The Google Play app store holds about 250 Android apps that provide access to virtual private network (VPN) services.
The bad news? Many of these VPN apps could actually be sabotaging your security and privacy. A recent study by U.S. and Australian researchers found that many Android VPN apps were potentially malicious, let third parties spy on "secure" transmissions, tracked users or just plain didn't work.
Credit: Kevin Frayer/Getty
It might be easy to disregard all VPN apps as too risky. But would that be a fair assessment? A number of free VPN apps are offered by reputable antivirus companies and desktop VPN providers, although most of those have some level of paid service. With that in mind, are free VPN apps worth the potential security risks?
It depends, said Joe Carson, chief security scientist with Thycotic, an information-security provider based in Washington, D.C.
"VPNs are safer than doing nothing," Carson said. But he added that if you are downloading an Android app, you have to do your homework.
That includes investigating the origin of the VPN app — you probably want to skip any from China, Russia or other countries with a dubious security history, Carson said — and sticking with vendors you are familiar with and trust.
Nothing is ever really free
However, Ryan O'Leary, vice president of the Threat Research Center at WhiteHat Security in Santa Clara, California, is more skeptical.
"I don't think VPN apps are secure, especially free ones," O'Leary said. "The lower the cost of the app, the greater the chance they have security problems."
App developers want to make money, he said, but on a VPN app, you can't really be sure how that's happening.
"At best," O'Leary said, "they are using ads to earn income. At worst, they are selling your private information."
"The lower the cost of the app, the greater the chance they have security problems." -- Ryan O'Leary, Threat Research Center at WhiteHat Security
In fact, he said, "free" should be a red flag when it comes to VPN apps. Unscrupulous app developers may utilize users as end points or for extra bandwidth to support other customers.
"It's expensive to run a VPN," O'Leary said. "There's a good chance that someone else is using your connection."
The most serious risk of free VPN apps is that you may lose control of your data. A VPN service is supposed to encrypt your data stream from your device all the way to the service's servers, from where it enters the open internet. But a shady or poorly configured service could compromise your traffic, either by design or by accident, or could even piggyback on your encrypted connection for nefarious purposes.
"Your data could be intercepted or decrypted," said Mat Gangwer, chief technology officer with Rook Security in Indianapolis. "Bad guys could be using your connection for shady activities or to cover their tracks."
How to pick a VPN app
Are free VPN apps worth that risk? The experts agree: No, unless you are confident the free app is extremely trustworthy.
If you can find a paid VPN app, or one that has in-app purchases for higher levels of service, consider that option instead. We recently reviewed several VPN apps and services, and the paid IPVanish ($10 per month or $78 yearly) took the top spot. The runner-up option, Avast Secureline VPN, is also paid at $59.99 per year.
Paid doesn't guarantee secure, but even partially paid apps are often more protective of your data and give more software updates.
Better yet, stick with apps made by well-known desktop VPN service providers or antivirus software makers. All will include in-app purchases, or some other kind of paid subscription, to use the higher tiers of service, but many will give you a certain amount of free VPN usage per month.
"Bad guys could be using your connection for shady activities or to cover their tracks." -- Mat Gangwer, chief technology officer with Rook Security
Reputable partly free VPN services include Avast's SecureLine VPN and Avira's Phantom VPN There's also F-Secure's Freedome VPN; it costs $6 per month to use, but was singled out as being especially trustworthy by the authors of the VPN-app research paper we mentioned earlier.
However, if you still want to use a completely free VPN app, do your research, the experts advised. Investigate the vendor's reputation, and see where it is located. Question the permissions requested by the app – for example, would a VPN app really need permission to access your phone number or text messages? Read user reviews, especially the less-than-stellar ones, to find out which problems and concerns other users had.
"When done correctly, VPNs are a good option," said O'Leary. "But never forget that, in the end, you get what you pay for."