Risky free VPNs still available in Apple App Store & Google Play despite warnings

By Malcolm Owen

Apple and Google are still allowing a number of potentially unsafe free VPN apps to be downloaded from respective app stores, despite warnings that many of the apps pose a privacy risk to consumers, primarily from the apps questionable ownership by Chinese organizations.

An investigation at the end of 2018 into a large number of free VPN applications offered on Apple's App Store for iOS as well as Google Play revealed over half of the most popular versions available to download were secretly owned by Chinese companies, or were based in China. Given China's censorious nature, as well as major control over how its citizens access the Internet, it was considered to be a risk to use the free VPNs in question.

At the time, it was also determined the majority of the apps examined had few formal privacy protections, and practically didn't offer user support at all. Apple and Google were both taken to task for allowing the apps into the digital storefronts, despite the inherent risks, but evidently the investigation wasn't enough.

In an August update to the investigation, privacy and security researcher Simon Migliano of Top10VPN.com revealed the advice from his widely-reported earlier investigations were ignored by both Apple and Google, with neither acknowledging the problem existed.

Both firms were advised 77% of the apps flagged as potentially unsafe in the earlier investigation still posed a risk, while a further 90% from another investigation into free VPNs on Android that were similarly flagged are also still a risk. Migliano also provided detailed lists of the potentially unsafe apps, links to app listings in stores, relevant research for each, and recommendations on how to improve the situation, but it is claimed neither Apple nor Google made any changes.

The apps are also becoming a far bigger problem, with approximately 3.8 million installations of the risky apps on iOS each month. It is suggested that, while the figure remains steady from the time of the first investigation, the 20% reduction in apps since the start of the year due to no longer being available means the number of downloads for still-available apps is increasing on per-app average.

On Google Play, the downloads have increased in number, with 214 million installations in six months representing an increase of 85%.

While China does not allow VPNs to be used in the country, with Apple taking down apps as part of a government crackdown in 2017, Migliano reasons the development of VPN apps for use by citizens in other countries gives China "potential access to the massive amounts of browsing data flowing through VPN networks," and in turn "huge amounts of foreign intelligence."

The ability to monitor the online activities of its citizens, as well as those of other countries via VPN app traffic, gives the Chinese government the opportunity to perform surveillance unencumbered, and with little need to actively hack organizations.

In June, it was revealed an operation from the Chinese government-backed group APT 10 allegedly gained high-level access to at least ten global telecoms carriers, allowing it to track spies, law enforcement, military personnel, and dissidents linked to China.

The report also notes 80% of the top free VPNs in the App Store are also breaching Apple's data sharing ban, a rule change from June that prohibited VPN apps from sharing data with third-party services. By flouting the ban, this can allow apps to gather more data than Apple has deemed it necessary to collect, and to ferry it back to an unknown third-party, which could easily be a government-controlled entity.

"Just as the harsh glare of suspicion is falling on Huawei's ties with the Chinese state, similar scrutiny should be applied to VPN services," Migliano insists. "It's unacceptable that Google and Apple are keeping their heads buried in the sand rather than weeding out any VPN operators that don't meet strict standards for integrity."