New Study Warns Several Free iOS and Android VPN Apps Leak Data


Millions who rely on free mobile Virtual Private Network (VPN) apps for online privacy may actually be putting their data at greater risk, according to new research by Zimperium zLabs. In a study of nearly 800 free VPN apps for Android and iOS, researchers found many not only fail to protect users but also expose them to serious security and privacy threats.

Critical Flaws Discovered:

The zLabs team found that a substantial share of these apps exhibit dangerous behaviour: some leak personal data, while many others offer “no real privacy at all.” A major concern the researchers flagged is that developers ship severely outdated, known-vulnerable software components.

For example, the analysis found three VPN apps still bundling an outdated OpenSSL build, leaving them exposed to the infamous Heartbleed bug (CVE-2014-0160). That flaw, disclosed in April 2014 and affecting OpenSSL 1.0.1 through 1.0.1f, lets a remote attacker read chunks of the peer’s process memory over TLS, which can contain private keys, session cookies, usernames and passwords.

About 1% of the apps were vulnerable to man-in-the-middle (MitM) attacks, which let an attacker on the network path intercept and read all of the user’s traffic, precisely what a VPN exists to prevent. Shipping an app with a decade-old, long-patched flaw points to a serious lack of security diligence.
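One practical way to catch the Heartbleed-era OpenSSL case described above is to scan an app’s bundled native libraries (for an Android app, the .so files under lib/ in the unzipped APK) for the version string OpenSSL embeds in libssl/libcrypto. The following is an added example written for this page, not code from Zimperium or from any of the apps studied; the sample byte strings are constructed to resemble library fragments, and the check treats plain 1.0.1 through 1.0.1f as vulnerable (1.0.1g shipped the fix).

```python
"""Scan binary data for embedded OpenSSL version strings and flag Heartbleed-era builds."""
import re

# OpenSSL embeds OPENSSL_VERSION_TEXT, e.g. b"OpenSSL 1.0.1f 6 Jan 2014", in libssl/libcrypto.
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)")

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g contains the fix.
HEARTBLEED_FIXED_LETTER = "g"


def is_heartbleed_vulnerable(version: str, letter: str) -> bool:
    """True for 1.0.1 (no letter) through 1.0.1f; every other release line is unaffected."""
    if version != "1.0.1":
        return False
    return letter < HEARTBLEED_FIXED_LETTER  # "" < "g", "f" < "g", "g"/"h"/... are not


def find_openssl_versions(blob: bytes) -> list[tuple[str, str]]:
    """Return the distinct (version, patch letter) pairs found in the blob, in order of appearance."""
    seen: list[tuple[str, str]] = []
    for m in VERSION_RE.finditer(blob):
        pair = (m.group(1).decode(), m.group(2).decode())
        if pair not in seen:
            seen.append(pair)
    return seen


def audit(blob: bytes) -> dict:
    """Summarise every OpenSSL version string in the blob and which of them are Heartbleed-vulnerable."""
    versions = find_openssl_versions(blob)
    return {
        "versions": [f"{v}{l}" for v, l in versions],
        "heartbleed": [f"{v}{l}" for v, l in versions if is_heartbleed_vulnerable(v, l)],
    }


def audit_file(path: str) -> dict:
    """Convenience wrapper: audit a native library on disk (e.g. lib/arm64-v8a/libssl.so)."""
    with open(path, "rb") as f:
        return audit(f.read())


# Constructed sample inputs (not real app binaries): fragments resembling two native libraries.
SAMPLE_OLD = b"\x00\x00OpenSSL 1.0.1f 6 Jan 2014\x00...\x00SSLv3 part of OpenSSL 1.0.1f\x00"
SAMPLE_NEW = b"\x00OpenSSL 3.0.13 30 Jan 2024\x00"

if __name__ == "__main__":
    print(audit(SAMPLE_OLD))  # one vulnerable build: 1.0.1f
    print(audit(SAMPLE_NEW))  # nothing flagged
```

The version string is a heuristic, not proof: a stripped or patched build can carry a misleading string, so a hit should be confirmed with a TLS-level heartbeat probe against the app’s own server connection, and a miss does not clear a library that statically links OpenSSL under a different name.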

Excessive Permissions and Surveillance:

Further probing revealed that many apps also request powerful access they have no need for, a practice known as permission abuse. For instance, an iOS VPN app asking for “always-on” location access (LOCATION_ALWAYS) makes no sense: a VPN’s job is to secure traffic, not to track the user’s physical location around the clock.

Source: Zimperium

Similarly, some Android apps requested the ability to read all system logs (READ_LOGS), which could allow them to build a full profile of a user’s behaviour and effectively operate as a “sophisticated keylogger.” Android has not granted READ_LOGS to ordinary third-party apps since version 4.1, so the request is unlikely to succeed on a current device, but declaring it at all signals intent that has nothing to do with tunnelling traffic.

Other apps asked for microphone access, system log access, or screen-capture capability, handing the app provider a surveillance vector well beyond the product’s stated function.
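The permission checks above can be automated over a decoded AndroidManifest.xml (the APK’s manifest is binary XML, so decode it first, for example with apktool). The following is an added example written for this page, not Zimperium’s tooling; the sample manifest is constructed, the baseline set of permissions a plain VPN client needs is this example’s assumption, and the red-flag list is taken from the permissions the article calls out plus a couple of obvious neighbours.

```python
"""Audit a decoded AndroidManifest.xml for permissions a VPN client has no business requesting."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Assumed baseline: what a plain VPN client legitimately needs (example assumption, not an Android rule).
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
}

# Permissions that give the provider a surveillance vector unrelated to tunnelling traffic.
RED_FLAGS = {
    "android.permission.READ_LOGS": "read all system logs (not granted to third-party apps since 4.1)",
    "android.permission.RECORD_AUDIO": "microphone access",
    "android.permission.ACCESS_FINE_LOCATION": "precise location tracking",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while the app is not in use",
    "android.permission.READ_CONTACTS": "contact list access",
}


def requested_permissions(root: ET.Element) -> list[str]:
    """All <uses-permission android:name=...> entries directly under <manifest>."""
    return [el.get(NAME_ATTR) for el in root.findall("uses-permission") if el.get(NAME_ATTR)]


def declares_vpn_service(root: ET.Element) -> bool:
    """A real VpnService must be declared with android:permission=BIND_VPN_SERVICE."""
    return any(
        svc.get(PERMISSION_ATTR) == "android.permission.BIND_VPN_SERVICE"
        for svc in root.iter("service")
    )


def audit_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    return {
        "requested": perms,
        "red_flags": {p: RED_FLAGS[p] for p in perms if p in RED_FLAGS},
        "unexpected": sorted(p for p in perms if p not in EXPECTED and p not in RED_FLAGS),
        "has_vpn_service": declares_vpn_service(root),
    }


# Constructed sample manifest (not from any real app) for a hypothetical "free VPN".
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Free VPN">
    <service android:name=".TunnelService" android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

In the sample, READ_LOGS and RECORD_AUDIO land in red_flags, READ_PHONE_STATE is reported as unexpected for a VPN client, and the BIND_VPN_SERVICE check confirms the app at least declares a genuine tunnel service; an app requesting VPN-style trust without that declaration deserves its own question.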

Non-Transparent Privacy Practices:

According to Zimperium zLabs’ blog post, the researchers found a prevalent lack of transparency among the inspected apps, which undermines users’ ability to give informed consent to the data being collected. Even on Apple’s App Store, 25% of the iOS VPN apps lacked a valid privacy manifest, the PrivacyInfo.xcprivacy file Apple requires so that an app declares what data it collects, whether that data is used for tracking, and which sensitive APIs it calls.

Source: Zimperium

Additionally, over 6% of these iOS apps requested private entitlements: Apple-reserved capabilities (the com.apple.private.* namespace) that grant deep access to the operating system and are never legitimately available to third-party developers.
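Both of the iOS findings above can be checked from an unpacked IPA: PrivacyInfo.xcprivacy sits in the app bundle, and the signed entitlements can be dumped with codesign -d --entitlements on macOS. The following is an added example written for this page, not Zimperium’s tooling or Apple’s; both plists are constructed, the private entitlement name is a placeholder, and “complete” here means all four top-level privacy-manifest keys Apple defines are present, which is this example’s completeness criterion rather than Apple’s review rule.

```python
"""Check an iOS privacy manifest for completeness and an entitlements plist for private entitlements."""
import plistlib

# The four top-level keys Apple defines for PrivacyInfo.xcprivacy.
PRIVACY_MANIFEST_KEYS = (
    "NSPrivacyTracking",
    "NSPrivacyTrackingDomains",
    "NSPrivacyCollectedDataTypes",
    "NSPrivacyAccessedAPITypes",
)

# Apple reserves this namespace for its own apps; App Store apps cannot legitimately hold these.
PRIVATE_ENTITLEMENT_PREFIX = "com.apple.private."


def check_privacy_manifest(plist_bytes: bytes) -> dict:
    """Parse PrivacyInfo.xcprivacy and report missing keys, tracking flag and declared data types."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed or non-plist content counts as "no valid manifest"
        return {"complete": False, "reason": f"unparseable plist: {exc}"}
    if not isinstance(data, dict):
        return {"complete": False, "reason": "top level is not a dictionary"}
    missing = [k for k in PRIVACY_MANIFEST_KEYS if k not in data]
    collected = [
        entry.get("NSPrivacyCollectedDataType")
        for entry in data.get("NSPrivacyCollectedDataTypes", [])
        if isinstance(entry, dict)
    ]
    tracking = bool(data.get("NSPrivacyTracking"))
    return {
        "complete": not missing,
        "missing": missing,
        "tracking": tracking,
        # Declaring tracking without listing tracking domains is a red flag in its own right.
        "tracking_without_domains": tracking and not data.get("NSPrivacyTrackingDomains"),
        "collected": collected,
    }


def private_entitlements(plist_bytes: bytes) -> list[str]:
    """Entitlement keys in Apple's private namespace, sorted for stable reporting."""
    entitlements = plistlib.loads(plist_bytes)
    return sorted(k for k in entitlements if k.startswith(PRIVATE_ENTITLEMENT_PREFIX))


# Constructed sample manifest (not from a real app): declares tracking, omits two required keys.
SAMPLE_PRIVACY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyTracking</key><true/>
  <key>NSPrivacyCollectedDataTypes</key>
  <array><dict>
    <key>NSPrivacyCollectedDataType</key><string>NSPrivacyCollectedDataTypeDeviceID</string>
    <key>NSPrivacyCollectedDataTypeLinked</key><true/>
    <key>NSPrivacyCollectedDataTypeTracking</key><true/>
    <key>NSPrivacyCollectedDataTypePurposes</key>
    <array><string>NSPrivacyCollectedDataTypePurposeThirdPartyAdvertising</string></array>
  </dict></array>
</dict></plist>"""

# Constructed sample entitlements: a genuine packet-tunnel VPN entitlement plus a placeholder private one.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key><string>ABCDE12345.com.example.freevpn</string>
  <key>com.apple.developer.networking.networkextension</key>
  <array><string>packet-tunnel-provider</string></array>
  <key>com.apple.private.example.placeholder</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(check_privacy_manifest(SAMPLE_PRIVACY))
    print(private_entitlements(SAMPLE_ENTITLEMENTS))
```

A missing or unparseable file is reported the same way the study counts it, as no valid manifest; the entitlement check is only meaningful on the signed bundle, since a private entitlement in an unsigned Xcode project never survives App Store signing.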

For companies that let staff use personal devices for work (Bring-Your-Own-Device, or BYOD, policies), these insecure VPNs can become the weakest link, exposing sensitive business data to unnecessary risk. Ultimately, with free mobile VPNs, the tool assumed to be protecting your privacy may be the biggest risk to your data.

“Organizations need a multi-layered response. Endpoint visibility and management is table stakes. Some organizations will evaluate the risk and tackle this through application allowlisting, while others may favor a more permissive approach. However, what is rapidly becoming a requirement is the need for web content-level data security,” said Brandon Tarbet, Director, IT & Security at Menlo Security.

This need is underscored by how personal VPN providers position and market the supposed security benefits of their products, Tarbet warned. “There is a real need for data protection at the content level, and a market that wants to be able to trust their connection to websites and services. The key is shifting from a perimeter-based security mindset (such as with VPNs) to content-level protection that works even when traditional visibility is compromised,” he urged.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.