged the leaks, still leaving seven percent with this security flaw.
You can find more details of the investigation on the Top10VPN.com site.