Hundreds of Millions Have Downloaded Suspicious VPN Apps With Serious Privacy Flaws. Apple and Google Haven't Taken Action.
When Thomas Jefferson penned the Declaration of Independence, he specified life, liberty and the pursuit of happiness as three of humankind’s “unalienable rights.”
More than 230 years later, people are wondering: What about the right to privacy?
The conversation isn’t new -- attorney Jacqueline Klosek wrote a book called Data Privacy in the Information Age in 2000 -- but post-Cambridge Analytica, it is newly relevant in the eyes of the general public. We’ve long turned over personal data to companies in exchange for access to goods and services, but for cautious consumers, there have always been tools available to safeguard their personal data.
Accordingly, the use of virtual private networks (VPNs) is on the rise around the world. This type of safeguard creates an encrypted communication tunnel between your device and the VPN provider’s servers, shielding your browsing history, your correspondence and any other information you share from prying eyes on the local network and at your internet service provider. In the first quarter of 2018, about 26 percent of global online users reported utilizing a VPN or proxy server to access the internet in the past month; by Q4, that figure had increased to 30 percent.
But what happens when these “defensive shields” begin to crack -- whether due to a flaw in construction or, more menacingly, due to a cleverly placed hammer strike from the creators themselves?
Simon Migliano, head of research at Top10VPN, a VPN research and review website, recently investigated just that. During a new round of reviews, Migliano saw droves of free VPN apps he’d never seen before in both Apple’s App Store and the Google Play Store. It was strange, he says, because knowing the lay of the land when it comes to VPNs is his job -- and it was rare for him to see this many newcomers. The apps had garnered hundreds of millions of users, but behind many of them were unfamiliar business names with no websites or information about the people running the show. There’s always been a general sense of free VPNs being “dodgy,” says Migliano, but in the past, they’ve rarely been considered dangerous.
In this case, the sheer number of dubious-looking apps out there piqued Migliano’s interest: Were these consumer traps? He decided to find out.
Results of the investigation
In December, Top10VPN published intensive research taking a closer look at the 30 distinct apps that made up the top 20 search results for “VPN” on each of the App Store and the Google Play Store. The results were disconcerting, especially when it came to the apps’ ownership and privacy policies -- and when you consider the fact that some of the apps had upwards of 50 million downloads worldwide.
After digging into the apps’ ownership information, Migliano and his team found that nearly 60 percent of the most popular free VPN apps on Apple’s App Store and the Google Play Store are secretly owned by individuals or companies in China, despite the country’s known internet restrictions and strict ban on VPNs.
A trio of apps known as VPN Master, Turbo VPN and Snap VPN -- which together have more than 14 million total Android installs and 1.1 million monthly iOS installs -- explicitly state that they may transfer users’ personal data to China or Singapore, and the types of data they share go far and wide: browser types, IP addresses, time stamps, device identification codes, email addresses, CPU details, battery use and more.
Another dubious finding? About 55 percent of the apps hosted their privacy policies on amateur pages, such as free WordPress sites with ads or plain text files on Pastebin. More than half listed personal email accounts (Gmail, Yahoo, etc.) as customer support email addresses, and when Top10VPN reached out via those channels, 83 percent of customer assistance email requests were ignored.
Migliano and his team also conducted a more in-depth technical review of 150 VPN apps available to Android users. Combined, the apps had over 260 million installs from the Google Play Store when the study was published in February -- now, that number has hit 518 million. Results were concerning: 85 percent of the apps featured intrusive permissions or functions with a real potential for privacy abuse. Close to seven in 10 requested permissions that official Android developer documentation categorizes as “dangerous” -- the protection level Android assigns to runtime permissions that expose private user data or device hardware, such as location, camera and SMS. That label describes scope for abuse, not a malware verdict; separately, 18 percent of the apps tested positive in preliminary scans for potential viruses or malware.
Entrepreneur worked with Sixgill, a threat intelligence company that analyzes deep and dark web sources, to look further into five of the potentially unsafe VPNs in Migliano’s study: VPN Proxy Master, TurboVPN, Snap VPN, X-VPN and Secure VPN. Dov Lerner, a cyberintelligence researcher at the firm, found that most of them came highly recommended in dark web forums.
“I got a bit of a laugh out of that,” says Lerner. “In this den of thieves, everybody’s a thief -- everybody’s trying to make a buck off of someone else … So that was pretty funny to know, that if these VPNs are insecure, these people are hardly safe. Because they’re actually engaged in illegal activities, these VPN services might hand them over to law enforcement or use them for blackmail. It’s hard to tell what they’re going to do with it, but they certainly have compromising material.”
How this could affect consumers (and why you should care)
As data breaches spread like wildfire -- Equifax, Yahoo and Marriott, to name a few -- you may be wondering: My personal data is already out there in the ether. What new risks could an unsafe VPN really pose?
But there’s a valid reason here to care -- and to take steps to protect yourself. VPNs are marketed as a safe option for secure Internet use, so someone using one may believe they’re protected while visiting the website of their financial institution, health insurance provider or another sensitive outlet. In reality, a VPN only moves the point of trust: instead of your ISP, all of your traffic flows through servers operated by the provider of that service -- the operator of the app. That operator sees every connection you make and every domain you look up, and for any site not using HTTPS it sees the full content as well, web searches included.
When analyzed as part of an extremely large data set, even seemingly innocuous information can reveal sensitive aspects of a consumer’s life. Location-tracking can point to religion, political affiliations, health status and more. Maybe you’re looking up depression symptoms for someone in your family or visiting sites that indicate you’re worried about financial stability. Whatever the case, that information has the potential to determine the ads that the app directly targets you with. It could also be logged, captured, parceled off and sold to third parties, including advertisers and marketers.
With little to no data-protection law standing in the way, these deals are struck several degrees removed from the consumer. You have no relationship with the brokers and advertisers who end up holding your browsing data, and you’re not part of the conversation about its resale. The market is largely unregulated.
And that’s just the legal side of things. In fringe cases, a non-legitimate VPN provider could even gather user information for identity theft purposes. For example, on the dark web, user credentials for emails and passwords could sell for as little as $3 to $5, while credit card data could go for $30, says Lerner.
And since 59 percent of the apps in Migliano’s study had hidden Chinese ownership -- despite the strict VPN ban in China -- there’s potential for authorities there to scoop up sensitive user data for intelligence purposes with no oversight or scrutiny. “It does it internally, domestically, so it’s far from unrealistic to suggest it could be doing it internationally as well,” says Migliano. It may seem far-fetched, but the controversy that has befallen phone giant Huawei in recent months -- surrounding its alleged ties to the Chinese government and intelligence -- means the idea isn’t implausible.
In the best-case scenario, these apps simply come from Chinese companies that take no responsibility for data protection, says Lerner. In the worst-case scenario, not only is that still true but also, alarmingly, they’re bulk-gathering user data.
On another note, there’s the matter of VPNs with perhaps unintentional security flaws -- products that simply don’t work properly, or that declare permissions in their manifests that raise red flags. Migliano’s investigation found that a quarter of the 150 apps profiled in the Android Risk Index were “leaking” -- in other words, letting some traffic escape the encrypted tunnel (most commonly DNS lookups), so that a user’s ISP can still see which sites they visit.
Other intrusive permissions could be the result of attempts to more accurately target you for ads, or of something more sinister. Migliano’s investigation found that 87 of the 150 apps requested permission to access a user’s last known location. Six apps requested permission to use the phone’s camera, meaning they could potentially double as spyware, and four apps even requested permission to send SMS messages from a user’s device without the user’s knowledge.
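The permission findings above (the “dangerous” count in the Android review and the location, camera and SMS permissions in this paragraph) come from reading what each app declares in its AndroidManifest.xml. The script below is an added example of that check, written for this article and not part of Top10VPN’s tooling. It assumes the manifest has already been decoded to plain XML (for instance with apktool) and audits it against the permissions Android’s developer documentation lists at the “dangerous” protection level; it also checks for the VpnService declaration a genuine VPN client must carry. The sample manifest is constructed for illustration and does not describe any real app.

```python
"""Audit a decoded AndroidManifest.xml for "dangerous" permissions.

Added example for this article, not Top10VPN's code. Input is a manifest
already decoded to plain XML (e.g. `apktool d app.apk`). The sample manifest
at the bottom is constructed and describes no real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions documented by Android at the "dangerous" protection level,
# mapped to the capability they unlock. Not exhaustive, but covers the
# categories the article's findings refer to.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_PHONE_STATE": "phone",
    "android.permission.CALL_PHONE": "phone",
    "android.permission.READ_CALL_LOG": "phone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
}

# A real VPN client binds its tunnel service with this permission so that
# only the system can start it. Its absence is a strong hint the app is
# not actually a VPN.
BIND_VPN = "android.permission.BIND_VPN_SERVICE"


def requested_permissions(manifest_xml):
    """Return every permission name the manifest requests, in order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name")
            if name:
                names.append(name)
    return names


def declares_vpn_service(manifest_xml):
    """True if some <service> is guarded by BIND_VPN_SERVICE."""
    root = ET.fromstring(manifest_xml)
    return any(
        svc.get(ANDROID_NS + "permission") == BIND_VPN
        for svc in root.iter("service")
    )


def audit(manifest_xml):
    """Summarise requested permissions and the dangerous subset."""
    perms = requested_permissions(manifest_xml)
    dangerous = sorted(p for p in perms if p in DANGEROUS)
    return {
        "requested": perms,
        "dangerous": dangerous,
        "capabilities": sorted({DANGEROUS[p] for p in dangerous}),
        "declares_vpn_service": declares_vpn_service(manifest_xml),
    }


# Constructed sample manifest (hypothetical package name, not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".TunnelService"
        android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print("requested:", len(report["requested"]))
    print("dangerous:", ", ".join(report["dangerous"]) or "none")
    print("capabilities:", ", ".join(report["capabilities"]) or "none")
    print("declares VpnService:", report["declares_vpn_service"])
```

Run against a batch of decoded manifests, this is enough to reproduce the kind of tally the study reports (how many apps ask for location, how many for the camera or SMS) and to spot the oddity a reviewer should question: a tunnelling app has a legitimate need for INTERNET and network-state access, but none for the four dangerous permissions the sample requests.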
“Our internet generation has grown accustomed to getting apps for free,” says Lerner, “but privacy and data protection come at a premium. If you want your data to be protected, you have to pay for it.”
A global issue
For about half a century, the “third-party doctrine” has been a key staple of American privacy law, stipulating that after sharing information with a third party, individuals have no reasonable expectation of privacy in that information. But as consumers become more invested in their data protection rights -- and breaches continue to propagate -- governments are beginning to take steps towards more robust regulation. Vermont, Maine and California have all passed laws that in some way regulate or limit the sale of resident data, and a number of other states are considering similar measures.
But the battle for data privacy extends well beyond global superpowers, and it’s being waged on an individual scale.
Internet shutdowns occur regularly around the world; for example, according to one report, 22 governments in Africa have ordered shutdowns in the past five years. And many VPN users choose free options because they’re unable to pay for similar services, though they may be in real need.
Since 2009, the Iranian government has censored access to social media platforms like Facebook, Twitter and YouTube after activists used them to organize protests. Some residents download VPNs to bypass the restrictions.
In April, after the Easter bombings in Sri Lanka, the government instituted a major internet shutdown of platforms like Facebook, WhatsApp and YouTube, citing the need to curb misinformation. For information on what happened -- and to contact their loved ones -- residents turned to VPNs.
And in May, the Indonesian government restricted access to social media following deadly riots that broke out after the presidential election. Residents used VPNs to circumvent the shutdown and check in with loved ones, as well as upload photos, videos or voice messages on platforms like WhatsApp.
There may come a time when governments step in to regulate VPN networks, but that carries the risk of a reality in which governments are the ones both instituting censorship and regulating anti-censorship tools. That’s why Migliano considers Google and Apple to be prime examples of supranational organizations that could take up the mantle of regulating VPNs in countries around the world.
“People see dollar signs when they think about VPNs,” says Migliano. “At the moment, there’s a vacuum, and the wrong people are rushing in to fill that vacuum.” He envisions a future in which the services are regulated in much the same manner as ISPs -- for example, being subject to corporate transparency requirements -- and potentially even a standardized test for whether one is fit to serve the public. “It’s through that lens that Google and Apple should be viewing VPN apps, and it just really isn’t happening.”
Response from Google and Apple
When Migliano first shared the findings with Apple and Google over email in early 2019, he included detailed lists of the potentially unsafe apps, research links, links to listings on the app stores, recommendations of steps to take and more. Migliano notified each company that he’d wait 10 weeks for them to address the issues before taking the research public.
It’s been over six months, and 77 percent of the apps flagged as unsafe on the study’s publication date are not only still available for download but also seem to be increasing in popularity. On Google Play, downloads of the affected apps have spiked 85 percent in six months (totaling 518 million to date). In the App Store, monthly installs have remained largely unchanged at around 3.8 million, but as Top10VPN’s study put it, that’s still a relative increase: “This total was generated by 20 percent fewer apps than at the start of the year, as a number of apps are no longer available.”
“It’s quite baffling in a way that Apple and Google haven’t even made a single pronouncement,” says Migliano. “To have them completely ignore the issue and put their heads in the sand was the other aspect of this round of research that surprised me -- not even to acknowledge it, give some PR guff and say, ‘Yes, we’re looking at it.’”
Apple representatives agreed to take a closer look at the data but had not yet commented by publication time, and Google did not respond to multiple requests for comment.
On June 3, Apple introduced a new iteration of its App Store Review Guidelines that banned VPNs from sharing user information with third parties. The problem: It seems the company hasn’t done much enforcing, judging from the fact that 80 percent of the top 20 free VPN apps currently available for download in the App Store still do not appear to comply with the guidelines, yet have a total of six million monthly downloads.
“They’ve kind of backed themselves into a corner, in my view,” says Migliano. “They’ve admitted that VPNs need to be treated differently, but [they’re] not really doing anything.”