Free Mobile VPN Security Holes

Category: Privacy

Are you using a VPN (virtual private network) app on your mobile phone, with the understanding that it provides privacy and anonymity for your online activities? It may be having the opposite effect. An investigation of free mobile VPN apps reveals widespread potential privacy leaks, and even malware that can log users’ activity – the very thing a VPN is supposed to prevent. Read on to learn what problems were found and what VPN apps are free of them...

Problems With Free VPN Apps

I always try to translate technospeak into plain English, so let's start with a definition and an explanation. A VPN (Virtual Private Network) is a service that lets you access the Internet anonymously by routing your requests through a server that fetches information and relays it back to you. You tell the VPN what web page you want, the VPN fetches it, and sends it back to you. The website knows only that the VPN visited, not you. Not even your Internet service provider can see your online activity.

This investigation of free VPN apps was conducted by Metric Labs, Ltd., of London. The firm’s main business is the site, which helps users find a paid VPN service that meets their needs. Metric Labs makes commission money when a user buys VPN service, so it is not an independent source of information. But I believe their analysis is still worth heeding.

Metric’s investigation of the top 150 free VPN apps for Android found that about one in five apps contain code that may be malware, while one-quarter of the apps have user privacy bugs such as DNS leaks and location logging. There have been more than 260 million downloads of the top 150 apps worldwide.

DNS leaks were found in 38 of the 150 apps. Simon Migliano, chief security researcher for Metric, explained DNS leaks: “This security flaw occurs when a VPN fails to force DNS requests through its encrypted tunnel to its own DNS servers and instead permits the DNS requests to be made directly to the default ISP DNS servers. Even though the rest of a user’s traffic is concealed, such a leak exposes a user’s browsing history to their ISP and any third-party DNS server operator that it may use.”

If that still sounds a little geeky, let me explain further. A DNS (domain name service) request is used to translate a website name (ie: into the numeric address needed to connect you to that site. A VPN should always cloak your DNS requests, but some are failing to do that, which can reveal to outsiders what sites you are visiting. And that's a privacy fail. A VPN is supposed to hide ALL of your activity.
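The leak described above can be checked from a packet capture taken while the VPN is connected. The following is an added example, not code from this article or from Metric Labs' report; the interface names `tun0` (VPN tunnel) and `wlan0` (Wi-Fi), the one-line-per-packet record format, and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample: one outbound packet per line as "interface dst_ip proto dst_port".
# tun0 is assumed to be the VPN tunnel, wlan0 the physical Wi-Fi link.
CAPTURE = """\
tun0 10.8.0.1 udp 53
wlan0 203.0.113.10 udp 1194
wlan0 192.0.2.53 udp 53
tun0 198.51.100.7 tcp 443
wlan0 192.0.2.53 tcp 53
"""

DNS_PORT = 53  # plain-text DNS, readable by anyone on the path


def find_dns_leaks(capture, tunnel_if="tun0", vpn_endpoints=()):
    """Return (interface, resolver, proto, port) for DNS packets sent outside the tunnel."""
    endpoints = {ipaddress.ip_address(e) for e in vpn_endpoints}
    leaks = []
    for lineno, line in enumerate(capture.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        iface, dst, proto, port = fields[0], ipaddress.ip_address(fields[1]), fields[2], int(fields[3])
        if port != DNS_PORT or iface == tunnel_if:
            continue  # not DNS, or DNS that stayed inside the encrypted tunnel
        if dst in endpoints:
            continue  # VPN server listening on port 53: tunnel traffic, not a lookup
        leaks.append((iface, str(dst), proto, port))
    return leaks


def leaked_resolvers(capture, **kwargs):
    """Distinct resolver addresses that received DNS queries outside the tunnel."""
    return sorted({leak[1] for leak in find_dns_leaks(capture, **kwargs)})


if __name__ == "__main__":
    for leak in find_dns_leaks(CAPTURE):
        print("DNS leak:", leak)
```

Any resolver this reports is seeing the site names being looked up, even though the page contents still travel through the tunnel.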

The 150 apps were uploaded to TotalVirus, a service that uses 60 antivirus engines to detect sketchy code. Twenty-seven of them (18%) tested positive for potential viruses or malware.

Intrusive permissions were requested by a majority of the free VPN apps. “None of these permissions is necessary for the core functions of a VPN and each has the potential for privacy abuses,” says Metric Labs’ report. The permissions most often found involved reading/writing of external storage, accessing location data, and reading a device’s state including its phone number, whether a call is in progress, and the phone number being called.

Privacy-risking Java commands and functions were found in many free VPN apps. These functions, according to Metric Labs, serve no obvious purpose in a VPN and could be exploited to invade privacy. Examples are getLastKnownLocation (found in 87 apps), java/lang/Runtime;->exec (48 apps, executes system commands), and getDeviceId (45 apps, reads device’s phone number, operating system version, and other info).
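The same two checks (permissions and risky function calls) can be run on an app you have unpacked yourself. This is an added example, not Metric Labs' tooling: it assumes the app has already been decoded to a text AndroidManifest.xml and smali files, the mapping from the report's permission categories to Android permission names is my own, and the sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping of the report's permission categories to Android permission names.
RISKY_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "external storage",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_PHONE_STATE": "phone state",
}
# The three calls named in the article, as they appear in decompiled smali.
RISKY_CALLS = {
    "getLastKnownLocation": re.compile(r"->getLastKnownLocation\("),
    "Runtime.exec": re.compile(r"Ljava/lang/Runtime;->exec\("),
    "getDeviceId": re.compile(r"->getDeviceId\("),
}
# Constructed sample inputs (not taken from any real app).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""
SAMPLE_SMALI = """\
invoke-virtual {v0, v1}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
invoke-virtual {v2, v3}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
invoke-virtual {v4}, Ljava/net/Socket;->close()V"""


def audit_manifest(manifest_xml):
    """Map each requested permission that is on the watch list to its category."""
    root = ET.fromstring(manifest_xml)
    requested = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {name: RISKY_PERMISSIONS[name] for name in requested if name in RISKY_PERMISSIONS}


def audit_smali(smali_text):
    """Map each watched call to the 1-based line numbers where it is invoked."""
    hits = {}
    for lineno, line in enumerate(smali_text.splitlines(), 1):
        for label, pattern in RISKY_CALLS.items():
            if pattern.search(line):
                hits.setdefault(label, []).append(lineno)
    return hits


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
    print(audit_smali(SAMPLE_SMALI))
```

A hit means the app can do the thing, not that it does anything harmful with it; it tells you where to look next.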

While it’s tempting to name and shame the free VPN apps that have major flaws, it seems more constructive to highlight apps that do not. Below are some apps that had no leaks, virus/malware infections, intrusive/risky permissions, or privacy-risking Java code. You can read the full report here.

The apps on this list are not guaranteed to be 100% safe. They may be, but they may also harbor other flaws. Last November, Metric Labs revealed that more than half of the top 20 VPN services are run by secretive, Chinese-owned companies with weak or non-existent privacy policies. Several of those privacy policies explicitly stated that they DO share data with China!

Are paid VPN services any better? Metric Labs did not test the apps of any paid services, so we don’t know. But Metric’s report on free VPN apps proves that you get what you pay for.

Personally, I don't feel the need to use a VPN app on my phone. Almost all websites use HTTPS for encrypted connections, so I'm not worried about someone intercepting my emails or online banking information. The only added privacy a VPN would provide is to hide my actual IP address from the websites I visit, and I'm not concerned about that either.

A VPN service can be used to get around blocks imposed by content providers or the user's own government. Netflix and Hulu Plus, for example, do not allow connections from outside the USA. So users in other countries have used VPNs located in the USA to gain access. Users in China are forbidden from accessing many "Western" websites such as Twitter, YouTube, and Facebook. By using a VPN server, they can (sometimes) get around those blocks.

Do you use a VPN? If so, why? Your thoughts on this topic are welcome. Post your comment or question below...


This article was posted by on 24 Jan 2019


Most recent comments on "Free Mobile VPN Security Holes"

Posted by:

24 Jan 2019

I use a VPN on my PC when I travel, just so I can use hotel and restaurant wifi. But, I don't use one on my phone because I assume (naively?) that the phone network is fairly secure. I am sure Verizon logs my location but I hope they are not sharing or using it for bad purposes.

Posted by:

Ken Mitchell
24 Jan 2019

The key, important thing to remember about "free" software is that if you did not PAY for the program, then YOU are what's being sold.

Posted by:

24 Jan 2019

I have used Betternet's free service using their proxy extension on my Chromebook to see how it performs (and for a few torrent downloads when CBS Sports screwed up my scheduled DVR recording of programming). It seems to work well although it does slow down things, but I imagine that would occur to some degree with any VPN service.

On my phone, I am using Cloudflare's DNS resolver service. While not really a VPN, it does send DNS requests to Cloudflare's DNS resolver over a secure channel and they promise to not log your DNS requests or sell that info to another party. Apparently that promise is backed up by audits by KPMG. So while the actual traffic is not necessarily encrypted, a third party looking at your connection would not know where it came from or where it's going to.

I keep kicking around the idea of signing up for a paid VPN, such as Private Internet Access.

Posted by:

24 Jan 2019

I use a paid VPN (through a local server) when traveling because I don't want anyone to conclude from my internet activities that I'm not at home.

Posted by:

24 Jan 2019

If you were on wifi without a phone VPN, couldn't someone on the LAN sniff out your login information before the https connection is established with the website?

Posted by:

24 Jan 2019

The fact that Metric Labs only tested free VPN services but not the paid ones that they receive compensation for recommending, reduces the credibility of their website.

Posted by:

24 Jan 2019

While I use PIA paid subscription, I would recommend Proton VPN as one of the best free VPN services.

Posted by:

Dr. Sheldon Cooper
24 Jan 2019

I've been using F-Secure Freedome for nearly 2 years - no complaints!!!

Posted by:

24 Jan 2019

I think this report shows the dangers of free VPNs, and come on, I pay 2$/month for Surfshark so that's really affordable. Before picking a VPN I've read a lot of reviews and the one that formed my opinion was an independent audit that Surfshark went through to check their Chrome/Firefox extensions security. The results were positive with 0 leaks, it formed my trust and only then I was happy enough to buy it. I'd advise everyone reading a lot about a VPN you're planning to buy.

Posted by:

Bob Duncan
24 Jan 2019

I have never used a VPN, free or paid. I do my own maintenance and troubleshooting when needed, do no online banking and try to keep away from suspicious emails and don't use APS!

Posted by:

24 Jan 2019

Hi Bob.

I'm a little bit puzzled. You wrote that Metric investigated 'the top 150 free VPN apps' but the linked page has a list of 30 apps (with 22 aliases between them, most of which consist of the app name plus a description). On that page I could not even find a number in the range 140 to 159 so where did you get 150 from?

Only two of your list of 7 leakless apps are mentioned in the top10vpn report, each with some suspicious characteristics:
Betternet - incomplete transparency about ownership;
VPN 360 - a 'casual and detail-light approach to privacy'.

I wonder on what grounds you (apparently) recommend these seven, if anything in addition to the absence of leaks; and whether the five seem any more trustworthy than the two investigated by Metric.

Posted by:

25 Jan 2019

I use a VPN as I live half the year in Thailand. I found that there are many US sites that I cannot visit and even state agencies are often blocked. For me a VPN is much less about security and more about being virtually in the United States. BTW, I don't do Netflix or Hulu or anything else and I only use Pandora when I'm back there. It is essential to use many sites, especially ones run by the government. One would be surprised at some others though, such as I don't know why they would block foreigners, but they do. I just downloaded Tunnelbear and like it, but also have Proton, and one called CP VPN which I will be looking at a little harder after reading this article.


Copyright © 2005 - Bob Rankin - All Rights Reserved

Article information: AskBobRankin -- Free Mobile VPN Security Holes (Posted: 24 Jan 2019)