SuperVPN Free VPN Client is a hugely popular free VPN app for Android. Its Google Play page reports between 50 and 100 million installs, and as we write it has a 4.3 rating from more than 650,000 users.
You can install and use the app for free, and there are no restrictions for the first 20 days (although you will see lots of ads). After that, VPN sessions are automatically disconnected after 60 minutes. You can start a new session with a tap.
- Want to try SuperVPN Free VPN Client? Download it here
The free service limits your locations to France, Germany, Canada and the US. Upgrading to the VPN account gets you servers in the UK, Japan, Singapore and Hong Kong, too.
Prices starts at $5 for a single month, falling to $2.86 on the annual plan (which is actually $60 to cover 21 months, as you get nine for free.) That's not bad, but keep in mind that it just covers a single device. NordVPN's three-year plan costs $2.99 a month to cover up to five, and that can include any mix of PCs, Macs and iPhones.
Free VPN apps aren't generally a good choice for privacy as there's usually little data on who runs them, or what they might be doing with your information. Would SuperVPN Free VPN Client be different, we wondered? Let's see.
The app has a developer (SuperSoftTech) that doesn't appear to have a website, and isn't mentioned anywhere except in reference to this app. That's a common trick, presumably an attempt to hide the real identity of the developer, but if a VPN wants to earn trust then it needs to be more open, honest and transparent.
In this case, at least, the developer isn't difficult to find. SuperVPN's contact email address is listed as goanalyticsapp.gmail.com, which a quick Google check tells us belonged to Jinrong Zheng, the developer responsible for LinkVPN and several other apps. A little more searching finds a page about the app, with the goanalyticsapp.gmail.com email, and an address in Beijing.
The first is the closest the document gets to a logging policy:
"We do not monitor your traffic. The only thing we monitor if the IPs you are using to enter our servers are not blacklisted in respected Black lists databases, like spamhaus.org."
That leaves plenty of scope for session logging – incoming and outgoing IP addresses, connection times, locations, device ID, bandwidth used – although if you've not handed over any personal details, these won't easily be linked back to you.
After trying to reassure users that the service isn't collecting information on them, the document spoils it a little with this paragraph:
"Where we keep your information – We keep all information on highly secured servers based in United Kingdom and USA. All Information might be transferred to other servers we could use and we will take reasonably care with these possible transfers."
So, despite the lack of logging, the developer has enough information on you to justify explaining where it's all stored? Doesn't make much sense to us.
An alternative interpretation might be that this clause was thrown in to make it look like SuperVPN is UK or US-based, and so a little more appealing to the average European and North American user. Whether that's true or not, there's nothing here that makes the app appear more trustworthy.
The small print aside, there are other privacy concerns about SuperVPN. It uses ads, for instance, which means your device will be interacting with other platforms. Checking the raw APK file shows it uses services relating to Google Analytics and Facebook's ad system. That may not have any practical privacy impact for most people, but it's another tracking element that you won't get in a commercial VPN.
The app has been criticized in multiple reports over recent years. For example, in 2016 Australian researchers CSIRO found that SuperVPN was flagged as malware by 13 engines at VirusTotal, the third highest score out of a field of 234. They were mostly classing it as adware-like rather than anything truly dangerous, and that still means most engines thought it was safe (and as we write its VirusTotal score is zero), but this indicates the app may be doing things differently to many other VPNs.
A 2016 Vulners report listed many other SuperVPN vulnerabilities and problems. We have no idea if the report was accurate, and the vulnerabilities may have been fixed in the meantime, anyway, but this is still a concern.
There's another potential issue in the app's permissions. It needs access to Device & App History (get running apps, read sensitive log data), Identity and Contacts, Location, Photos/Media/Files, Storage, Wi-Fi Connection Information and Device ID and Call Information. That covers the rights to see installed apps, browsing history, profile data and your file system.
Now contrast that with the permissions required by ExpressVPN's app. This is the full set: view Wi-Fi connections, receive data from Internet, view network connections, full network access, run at startup, control vibration, prevent device from sleeping.
ExpressVPN's permissions are all clearly related to network or device management, with nothing suspect at all. SuperVPN requests a host of more sensitive permissions which don't have any obvious connection to VPNs, but do give it access to lots of your data. We're struggling to think of a good reason to accept this, especially when we've no real idea who is behind the app.
SuperVPN's lengthy permissions list makes it a little scary to install, but it's our job to take these risks, so we tapped the Install button and the app was ready to go in seconds.
We couldn't miss the ads. The app opened with a full-screen example. We cleared it, and another appeared. We tapped Continue and were taken to the main app screen, which had an embedded ad. We clicked Connect > OK and a full-screen video ad with audio appeared. We waited, closed that, clicked Disconnect, and this time remained relatively ad-free (apart from the embedded block on the main screen.)
Look in between the ads and you'll find a very simple VPN client. A Connect button gets you a connection to the nearest location (France, Germany, Canada, US), or a menu enables selecting it manually, and one tap disconnects you when you're done. There's nothing else to learn, and not an option or configuration setting in sight.
The underlying technology seems to be much the same as most other VPN apps. SuperVPN adds a standard VPN connection to the Settings > Wireless & networks > VPN list, and calls it up on demand.
Checking the app code confirmed our impression. Like many other Android VPN apps, SuperVPN appears to be based on the open source app, strongSwan. That's good - it's a capable product - but it's also a reminder that SuperVPN isn't about one or more individuals trying to share their own technical ideas of how a VPN should be. It's just a platform to display ads, and do whatever else they might be doing with help from all those sensitive app permissions.
We chose France, clicked Connect, and cleared another full-screen ad. The display had started a 60-day countdown, although we're unsure why. Perhaps you now get a 60-day trial, rather than a 20-day affair.
Our speed tests showed UK speeds delivering a speedy 60Mbps, near European countries reaching 50-55Mbs, the US peaking at 44Mbs and even Singapore reaching 26Mbps. Hong Kong was disappointing at 3-4Mbs, but overall the service performed very well for a free service.
SuperVPN's site unblocking abilities were less impressive. BBC iPlayer displayed its regular 'this content is not available in your location' error, and US Netflix warned that 'you'll need to turn these [proxy] services off and try again.]'
Whatever we might think about its other issues, SuperVPN delivered on our final leak tests. We used IPLeak, Doileak and other sites to analyze our connection, and they couldn't find any giveaway leaks or clues to our real identity.
- We've also highlighted the best VPN