Analysis of Security in 100 Free VPN Apps for Android Platform

Top10VPN, a publication that reviews and tests VPN services, tested the 100 most popular free VPN applications for Android, which together account for more than 2.5 billion installations (the 100 free VPN apps with the largest recorded download counts in the Google Play catalog were selected). Main conclusions:

  • 88 of the tested apps have problems that lead to information leakage. In 83 apps, leaks were caused by queries to third-party DNS servers rather than the VPN provider’s own: Google DNS was used in 40 cases and Cloudflare in 14. In 79 apps, traffic could be sent outside the VPN tunnel. Several kinds of leak were found in 17 apps (disclosure of the user’s real IPv4 and IPv6 addresses to websites, DNS leaks and WebRTC leaks).
  • 11 apps were found to use outdated pseudo-random number generators. One app did not encrypt traffic at all. 35 apps used outdated cryptographic algorithms (only 20 used strong hashing). 23 apps allowed older TLS versions (TLS 1.0 and 1.1) when connecting to an external server during tunnel setup, and 6 allowed SSLv2.
  • 69 apps requested excessive permissions: 20 required access to location data (ACCESS_*_LOCATION), 46 to the list of installed apps (QUERY_ALL_PACKAGES), 9 to phone state (READ_PHONE_STATE, which on older Android versions also exposes the IMEI and IMSI), 82 requested the advertising identifier used for tracking across ad networks (com.google.android.gms.permission.AD_ID), and 10 tried to access the camera.
  • 53 apps contained third-party tracking code: 13 tracked location, 31 collected identifiers for advertising networks, and 22 checked which other apps were installed.
  • 80 apps used third-party libraries; 15 of them used libraries from Bytedance (TikTok) and 11 used Yandex libraries.
  • 84 apps included SDK components from marketing platforms or social networks, and 16 included 10 or more such components.
  • 32 apps accessed hardware capabilities and sensors in ways that could compromise privacy: 15 accessed the camera, 7 the microphone, 14 location mechanisms such as GPS, and 14 other sensors (gyroscope, proximity sensor, etc.).
  • 71 apps sent personal data to third-party services such as Facebook (47), Yandex (13) and VK (11). 37 disclosed device identifiers to third parties, 23 disclosed IP addresses, and 61 disclosed unique tracking identifiers. 19 apps sent telemetry with device and system information to the VPN provider’s servers, and 56 sent telemetry to third-party services such as Google (39), Facebook (17) and Yandex (9).
  • Malware was identified in 19 apps when scanned with the VirusTotal service, which runs more than 70 antivirus engines. 18 apps contacted domains, and 13 contacted IP addresses, that appear on blacklists of malicious hosts.
  • In 93 apps, the declared privacy labels did not match actual behaviour. 75 apps misreported how user data is collected, 64 misreported data sharing with third-party services, and 32 misreported the security measures used. Of the 65 apps labeled “No Data Sharing”, only 20 did not send data to third-party services, and of the 32 apps labeled “No Data Collection”, only two actually collected no data.
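The DNS and tunnel-bypass leaks counted above can be triaged from a packet capture taken on the device while the VPN app is connected. The script below is an added example, not part of the Top10VPN study or of any of the tested apps; it assumes a capture in the format `tcpdump -i any -nn` prints, a tunnel interface named `tun0`, and a VPN-pushed resolver at `10.8.0.1` (all hypothetical), and the capture lines are constructed for the example.

```python
"""DNS-leak triage over a tcpdump-style capture from an Android device.

Added example (not from the study). Assumptions, all hypothetical:
  - capture taken with `tcpdump -i any -nn`, so each line carries the interface
  - the VPN app creates `tun0` and pushes a single resolver, 10.8.0.1
"""
import re
from dataclasses import dataclass

TUNNEL_IFACES = {"tun0"}          # interface created by the VPN app (assumed)
VPN_RESOLVERS = {"10.8.0.1"}      # resolver the VPN pushes (assumed)
THIRD_PARTY_RESOLVERS = {         # well-known public resolvers named in the study
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "2001:4860:4860::8888": "Google", "2001:4860:4860::8844": "Google",
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
    "2606:4700:4700::1111": "Cloudflare", "2606:4700:4700::1001": "Cloudflare",
}
DNS_PORTS = {53, 853}             # plain DNS and DNS-over-TLS

# "<timestamp> <iface> <In|Out> IP|IP6 <src>.<sport> > <dst>.<dport>: ..."
LINE_RE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?:In|Out)\s+IP6?\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):"
)

# Constructed sample capture: one clean query, then three leaks of two kinds.
SAMPLE_CAPTURE = [
    "10:00:01.000001 tun0 Out IP 10.8.0.2.41000 > 10.8.0.1.53: 1+ A? example.com. (29)",
    "10:00:01.000002 tun0 Out IP 10.8.0.2.41001 > 8.8.8.8.53: 2+ A? ads.example.net. (33)",
    "10:00:01.000003 wlan0 Out IP 192.168.1.20.41002 > 1.1.1.1.53: 3+ A? cdn.example.org. (33)",
    "10:00:01.000004 wlan0 Out IP6 2001:db8::20.41003 > 2001:4860:4860::8888.53: 4+ AAAA? example.com. (29)",
    "10:00:01.000005 tun0 Out IP 10.8.0.2.41004 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0",
]


@dataclass(frozen=True)
class Finding:
    kind: str        # "bypass" (DNS left the device outside the tunnel) or "third_party_dns"
    iface: str
    resolver: str
    detail: str


def split_addr(token):
    """tcpdump prints 'addr.port' for IPv4 and IPv6 alike; the port follows the last dot."""
    host, _, port = token.rpartition(".")
    return host, int(port)


def triage(capture_lines):
    """Classify every DNS packet in the capture; non-DNS traffic is ignored."""
    findings = []
    for line in capture_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        dst, dport = split_addr(m.group("dst"))
        if dport not in DNS_PORTS:
            continue
        iface = m.group("iface")
        if iface not in TUNNEL_IFACES:
            # Leaves via the physical interface: the VPN did not capture this traffic.
            findings.append(Finding("bypass", iface, dst, "DNS sent outside the tunnel"))
        if dst not in VPN_RESOLVERS:
            # Even inside the tunnel, a third-party resolver sees every hostname looked up.
            who = THIRD_PARTY_RESOLVERS.get(dst, "unknown operator")
            findings.append(Finding("third_party_dns", iface, dst, f"resolver operated by {who}"))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'bypass': 2, 'third_party_dns': 3} for the sample."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_CAPTURE):
        print(f"{f.kind:16} iface={f.iface:6} resolver={f.resolver:22} {f.detail}")
    print(summarize(triage(SAMPLE_CAPTURE)))
```

Two caveats worth keeping in mind when running this on a real capture: the IPv6 query on `wlan0` is the typical shape of the IPv6 leak the study counts, because many VPN apps route only IPv4 into the tunnel, and the script catches it by interface rather than by address family; and DNS-over-HTTPS on port 443 is indistinguishable from ordinary HTTPS by port alone, so the resolver-address list has to carry that case.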
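The excessive-permission findings above are the kind of thing an auditor checks straight from an app's manifest before ever running it. The following Python script is an added example, not code from the study or from any tested app; it assumes the manifest has been decoded from the APK (for instance with `apktool d app.apk`), uses a hand-picked list of permissions that encodes the categories the study counted rather than its exact set, and the embedded manifest for the package `com.example.freevpn` is constructed for the example.

```python
"""Permission audit of a decoded AndroidManifest.xml for a VPN app.

Added example (not from the study). The flagged-permission list below is an
assumption modelled on the categories the study counted; the sample manifest
and package name are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions a VPN client has no business holding, with why each is a privacy problem.
SUSPECT_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while in background",
    "android.permission.QUERY_ALL_PACKAGES": "list of installed apps",
    "android.permission.READ_PHONE_STATE": "phone state (IMEI/IMSI on older Android)",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "com.google.android.gms.permission.AD_ID": "advertising identifier",
}

# Constructed manifest: what an over-privileged free VPN app typically declares.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <application android:label="Free VPN">
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return the requested permissions, the ones to flag, and whether a real
    VpnService is declared (a 'VPN' app without one is at best a proxy)."""
    root = ET.fromstring(xml_text)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested.update(el.get(NAME) for el in root.iter(tag))
    requested.discard(None)

    flagged = {p: SUSPECT_PERMISSIONS[p] for p in sorted(requested) if p in SUSPECT_PERMISSIONS}

    # Only a service guarded by BIND_VPN_SERVICE can actually own the tun device.
    declares_vpn_service = any(
        svc.get(PERMISSION) == "android.permission.BIND_VPN_SERVICE"
        for svc in root.iter("service")
    )
    return {
        "package": root.get("package"),
        "requested": sorted(requested),
        "flagged": flagged,
        "declares_vpn_service": declares_vpn_service,
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"], "declares VpnService:", report["declares_vpn_service"])
    for perm, why in report["flagged"].items():
        print(f"  FLAG {perm}: {why}")
```

Note that `QUERY_ALL_PACKAGES` is only one route to the installed-app list; a manifest can also enumerate specific packages in a `<queries>` element, so a clean result here should be read together with the tracking-SDK and telemetry findings rather than on its own.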
