Study finds 53% of paid Android VPNs leak user data

A new study by Top10VPN.com reveals that over half of paid Android VPN applications leak user data.

Top10VPN.com, led by Simon Migliano, Head of Research, conducted an analysis of 30 popular paid VPN apps available on the Google Play Store. These apps, which have been installed over 732 million times globally, showed concerning levels of security vulnerabilities.

The study's findings indicate that 53% of the tested services are leaking user data. A significant issue identified was the failure to implement Server Name Indication (SNI) encryption, a shortcoming present in 50% of the VPNs, which exposes users' VPN activities to potential surveillance.

In addition, 23% of the applications were found to leak DNS requests under specific conditions, compromising user privacy. This same percentage of VPNs also utilised third-party DNS servers, potentially allowing external entities to monitor user activity.

The research uncovered that some services exhibited risky data practices, with three VPN providers sharing or exposing personal data in ways that jeopardise user privacy. "Our research indicates that even paid VPN services, which users trust to safeguard their online privacy, are not immune to significant security flaws," said Simon Migliano. "It's alarming that half of these services expose VPN usage due to inadequate SNI encryption, undermining the very purpose of using a VPN."

Migliano expressed surprise at the number of paid VPN services outsourcing DNS resolution to third parties. He said, "A log of their DNS queries can reveal a lot about a person's interests, political leanings, and any health or financial concerns, and so should be kept private."

On a more positive note, Migliano highlighted that no paid VPN leaked IPv4 or IPv6 data in the tests, a contrast to 11% of free VPN apps. "While there's room for improvement, many paid VPNs are completely safe and far more secure than their free counterparts, almost 90% of which leak data," he stated.

The study utilised comprehensive testing methods to assess various VPN security aspects. It found that 16 out of the 30 analysed VPNs exhibited some form of data leakage. Specifically, 15 VPNs exposed users' VPN usage due to lack of SNI encryption, while seven leaked DNS requests under certain conditions.

Security standards were also assessed, with over a quarter (27%) of VPNs not using the strongest encryption protocols, potentially compromising data security. The study identified Avira Phantom as the most insecure due to its use of the outdated SSLv2 protocol.

Issues with VPN tunnel stability were observed in nine VPNs, indicating intermittent protection that could result in potential data exposure. Moreover, six VPNs requested high-risk permissions, such as access to location and camera, without clear justification.

Four VPNs declared potentially risky hardware usage without software functionalities justifying such access, and seven included tracking code from advertisers and data brokers. Notably, Hotspot Shield, VPN Unlimited, and FastestVPN were observed actively sharing or exposing personal data. FastestVPN, in particular, was the worst offender, exposing users' email addresses in headers of unencrypted server requests to a geolocation API.

"Users often assume that paying for a VPN guarantees robust security and privacy," Migliano said. "However, our findings suggest that this is not always the case. It's crucial for consumers to be aware of these vulnerabilities and make informed decisions when selecting a VPN service."

The research offers several recommendations for consumers, advising them to thoroughly research VPN providers, verify encryption standards, monitor permissions, and stay informed on VPN security updates.

"Our goal is to empower users with the knowledge needed to protect their online privacy effectively," said Migliano. "By highlighting these issues, we hope to encourage VPN providers to enhance their security measures and uphold the trust that users place in them."