Hundreds of free VPN apps may be making it harder, not easier, for users to protect their privacy. A new analysis from Zimperium’s zLabs examined nearly 800 free VPN apps on the Android and iOS app stores to see whether they are safe to use, and found serious privacy and security problems, including flaws that could let devices already infected by malware be used as “secondary endpoints.” The result: most of these “free” offerings provide little or no real privacy. If you snapped up a no-cost VPN from Google Play or the App Store, you are probably at risk even if you don’t know it yet.
What 800 Free VPN Apps Revealed About the Worst of Their Kind
Problems were divided into five categories, and the hit rate was high. Risky behavior or insecure APIs were detected in over 65% of the apps. Examples included being able to secretly take screenshots of the UI, launching activities in insecure ways that could be hijacked, and exposing exported content providers that leak information or allow privilege escalation. In practice, any of these could let a malicious app on the same device piggyback on the VPN app’s flaws and slurp up information.
Permissions were another red flag. Some 41 percent asked for access that exceeded any legitimate function a VPN should be expected to perform, such as serving as an Android account authenticator or requesting the capability to record audio, leaving users to ask why a VPN would need a microphone at all. (Other overly broad permissions included the ability to track where you are at all times, even when the software isn’t in use, and the ability to “read logs,” which contain your recent actions, system events and app activity.) Legitimate apps almost never need to see device-wide logs, and the mere presence of such a request is a loud signal.
On iOS, 30 apps requested private entitlements (access to features outside normal developer tooling). That raises the possibility of calling private APIs or exfiltrating information, particularly when combined with other vulnerabilities. The researchers also found a long tail of outdated third-party libraries. In a few cases, apps came bundled with vulnerable OpenSSL code, leaving them susceptible to the notorious Heartbleed flaw, a preventable error that speaks of lackluster maintenance.
Communication security fared little better. About 1% of the apps had major vulnerabilities open to man-in-the-middle interception, meaning the secure tunnel a VPN is supposed to create could be collapsed with little effort. A VPN that can be silently intercepted doesn’t just provide a false sense of security; it actually increases risk, because users may behave less cautiously when they believe they are protected.
Privacy Labels and the App Store Compliance Gap
Privacy labels and manifests also frequently did not align with the actual behavior on iOS, zLabs discovered. Apple’s guidelines stipulate the need for accurate disclosures and justifications of access to sensitive APIs, and the researchers found a troubling amount of deviation. In one in four mislabeled apps, no valid privacy manifest existed. For consumers, that gulf makes it more difficult to determine what data is collected and why.
A Pattern Evident in Previous Independent Studies
The findings mirror previous academic research that charted obscured connections between free VPN brands and documented technical shortcuts such as hard-coded credentials and weak encryption. Research from groups like CSIRO’s Data61 and university collaborators has already demonstrated that free VPNs often include third-party trackers, request unsafe permissions and fail to properly encrypt users’ traffic. The throughline in these studies is clear: a “free” label often obscures a business model built on data harvesting and permissive engineering practices.
Why Free Often Means You’re the Product, Not the Customer
It is expensive to operate a VPN you can trust. It needs fleets of physical and virtual servers, high-bandwidth transit, constant patching, auditing and round-the-clock monitoring. If an app isn’t charging you, it has to eat those costs with adware SDKs, marketplace data sharing deals or dark patterns that pull money out of your behaviors. That incentive misalignment is part of the reason why so many free VPNs ask for dubious permissions and use shady libraries. The economics are not in your favor when it comes to privacy.
How to Verify Your VPN Before It Verifies You
Seek recent, scope-complete independent audits from reputable firms whose scope covers the apps, the servers, and the logging claims (rather than marketing copy telling you the service is “no-logs”). Easier to verify are services that open-source their clients and regularly publish transparency reports. Protocols matter as well: contemporary choices such as WireGuard, or a correctly configured OpenVPN, are safer bets than proprietary or aged stacks.
On Android, be on the lookout for apps that request account authenticator permissions, background location access or system log access. On iOS, scrutinize privacy labels but understand they may be incomplete; cross-reference them with what the app actually does. Stay away from VPNs that inject ads into browser traffic or that combine user tracking with unrelated, broad device-level permissions. A kill switch, DNS leak protection, and first-party or well-documented DNS resolvers are signs of a mature service.
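The Android red flags above (microphone, log and background-location permissions, an account authenticator service, and the exported content providers mentioned earlier) can be checked mechanically against an app’s decoded manifest. The following is an added example, not code from the zLabs report or from any VPN vendor; it assumes you have already decoded AndroidManifest.xml to plain XML (for instance with apktool), and the sample manifest it audits is constructed for a hypothetical app.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Permissions a VPN client has no legitimate reason to request (see the article).
RED_FLAG_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "microphone access",
    "android.permission.READ_LOGS": "device-wide log access",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while not in use",
    "android.permission.AUTHENTICATE_ACCOUNTS": "legacy account-authenticator permission",
}
AUTHENTICATOR_ACTION = "android.accounts.AccountAuthenticator"

def audit_manifest(xml_text: str) -> list:
    """Return one finding string per red flag found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(NS + "name", "")
        if name in RED_FLAG_PERMISSIONS:
            findings.append(f"permission {name}: {RED_FLAG_PERMISSIONS[name]}")
    app = root.find("application")
    if app is None:
        return findings
    # An account authenticator is registered as a service with this intent-filter action.
    for svc in app.iter("service"):
        if any(a.get(NS + "name") == AUTHENTICATOR_ACTION for a in svc.iter("action")):
            findings.append(f"service {svc.get(NS + 'name')}: registers an account authenticator")
    # Exported providers with no permission gate are readable by any co-installed app.
    for prov in app.iter("provider"):
        exported = prov.get(NS + "exported", "false").lower() == "true"
        gated = any(prov.get(NS + k) for k in ("permission", "readPermission", "writePermission"))
        if exported and not gated:
            findings.append(f"provider {prov.get(NS + 'name')}: exported without a permission")
    return findings

# Constructed sample manifest for a hypothetical free VPN app (not a real product).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <application>
    <service android:name=".AuthService" android:exported="true">
      <intent-filter><action android:name="android.accounts.AccountAuthenticator"/></intent-filter>
    </service>
    <provider android:name=".LogProvider" android:authorities="com.example.freevpn.logs"
              android:exported="true"/>
  </application>
</manifest>"""
```

Running `audit_manifest(SAMPLE_MANIFEST)` on the sample reports four findings: the two red-flag permissions, the authenticator service and the unguarded exported provider.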
If you must go with a free option, choose a popular “freemium” offering that limits your data allowance while maintaining transparent security practices, or rely on an established, community-reviewed project. And in general, uninstall any VPN that hasn’t been updated in a while, ships outdated libraries or is vague about what logs it keeps.
The Bottom Line for Your Privacy and VPN Choices
The zLabs report is a reminder that a VPN is only going to be as private as its code, configuration, and incentives. Many free apps fall short on all three. If your VPN service asks for invasive permissions, obscures how it secures or shares your data, or can’t explain who owns and runs the business behind its products, then it’s likely selling you a privacy placebo. The best thing to do is select a provider that demonstrates, rather than promises, protection.