After big names like Whatsapp, Snapchat, and Facebook, VPNs are the most searched-for applications in the world. “VPN” is the second-highest non-branded search term behind “games”, and free apps completely dominate the search results. The most popular applications have amassed hundreds of millions of installs between them worldwide, yet there seems to be very little attention paid to the companies behind them, and very little scrutiny done on behalf of the marketplaces hosting them.
When someone opts to install a VPN on their device, they are essentially choosing to trust their data with that company instead of their ISP or wireless carrier. The VPN provider can inspect your traffic, modify it, log it, and if their policy permits, send or sell it elsewhere. Given the potential for this data to be abused, it’s critical that consumers choose their VPN provider wisely.
We investigated the top free VPN apps in the App Store and Google Play Store. We found that very few of these hugely popular apps do anywhere near enough to deserve the trust of those looking to protect their privacy online.
We recorded the top 20 free apps in the search results for “VPN” in the App and Play Store for UK and US locales. In total, these applications have been downloaded 80 million times from Google and 4 million times each month from Apple. For our full methodology and a list of every VPN investigated, see the full report.
Rather than the high standards consumers might expect Google and Apple to impose on developers in this highly sensitive category, we found the opposite. The majority of these apps stem from obscure and highly secretive companies that make a deliberate effort to obscure their information from consumers.
These VPN apps have been downloaded tens of millions of times from the world’s biggest app marketplaces, yet there is little-to-no information for users about the companies behind them and what they are doing with the huge volume of sensitive traffic that passes through their servers every day.
Our investigation discovered that over half of the top free VPN apps either have Chinese ownership or are actually based in China, which has aggressively clamped down on VPN services in recent years and maintains an iron grip on the internet within its borders. Furthermore, we found the majority of these apps have insufficient formal privacy protections and non-existent user support.
Ownership and Web Presence
Over half (59%) of the apps studied ultimately have Chinese ownership or are based in China, despite its strict ban on VPNs and its notorious internet surveillance regime. This raises questions about why these companies — which have such large international user bases — have been allowed to continue operating.
The Chinese-owned VPNs have been downloaded by users in the US, UK, Latin America, Middle East, and Canada. Three of the apps — TurboVPN, ProxyMaster and SnapVPN — were found to have linked ownership. In their privacy policy, they note: “Our business may require us to transfer your personal data to countries outside of the European Economic Area (“EEA”), including to countries such as the People’s Republic of China or Singapore.”
One of the apps, VPN Patron, is owned by IST Media, a Hong Kong-based company that markets itself in China as a mobile advertising company that monetises users’ internet behaviour.
Due to the great lengths these companies have gone to in order to hide their ultimate ownership, it’s often very challenging to verify who is actually behind these apps, and far beyond the means of the typical consumer to discover.
Similarly, 64% of these providers have no dedicated website or web presence, and over half of listed support emails were personal accounts such as Gmail or Yahoo addresses. Over 80% of our customer support requests were ignored.
Despite their opacity, these companies were able to gain credibility in the eyes of unwitting consumers by virtue of being approved by Apple and Google for listing in their app stores.
Privacy Policies, Tracking, User Logging
While the sheer popularity of these apps might be enough to convince most users that they are trustworthy, closer inspection reveals serious issues.
Legitimate VPNs, whether they are free or subscription-based, typically have detailed privacy policies that outline their practices and preclude them from monitoring and logging their users’ web traffic.
However, many of the most popular free VPN apps for mobile have nothing resembling this in their policies, and many have no policy at all. This highlights a disconcerting ambiguity about what is happening to huge volumes of user data, and raises concerns that millions of users around the globe are allowing unknown and potentially hostile entities to access their web traffic.
We found that 86% of these apps hosted on the App Store and Google Play had substandard privacy policies that were dangerously lacking or even invasive to user privacy. Some of these apps grant full access to users’ internet traffic, track users, and send data to Chinese third-parties. Data-points collected from users include websites visited, IP address (including user location), time and duration of browsing, independent device identifiers, email addresses, and more.
Common issues we found in privacy policies include:
o Tracking user activity
o Sharing user behaviour with third parties
o Lack of crucial detail around logging policies
o Generic policies with no VPN-specific terms
o No policy at all
o Explicitly sharing data with Chinese third parties
More than half of the privacy policies (55%) were hosted in an amateur fashion — including on free Wordpress sites with ads or plain text files on anonymous web pages — further compounding concerns about the legitimacy of these companies.
In the eyes of the consumer, every app on the official app store is effectively endorsed by Apple or Google as legitimate and safe to use. Yet given the extent of misinformation and obscurity surrounding these listings, it’s clear there can be but minimal oversight of this category.
Unsuspecting users are routing their entire mobile internet traffic through servers operated by these companies, most of whom offer no protection against the misuse of this data. This is a dereliction of duty from two of the world’s largest tech giants, whose lax controls are potentially leaving millions of customers open to wholesale data harvesting under the guise of online protection.
These findings also raise important questions as to why China allows these companies to operate in defiance of its strict laws prohibiting the use of VPN software, and with whom this data is shared once it is received.
Aside from the many questions raised by the discovery of this degree of Chinese influence in the area, these findings put pressure on Apple and Google to explain to consumers why they are approving apps from publishers with no web presence, minimal or misleading corporate information, and whose privacy policies are weak and at worst, anti-consumer.
In allowing these opaque and unprofessional companies to host potentially dangerous apps in their stores, Google and Apple demonstrate a failure to properly vet the publishers utilizing their platform and curate the software promoted therein. High-profile displays of privacy-conscious curation are fruitless if such little quality control is exerted over this poorly-run and potentially dangerous category of apps.