Study of 281 Free Android VPN Apps Finds Traffic Leaks, Unencrypted Data, and Tracking

In a recent analysis of 281 popular free VPN applications available on the Google Play Store, researchers have unveiled significant shortcomings in their ability to protect user privacy and security. The study, conducted by teams from the University of Michigan, the University of New Mexico, and IIT Delhi, utilized a novel testing framework named MVPNalyzer. This system is designed to systematically audit Android VPN apps, marking a significant advancement from previous studies focused on desktop VPN software.

The findings are concerning, particularly given that the flagged apps have collectively been downloaded over 2.4 billion times. Many of the identified issues are fundamental, undermining the very purpose for which users install VPNs—to keep their internet traffic private and secure.

The most serious flaw: tunnel hijacking

Among the most alarming discoveries were five apps that transmitted their configuration files in unencrypted form. This vulnerability allows an attacker on the same network, such as a public Wi-Fi operator, to intercept and modify the file, potentially redirecting users to malicious servers. The researchers successfully demonstrated this attack on devices under their control, prompting them to prioritize alerts to the affected providers. Two of the five responded, committing to secure their configuration file transfers via HTTPS, while the remaining three have yet to acknowledge the issue.

Leaks, and apps that hide nothing

The analysis also revealed that 29 apps allowed user traffic to leak outside the encrypted tunnel, with 24 of these leaking DNS traffic that could expose users’ browsing habits. These problematic apps account for approximately 360 million installations. Additionally, six apps were found to leak full browsing traffic, while four operated without any encryption at all. Alarmingly, 169 apps made no effort to disguise their traffic, making them easily identifiable to network operators or government censors—an especially risky situation for users in regions where VPN usage is scrutinized.

Tracking, from the apps built to stop it

Ironically, many users turn to VPNs to evade tracking, yet the study found that 76 of the apps transmitted the device’s Advertising ID to advertisers. Over 80% of the tested apps contacted known advertising and tracking servers, often sending additional information such as device model and operating system details. While these data points may seem innocuous individually, they can collectively create a unique fingerprint that identifies a specific device. Alarmingly, one app even transmitted the user’s precise GPS coordinates.

Weak setups under the hood

Further scrutiny of the OpenVPN configuration files from 108 apps revealed that only one adhered to all recommended security practices. A staggering 89% relied on a single authentication method, while nearly 20% employed outdated encryption techniques, including the vulnerable Blowfish cipher. Some configurations even disabled encryption altogether, exposing users to significant risks.

The root of these issues appears to stem from a lack of maintenance and oversight, as many of these apps pass through the Play Store’s automated checks without adequate scrutiny. Despite their presence among top search results, the safety labels and “Verified” badges offered by Google often serve more as marketing tools than genuine indicators of security.

This is not a one-off

These findings echo similar concerns raised by other research. A study conducted by the University of Toronto’s Citizen Lab and Arizona State University in August 2025 highlighted that several popular Android VPN apps were interconnected, shared hard-coded passwords, and collected location data without user consent. Additionally, a report from mobile security firm Zimperium in October 2025 revealed that some free VPN apps still included outdated versions of the OpenSSL library, vulnerable to the notorious Heartbleed bug.

What users can do

Given that the most critical flaws—such as the unencrypted configuration file fetch and weak tunnel settings—are not visible to users, it is essential to approach VPN selection with caution. Users should prioritize providers that offer recent independent security audits and be wary of free apps laden with advertisements. Claims of being “verified” or “no-logs” should be treated as starting points for further investigation rather than definitive proof of security.

The researchers have compiled a list of all flagged apps in the appendix of their study, allowing users to verify whether their chosen VPN is among those identified. Plans are underway to make the MVPNalyzer framework publicly available, enabling app stores and regulators to conduct their own assessments. As the evidence mounts, the need for vigilance in the VPN market becomes increasingly clear.

AppWizard
Study of 281 Free Android VPN Apps Finds Traffic Leaks, Unencrypted Data, and Tracking