Risky free VPNs still available in Apple App Store & Google Play despite warnings

Posted in iOS, edited August 14
Apple and Google are still allowing a number of potentially unsafe free VPN apps to be downloaded from their respective app stores, despite warnings that many of the apps pose a privacy risk to consumers, primarily because of the apps' questionable ownership by Chinese organizations.


An investigation at the end of 2018 into a large number of free VPN applications offered on Apple's App Store for iOS as well as Google Play revealed over half of the most popular versions available to download were secretly owned by Chinese companies, or were based in China. Given China's censorious nature, as well as major control over how its citizens access the Internet, it was considered to be a risk to use the free VPNs in question.

At the time, it was also determined the majority of the apps examined had few formal privacy protections, and practically didn't offer user support at all. Apple and Google were both taken to task for allowing the apps into the digital storefronts, despite the inherent risks, but evidently the investigation wasn't enough.

In an August update to the investigation, privacy and security researcher Simon Migliano of Top10VPN.com revealed the advice from his widely-reported earlier investigations was ignored by both Apple and Google, with neither acknowledging the problem existed.

Both firms were advised that 77% of the apps flagged as potentially unsafe in the earlier investigation still posed a risk, and that a further 90% of the apps similarly flagged in another investigation into free VPNs on Android also still posed a risk. Migliano also provided detailed lists of the potentially unsafe apps, links to app listings in stores, relevant research for each, and recommendations on how to improve the situation, but it is claimed neither Apple nor Google made any changes.

The apps are also becoming a far bigger problem, with approximately 3.8 million installations of the risky apps on iOS each month. It is suggested that, while the figure has remained steady since the time of the first investigation, the 20% reduction in the number of apps since the start of the year, as some are no longer available, means downloads of the still-available apps are increasing on a per-app average.

On Google Play, the downloads have increased in number, with 214 million installations in six months representing an increase of 85%.

While China does not allow VPNs to be used in the country, with Apple taking down apps as part of a government crackdown in 2017, Migliano reasons the development of VPN apps for use by citizens in other countries gives China "potential access to the massive amounts of browsing data flowing through VPN networks," and in turn "huge amounts of foreign intelligence."

The ability to monitor the online activities of its citizens, as well as those of other countries via VPN app traffic, gives the Chinese government the opportunity to perform surveillance unencumbered, and with little need to actively hack organizations.

In June, it was revealed an operation from the Chinese government-backed group APT 10 allegedly gained high-level access to at least ten global telecoms carriers, allowing it to track spies, law enforcement, military personnel, and dissidents linked to China.

The report also notes 80% of the top free VPNs in the App Store are breaching Apple's data sharing ban, a rule change from June that prohibited VPN apps from sharing data with third-party services. Flouting the ban can allow apps to gather more data than Apple has deemed necessary to collect, and to ferry it back to an unknown third party, which could easily be a government-controlled entity.

"Just as the harsh glare of suspicion is falling on Huawei's ties with the Chinese state, similar scrutiny should be applied to VPN services," Migliano insists. "It's unacceptable that Google and Apple are keeping their heads buried in the sand rather than weeding out any VPN operators that don't meet strict standards for integrity."

Comments

  • Reply 1 of 16
    Hope Hotspot Shield is not a mainland China’s because that’s what I’m using (and enjoying). 
    edited August 13
  • Reply 2 of 16
    Soli Posts: 9,331 member
    matrix077 said:
    Hope Hotspot Shield is not a mainland China’s because that’s what I’m using (and enjoying). 
    You may want to read the Critical Reception section, then follow to other links, and possibly subscribe to a paid service without any of these questionable, black marks.

  • Reply 3 of 16
    Soli said:
    matrix077 said:
    Hope Hotspot Shield is not a mainland China’s because that’s what I’m using (and enjoying). 
    You may want to read the Critical Reception section, then follow to other links, and possibly subscribe to a paid service without any of these questionable, black marks.

    Yeah, I’m on paid subscription since day one. Had used it free on my Windows days and found it’s awful. Surprisingly using it on Mac and iOS with paid subscription is pretty great and easy. 
    edited August 13
  • Reply 4 of 16
    How about listing all these questionable apps by name so users know which ones to avoid? I'm fine, using NordVPN, but my friends and family would  benefit from such a list.
  • Reply 5 of 16
    Mike Wuerthele Posts: 4,967 administrator
    TrueNorth said:
    How about listing all these questionable apps by name so users know which ones to avoid? I'm fine, using NordVPN, but my friends and family would  benefit from such a list.
    The source article is linked in the piece.

  • Reply 6 of 16
    GeorgeBMac Posts: 5,262 member
    Yawn....   Another China paranoia piece.   It was Russia who attacked us.   It is Russia who IS attacking us.   But we are told to "look over there..."
  • Reply 7 of 16
    Yet more indications that Apple is really in bed with the Chinese government, being forced to ban certain apps and allow others, or their business in China will suddenly become illegal...
  • Reply 8 of 16
    chasm Posts: 1,697 member
    People who use a "free" VPN will get exactly what they deserve. Hint: it's not secrecy, privacy, or security.
  • Reply 9 of 16
    analogjack Posts: 1,071 member
    You can make anything foolproof,  but you cannot make it idiot proof. 
  • Reply 10 of 16
    gatorguy Posts: 21,236 member
    "Free cheese can be only in a mousetrap." I have learned my lesson, so I will never use a free VPN... I use NordVPN and I will never change it to any other provider, but the list of risky providers must be done, as people tend to download free stuff without thinking about the consequences. 
    FWIW there is an "oddity" being noted in the NordVPN and its daily calls to three domains. It may all be perfectly legit but security experts found it strange behaviour for a VPN, and there's been no change on Nord's side even tho they had said they would remove that in the latest update and did not. 
    https://www.niem.es/2019/03/f5d599a39d02caef1984e95fdc606f838893ffc5-xyz.html
    https://www.niem.es/2019/04/update-f5d599a39d02caef1984e95fdc606f838893ffc5-xyz.html

    As I said probably some legit part of the NordVPN but just be aware that there are some hanging questions about why the odd behavior.
  • Reply 11 of 16
    Why not just use Cloudflare's 1.1.1.1 app, which includes a free VPN?
  • Reply 12 of 16
    Soli Posts: 9,331 member
    Why not just use Cloudflare's 1.1.1.1 app, which includes a free VPN?
    You could use that new feature with Cloudflare's DNS app, but there are still reasons why one would want a VPN with additional options. Even Cloudflare details where there is no best VPN for all users.

  • Reply 13 of 16
    hryde Posts: 3 member
    Am I the only one who first parsed the headline as "Risk Free VPNs..."?
    edited August 15
  • Reply 14 of 16
    gatorguy Posts: 21,236 member
    TrueNorth said:
    How about listing all these questionable apps by name so users know which ones to avoid? I'm fine, using NordVPN, but my friends and family would  benefit from such a list.
    This additional list are those available other than by an app on Android/iOS. Note that some of these are NOT free VPN's. Mike gave you the link to the list of "free" AppStore/Google Play apps earlier in the thread.
    1. Hola
    2. HideMyAss
    3. Sabre VPN
    4. HotSpot Shield
    5. Safe Connect VPN
    6. Hotspot VPN
    7. Seed 4 Me
    8. Psiphon
    9. Hoxx VPN
    10. Unlocator
    11. Browsec VPN
    12. Betternet
    13. TouchVPN
    14. Kaspersky VPN
    15. HexaTech
    16. VPN In Touch
    17. X-VPN
    18. VPNHub
    19. Hide My IP
    20. VPN AC
    21. Bitdefender VPN
    22. Astrill
    23. Buffered
    24. VPN Unlimited
    25. Encrypt Me
    26. F-Secure Freedome
    27. TigerVPN
    28. Speedify
    29. OvpnSpider
    30. AppVPN
    31. Thunder VPN
    32. VPN 360
    33. VPN Gate
    34. TurboVPN
    35. ZenMate
    36. DotVPN
    37. UltraSurf
    38. Opera VPN
    39. Ace VPN
    edited August 19
  • Reply 15 of 16
    gatorguy Posts: 21,236 member
    matrix077 said:
    Hope Hotspot Shield is not a mainland China’s because that’s what I’m using (and enjoying). 
    Hotspot Shield made the list of "risky VPN's" tho on the lower risk side. 
  • Reply 16 of 16
    gatorguy Posts: 21,236 member
    TrueNorth said:
    How about listing all these questionable apps by name so users know which ones to avoid? I'm fine, using NordVPN, but my friends and family would  benefit from such a list.
    Well this is a fine turn...
    With NordVPN being one of the trusted ones it's revealed today that their website has been cloned and malware delivered right alongside the "real Nord". 

    "Researchers at Doctor Web’s virus lab discovered a dangerous banking trojan, Win32.Bolik.2, being spread by hackers via fake websites of popular software. One of these resources is copied from a well-known VPN service, while others are disguised as corporate office software sites.

    A copy of the NordVPN official website, which is a famous VPN service, was recently found by our researchers at nord-vpn[.]club. As with the original, it prompts users to download a program for using the VPN; but apart from the program itself, the fake authors distribute a dangerous banking trojan - Win32.Bolik.2.

    It has the same design, a similar domain name, and a valid SSL certificate."
