Wednesday, January 22, 2025
HomeAndroidFree Android VPNs Suffering Encryption Failures, New Report

Free Android VPNs Suffering Encryption Failures, New Report

Published on

SIEM as a Service

Follow Us on Google News

VPN apps for Android increase privacy and security over the internet since connection data is encrypted, consequently making it impossible for hackers or other parties to access communication data. 

They also help unblock region-restricted content through IP address hiding, support anonymity on the Internet, and protect secure information more so when using insecure Wi-Fi.

Cybersecurity researcher Simon Migliano at Top10VPN recently discovered that free Android VPNs are suffering encryption failures.

Free VPNs Encryption Failures

Encouraged by the growing trends of government-imposed internet restrictions worldwide and subsequent appeal for virtual private networks (VPNs), this study examines the privacy and security issues about free VPN applications.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

Since 2018, the total installations of the 100 most popular free Android VPNs have skyrocketed from 260 million to over 2.5 billion.

This in-depth research evaluated the privacy and security risks associated with the top 100 free Android VPN apps, which have garnered over 2.5 billion total installations due to increasing global demand.

By testing each app on separate devices, using various tools within an isolated environment, the study identified shocking flaws in encryption, data leakage, and privacy-infringing functions in the codes of these apps.

Most importantly, it was discovered that most of them openly shared personal user information directly with firms such as “Yandex” and “Bytedance,” consequently showing a contradiction between serving people without charging them and safeguarding a VPN’s real confidentiality goal.

For those who cannot afford to pay for VPNs, it is possible to find good, free ones by doing extensive research. However, affordable paid options are more reliable.

The tests revealed worrying encryption flaws and data leakage among all 100 free VPN applications.

11 experienced full-scale breakdowns in the encryption process, slightly over a third deployed an inadequate form of encryption, and few used the best hashing algorithms or TLS 1.3.

This resulted from 88 leaking information, including 83 that disclosed DNS requests and 79 that did not tunnel all traffic. Over half of these applications suffered from connection instability.

A comprehensive study on user privacy and security vulnerabilities, conducted through Wireshark traffic analysis within a unique test environment, unraveled such extensive vulnerabilities.

Here below, we have mentioned the names of those 11 VPNs:-

  • HTTP Injector
  • Phone Guardian VPN
  • VPN Private
  • iTop VPN
  • PotatoVPN
  • Swift VPN
  • Tenta Private VPN Browser
  • Maple VPN
  • GoFly VPN
  • AVG Secure Browser
  • VPN Satoshi

11 apps were found to have no encryption at all, consequently exposing the browsing activities.

Many of these data leaks were widely spread, 83 of them leaked DNS requests and only 79 could tunnel all traffic.

In addition, many of the investigated apps (96) contained code with potential privacy impacts but some had first-party location tracking together with permissions.

More worrying were those with 12 apps, including third-party precise location tracking code and permissions; some even track in the background.

The main contributors to major privacy concerns included SDKs such as ByteDance, Yandex, and Facebook embedded in popular apps.

In total, during this test period, 71 applications shared personal information while their VPN was still running.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Criminal IP and OnTheHub Partner to Deliver Advanced Cybersecurity Solutions for Education

AI SPERA, a leading Cyber Threat Intelligence (CTI) provider, has collaborated with OnTheHub, a...

SQL Injection Vulnerability in Microsoft’s DevBlogs Lets Hackers Injecting Malicious SQL

In a recent discovery, a security researcher uncovered a critical SQL injection vulnerability on...

Three New ICS Advisories Released by CISA Detailing Vulnerabilities & Mitigations

The Cybersecurity and Infrastructure Security Agency (CISA) announced three new Industrial Control Systems (ICS)...

Security Researchers Discover Critical RCE Vulnerability, Earned $40,000 Bounty

Cybersecurity researchers Abdullah Nawaf and Orwa Atyat, successfully escalated a limited path traversal vulnerability...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Criminal IP and OnTheHub Partner to Deliver Advanced Cybersecurity Solutions for Education

AI SPERA, a leading Cyber Threat Intelligence (CTI) provider, has collaborated with OnTheHub, a...

SQL Injection Vulnerability in Microsoft’s DevBlogs Lets Hackers Injecting Malicious SQL

In a recent discovery, a security researcher uncovered a critical SQL injection vulnerability on...

Three New ICS Advisories Released by CISA Detailing Vulnerabilities & Mitigations

The Cybersecurity and Infrastructure Security Agency (CISA) announced three new Industrial Control Systems (ICS)...