“A significant portion of the market is not equipped to handle that responsibility”: the VPN industry reacts to TechRadar's research

Last week, our investigation revealed that over three-quarters of Android VPNs fail basic transparency tests. The research casts serious doubt on which apps you can actually trust.

This week, I spoke with leading VPN providers about how you can stay safe online and what the industry is doing to clean up its reputation.

Aaron Engel, Chief Information Security Officer at ExpressVPN, says “the industry must continue to raise the bar on transparency.” But with the bar for Android VPNs set concerningly low, what does this actually look like in practice?

The importance of transparency

Engel said “transparency should be a key factor when choosing a VPN” and highlighted the importance of audits, accessible privacy policies and clear company ownership. Combined, these provide “important indicators of whether a provider is committed to protecting user privacy,” Engel argued.

“Transparency should be backed by verifiable action.”

ExpressVPN has done this with third-party audits — 23 of them to be precise — alongside significant investment into its security capabilities.

Most notably, its TrustedServer technology uses RAM-only server infrastructure: the entire operating system and VPN are reinstalled at every reboot, so no data is ever written to physical drives.

Like ExpressVPN, Surfshark prioritizes clarity. Justas Pukys, VPN Product Manager at Surfshark, says this commitment includes everything from 24/7 customer support to "clear, accessible" online resources.

What else can providers do?

“A VPN is entrusted with a user's most sensitive data, and as this investigation reveals, a significant portion of the market is not equipped to handle that responsibility,” explains Marijus Briedis, CTO of NordVPN.

So, what more can the industry do? Pukys, of Surfshark, believes that “VPN providers need to demonstrate trust in other ways.”

For Surfshark, this has involved everything from regular independent audits — though fewer than ExpressVPN’s 23 — to transparency reports and frequent app updates to meet evolving platform requirements.

Surfshark also regularly publishes research on topics such as digital privacy, online wellbeing, and global data breaches. While research isn't a direct technical "trust indicator," it’s likely that a provider investing heavily in studying the real-world impact of privacy is genuinely committed to defending it.

Independent audits are a key indicator of a trustworthy VPN. Typically made publicly available, these reports outline any concerns or vulnerabilities discovered by the third-party auditor.

However, since these reports can be dense with technical jargon, transparency reports and no-logs policies serve as more accessible starting points. Both use clearer language to demonstrate how your data is handled.

If you’re keen to dive into an independent audit yourself, two sections deserve your focus. First, look for the executive summary or introduction. This usually provides a snapshot of the findings, including the number of issues identified.

Naturally, the fewer issues the better and ideally, the report will find no ‘critical vulnerabilities.’ Second, be sure to check the "Scope" section. This defines the boundaries of the audit — if the scope is too narrow, significant vulnerabilities may have been overlooked.

Another strong indicator of a provider’s intent is membership in the VPN Trust Initiative (VTI). The VTI includes major players like NordVPN, Surfshark, ExpressVPN, and IPVanish, and focuses on “advancing online privacy, security, and freedom through clear standards and trusted practices.”

Membership suggests that these providers are committed to a shared set of industry principles, implementing these privacy standards directly into their software and infrastructure.

That is not to say that VPNs outside the VTI are untrustworthy. Reputable providers like Proton VPN, Mullvad, and Windscribe have yet to join, but they consistently demonstrate the same rigorous, privacy-first practices that the VTI advocates for.

What should VPN users look out for?

However, as our recent investigation into the Google Play Store revealed, these high standards are the exception rather than the rule.

Responding to the findings, Pukys says “the Android ecosystem is generally more open” than others. While this makes it easy for new developers to access a major downloads platform, it also means closer attention should be paid to “how VPN providers communicate their data practices and privacy commitments.”

When considering Android VPNs, David Peterson, GM of Proton VPN, explains, you should:

  1. “Check the data safety section on their store listing” to ensure you’re comfortable with the information being collected and shared with third parties.
  2. “Visit the brand’s official website and read through their privacy policy.”
  3. “Download their VPN only from the links they prominently provide”, commonly found on the provider’s website or via official app store links.

For Briedis, there is a broader scope of sensible steps to consider:

“Invest time in researching their provider. Look for clear, accessible privacy policies, professional websites, and dedicated customer support channels.”

Our research has also shown how unresponsive customer support can be when using an untrustworthy Android VPN. Knowing you can get help is crucial. If you’re unsure, try contacting a provider's support team with a question before signing up. A prompt response is a good sign.

As Briedis noted: “Choosing a VPN is a significant decision for one's digital security, and it's essential to select a service that proves its commitment to user privacy and transparency.”

So, do your research. Don’t fall for the first VPN you see, and check anything you’re unsure about.

Rob Dunne
VPN Editor

Rob is TechRadar's VPN Editor. Coming from a background in phones and technology, he's no stranger to the risks that come with putting yourself online. Over years of using different platforms, testing the limits of his online persona, and feeling the brunt of several data breaches, Rob has gained a keen understanding of cybersecurity and the benefits of services such as VPNs in providing a secure online experience. He uses this to not only advise on the best ways to stay secure online but also share his own experiences and especially how to avoid trouble. Outside of work, you'll find Rob on the tennis courts, in the gym, or diving into the biggest and best games of the year.
To share a story or tip, email robert.dunne@futurenet.com
