Free Android VPNs Suffering Encryption Failures, New Report

VPN apps for Android increase privacy and security over the internet since connection data is encrypted, consequently making it impossible for hackers or other parties to access communication data. 

They also help unblock region-restricted content through IP address hiding, support anonymity on the Internet, and protect secure information more so when using insecure Wi-Fi.

Cybersecurity researcher Simon Migliano at Top10VPN recently discovered that free Android VPNs are suffering encryption failures.

Free VPNs Encryption Failures

Encouraged by the growing trends of government-imposed internet restrictions worldwide and subsequent appeal for virtual private networks (VPNs), this study examines the privacy and security issues about free VPN applications.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

Since 2018, the total installations of the 100 most popular free Android VPNs have skyrocketed from 260 million to over 2.5 billion.

This in-depth research evaluated the privacy and security risks associated with the top 100 free Android VPN apps, which have garnered over 2.5 billion total installations due to increasing global demand.

By testing each app on separate devices, using various tools within an isolated environment, the study identified shocking flaws in encryption, data leakage, and privacy-infringing functions in the codes of these apps.

Most importantly, it was discovered that most of them openly shared personal user information directly with firms such as “Yandex” and “Bytedance,” consequently showing a contradiction between serving people without charging them and safeguarding a VPN’s real confidentiality goal.

For those who cannot afford to pay for VPNs, it is possible to find good, free ones by doing extensive research. However, affordable paid options are more reliable.

The tests revealed worrying encryption flaws and data leakage among all 100 free VPN applications.

11 experienced full-scale breakdowns in the encryption process, slightly over a third deployed an inadequate form of encryption, and few used the best hashing algorithms or TLS 1.3.

This resulted from 88 leaking information, including 83 that disclosed DNS requests and 79 that did not tunnel all traffic. Over half of these applications suffered from connection instability.

A comprehensive study on user privacy and security vulnerabilities, conducted through Wireshark traffic analysis within a unique test environment, unraveled such extensive vulnerabilities.

Here below, we have mentioned the names of those 11 VPNs:-

  • HTTP Injector
  • Phone Guardian VPN
  • VPN Private
  • iTop VPN
  • PotatoVPN
  • Swift VPN
  • Tenta Private VPN Browser
  • Maple VPN
  • GoFly VPN
  • AVG Secure Browser
  • VPN Satoshi

11 apps were found to have no encryption at all, consequently exposing the browsing activities.

Many of these data leaks were widely spread, 83 of them leaked DNS requests and only 79 could tunnel all traffic.

In addition, many of the investigated apps (96) contained code with potential privacy impacts but some had first-party location tracking together with permissions.

More worrying were those with 12 apps, including third-party precise location tracking code and permissions; some even track in the background.

The main contributors to major privacy concerns included SDKs such as ByteDance, Yandex, and Facebook embedded in popular apps.

In total, during this test period, 71 applications shared personal information while their VPN was still running.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…

1 day ago

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…

2 days ago

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…

2 days ago

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…

2 days ago

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…

2 days ago

145,000 ICS Systems, Thousands of HMIs Exposed to Cyber Attacks

Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…

2 days ago