For individuals seeking extra privacy online or trying to access geo-blocked content, a virtual private network (or VPN) can seem like an ideal fix. VPN applications protect users by encrypting internet traffic and routing it through different countries. That makes it harder for hackers to intercept your connection, and can also fool Netflix into thinking you’re in a different country. However, these programs can also pose a risk to users.
A new analysis of nearly 300 Android VPNs found that 84 percent of those studied leaked users’ web traffic, 38 percent contained malware or malvertising, and 18 percent didn’t encrypt data at all. Three of the apps even directly intercepted traffic, allowing, for example, operators to read a users’ emails if they visited Gmail. (In these three cases, the developers claimed they intercepted traffic only in order to speed up the connections) You can see a list of the worst offenders when it came to malware below, while the report found Neopard, DashVPN, and DashNet intercepted traffic.
The report was compiled by security researchers from a number of institutions including the University of California at Berkeley and CSIRO, a federal research agency in Australia. Narseo Vallina-Rodriguez, a security researcher from IMDEA Networks and ICSI who co-authored the study, said he was not surprised by the findings. “To me, the shocking fact was that people trust this kind of technology,” Vallina-Rodriguez. He said in using these apps, individuals are just handing over their internet connections, and if the company handling this data isn’t trustworthy, they can get up to all sorts of mischief.
The threats posed by these leaky apps varies. In the case of those that didn’t encrypt traffic (usually a staple function of a VPN), it might leave someone’s connection open to snooping when using public Wi-Fi. With apps that inserted their own malware or malvertising, the threat might not necessarily be to the users’ data, but to their online experience — with a VPN replacing a website’s ads with their own, more intrusive versions.
The study focused on free VPN apps available on Android, but Vallina-Rodriguez says paying for a service isn’t necessarily a guarantee of security. With paid VPNs there isn’t an incentive to monetize users by selling on their data or inserting adverts, but users are still trusting a company with their internet traffic. Arguably, though, this is no different than trusting your ISP.
The report should be interpreted with a few caveats in mind. Firstly, the apps it studied were collected last year, with some already removed from the Play Store. And secondly, that it’s impossible to say for certain whether security holes appeared in apps for malicious reasons or not. “It’s often just ignorance,” says Vallina-Rodriguez. “A lack of knowledge.” The study didn’t cover VPNs on iOS either, although Vallina-Rodriguez suggests that the App Store’s more thorough vetting process might keep shadier operators out.
So what can users do to use a VPN safely? Well, paying for one is better than not, as it takes away an incentive for snooping. Using services that have been around for a while also helps. And if you absolutely must use a free VPN, avoid those which ask for too many permissions on your phone (like looking at your contacts) or that insert their own advertising — those are bad signs. A trustworthy VPN offers solid protection in many cases, but they can still be a risk.