The frightening truth behind free mobile VPN apps

Today, people often think of their smartphone as their most ‘personal computer’, and last year, we saw mobile internet usage surpass desktop usage. Those seeking greater privacy online often take a leap of faith and install a VPN onto their device with the expectation that all of their online activities will be less visible. However, the concern is that too often it is unclear how private their data will be.

Perhaps the greatest offenders in this respect are the free VPNs, both desktop and mobile, which use the information sent through them for analysis, ad targeting, and possible sale to third parties.

Mobile VPN providers represent a bigger potential worry, though, as they are happy to track their users’ every movement, using the phone’s sensors to provide a wealth of data including location (from the GPS) and level of activity (from the accelerometer). All of this, of course, is a veritable realization of ‘Big Brother’, which should certainly give us pause.

Free, but at what cost?

While the better VPNs are paid services, there’s no shortage of free ones. A quick search of the Google Play store for Android reveals dozens of choices, and many of them are highly rated with plenty of seemingly satisfied users. There’s no denying that a free VPN can be handy on certain occasions, such as to protect your data when using an insecure public Wi-Fi hotspot.

However, there is no such thing as a free lunch, as the saying goes, and any VPN that is offered at no cost needs to make some cash eventually to keep the lights on at its headquarters and to pay employees. We’ve previously discussed and debunked the myth that the free VPN is just as good as a paid service, and we wouldn’t recommend a freebie for most users as a permanent security solution when there are alternative choices available.

Just ask the users of Hola Free VPN Proxy, who got more than they bargained for back in 2015. Hola is a popular free VPN service, and some years back had amassed 47 million users – and still has one of the better rated Android apps on the Google Play store. Hola VPN was able to offer its service on the cheap as the company came up with an innovative (and lousy) solution to save on overheads.

A little explanation is needed here. The key to a VPN is the encrypted tunnel for the data to travel down, and this tunnel needs to end somewhere. A robust VPN has servers located throughout the world for exit points, but Hola didn’t have its own VPN servers, instead employing its users as potential ‘exit nodes’. In other words, the firm used a peer-to-peer model, so the data of other users would be going through your smartphone (and vice versa).

The problem was, however, that Hola was found to be reselling the idle resources of its users’ devices to others under the ‘Luminati’ brand, leading to accusations of Hola basically having a ‘9 million IP strong botnet’. So in this particular case, a free VPN service certainly had a higher price than most users would have suspected.

Hot potato

Furthermore, don’t think that Hola is an isolated case of a free VPN abusing its user base. In a more recent affair, Hotspot Shield, a popular VPN that offers a free service, was discovered to have a worrying issue following an investigation by the Center for Democracy & Technology (CDT), an online watchdog organization.

The CDT accused Hotspot Shield of logging user connection data, and using various other elements like location to better target adverts with its free VPN service. The organization further called for an investigation by the FTC regarding claims of redirecting internet traffic to partner websites (including online advertising firms). All of which is a far cry from maintaining the online privacy of users.

Hotspot Shield defended itself on several fronts, including assertions that it doesn’t store user IP addresses, and that it protects the user’s ‘personally identifiable information’ from itself and third parties – but the whole affair obviously caused a great deal of suspicion.

Privacy risks

These tales concerning the lack of security of mobile VPNs have caught the attention of researchers, and a recent article entitled ‘An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps’ looked at precisely this issue last year. After a comprehensive analysis of 238 VPN apps available on the Google Play store, the researchers reached several worrying conclusions:

  • 38% of the apps contained malware
  • 75% used third-party tracking libraries
  • 82% requested permission for access to resources on the smartphone including email and text messages
  • 18% did not disclose who is hosting the server at the end of the VPN tunnel
  • 16% did not use servers to forward traffic, but rather forwarded data through users in a peer-to-peer fashion
  • 18% of the VPN tunnels created did not use any encryption (defeating the entire point of a VPN)

Finally, it’s worth noting that two VPNs were found to inject code into the user’s traffic data for the purpose of advertisements and tracking.
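The permission finding above can be checked for any single app before it is trusted. The following is an added example, not code from this article or from the researchers: it reads a decoded AndroidManifest.xml, confirms the app declares a service guarded by Android's BIND_VPN_SERVICE permission, and lists the requested permissions that have nothing to do with tunnelling traffic. It assumes the manifest has already been decoded to text (for example with apktool); the SENSITIVE selection and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace prefix ElementTree uses for android:* attributes.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
VPN_PERMISSION = "android.permission.BIND_VPN_SERVICE"

# Permissions a VPN tunnel does not need; this selection is the example's choice.
SENSITIVE = {
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "text messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "device accounts",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "network location",
    "android.permission.READ_PHONE_STATE": "phone identifiers",
}

# Constructed sample manifest for a hypothetical app, not a real product.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return the VPN services and unrelated sensitive permissions of one app."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # A service that requires BIND_VPN_SERVICE is how an app plugs into
    # the Android VPN framework.
    vpn_services = [
        s.get(ANDROID_NS + "name")
        for s in root.iter("service")
        if s.get(ANDROID_NS + "permission") == VPN_PERMISSION
    ]
    return {
        "package": root.get("package"),
        "is_vpn_app": bool(vpn_services),
        "vpn_services": vpn_services,
        "sensitive": sorted(p for p in requested if p in SENSITIVE),
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"], "VPN app:", report["is_vpn_app"])
    for perm in report["sensitive"]:
        print("  unrelated to tunnelling:", perm, "->", SENSITIVE[perm])
```

A manifest check only shows what an app asks for; it says nothing about third-party tracking libraries or whether the tunnel is encrypted, which need code and traffic analysis.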

The moral of the story is you should definitely think twice when installing a mobile VPN, and it’s safest to stick to trusted providers (such as the ones we recommend in our best free VPN article). Otherwise, you could easily end up less secure than you would be if you literally did nothing – and there’s even the risk that a bad VPN app could install malware itself.