Researchers analyzed 281 popular free VPN applications on the Google Play Store and found significant privacy and security shortcomings. The study, conducted by teams from the University of Michigan, the University of New Mexico, and IIT Delhi using a framework called MVPNalyzer, revealed that flagged apps had over 2.4 billion downloads. Key findings included:
- Five apps transmitted configuration files unencrypted, allowing attackers to intercept and modify them.
- 29 apps allowed user traffic to leak outside the encrypted tunnel, with 24 leaking DNS traffic and six leaking full browsing traffic.
- 169 apps made no effort to disguise their traffic, making it identifiable to network operators or government censors.
- 76 apps transmitted the device's Advertising ID to advertisers, and over 80% contacted known advertising and tracking servers.
- Only one of 108 OpenVPN configurations adhered to recommended security practices; 89% used a single authentication method, and nearly 20% employed outdated encryption techniques.
- Many apps passed through Play Store checks without adequate scrutiny, with safety labels often serving as marketing tools rather than security indicators.
These findings align with previous research highlighting similar issues in popular Android VPN apps. Users are advised to be cautious when selecting VPNs, prioritizing those with recent independent security audits.