Many free VPN apps on Android found to be unsafe, dubious

Are you using a free VPN on Android? You might just be better off without it, according to a new report.

VPNs are supposed to protect our privacy by encrypting our communications and routing them through a trusted third party.

However, a researcher says many of those offered for free do not necessarily work as advertised, or worse, do things that run counter to protecting users' privacy.

And these apps have been installed over 2.5 billion times globally.

Problems found

In a lengthy new report, key failures identified include:

1. Encryption failures, weak encryption

More than 1 in 10 free VPN Android apps suffered encryption failures, revealing details of websites to total exposure of Internet activity. Over a third utilised less-than-optimal encryption techniques.

2. VPNs that leak information

90% of free VPN Android apps leaked data they were not supposed to protect. 17 VPNs leaked more than DNS request data. Note: DNS data reveals the URL of websites visited, though not what is communicated.

3. Third-party tracking, data collection

More troubling is how many of the apps contained code used for third-party tracking: Think in terms of SDKs from Facebook and large adtech firms. More than a few asked to access cameras and location-tracking hardware.

Who's paying?

To be clear, the tested VPN services are offered for free. As with all things, if you are not paying, then perhaps your privacy is the product.

Of course, I'll also point out that a good VPN provider today might be acquired by a less scrupulous provider tomorrow - who can then push out new (bad) code via an update.

I'll also end off by noting that the author of the report, Simon Migliano, has a background in journalism and content, not cybersecurity.

Still, it isn't rocket science to inspect Android apps and sniff outgoing traffic. Do check out the full report here.

Do you use a VPN? How confident are you that your VPN provider is above board and works well?