Due to a combination of high-profile data breaches, the implementation of GDPR and a growing mistrust in how companies handle personal details, an awareness of the importance of data protection has taken hold in the consciousness of consumers and businesses alike.
As a result, people are increasingly taking action to protect their own private data, driving a huge uptick in the number of searches for privacy applications like VPNs (Virtual Private Networks). Much of this is happening in Google Play and Apple’s App Store - where the acronym ‘VPN’ has become the second highest non-branded search term, with these apps amassing hundreds of millions of downloads.
The unfortunate irony is that our recent investigations have revealed how these official marketplaces are failing their user-base by hosting apps with security flaws, gossamer-thin privacy policies and secretive operators with disconcerting associations.
Here are five reasons why these official stores offer a false sense of security when it comes to protecting your data:
Paying lip service to privacy
Of the 20 most popular free VPN apps in the two big app stores, 86% had privacy policies that fell well short for personal data protections. A technical analysis of the 150 biggest free VPN apps in Google Play also discovered that 85% were riddled with intrusive permissions or source code with the potential for privacy abuses. This would be worrying enough if we were talking about games or other entertainment apps, but in the case of VPNs - where users funnel all their internet traffic through servers operated by the app developer - these findings are deeply disconcerting.
Share and share alike
Typically, legitimate VPNs have ironclad privacy policies detailing how users’ internet traffic data is kept safe from logging or monitoring. With some of the apps we investigated, they actually stated explicitly that they transfer such data to China - where lots of these app-owners are based. Worse, there’s no knowing what the many VPN operators with detail-free policies are doing with the browsing data flowing through their servers.
Disconcerting associations
Speaking of China, six in ten of these apps has Chinese backing, with some even based in mainland China. Notorious for monitoring and censoring the internet, China has recently been cracking down aggressively, even jailing, local VPN operators. The fact that these apps continue to operate unmolested by the authorities raises red flags about their independence. It also begs the question why Apple and Google aren’t applying a stricter set of standards on apps with such links in order to protect their users.
Reactionary quality assurance
After the Cambridge Analytica scandal kicked up dirt on Facebook’s managing of personal data, Apple made a point of ejecting Facebook’s VPN-based app Onavo in what proved to be a PR hail mary. As for Google, it only seems to take action when its hand is forced; for example the recent high-profile removal of 85 apps containing malware. It’s clear that quality assurance in these app stores is a reactionary exercise - leaving potentially thousands of bad apps freely available until they attract negative PR.
A litmus test for the industry
Perhaps the most disconcerting aspect of our research was how deep we had to dig to find out about the companies behind these apps: far beyond the ability of the average consumer. With Apple and Google not performing due diligence and with users unable to do so, there’s something fundamentally wrong here. Our investigations are ultimately just a toe in the water of this industry, and raise serious questions about these marketplaces as arbiters of safe content.
- Simon Migliano is head of research at Top10VPN
