Why You Should Avoid Free Android VPNs

Free VPN Android apps aren't getting any cleaner or safer, a new study that looked at 150 VPN apps in Google Play concludes.

Credit: Edaccor/Shutterstock

"More than 25 percent failed to protect user privacy due to DNS leaks," says a blog posting Monday (Jan. 21) by Tom Migliano, head of research at Top10VPN.com, which conducted the survey. "We also found 85 percent featured questionable permissions or functions buried in their source code that could potentially be used to spy on users."

To be fair, Top10VPN.com makes money by getting a small commission every time someone subscribes to a paid VPN service through the website. (Tom's Guide does this too.) But the findings line up with those from a scientific survey conducted two years ago by researchers at Australia's CSIRO research agency and the University of California, Berkeley.

"None of these risky permissions or functions are to be found in the leading paid-for VPN apps, which closes the door to any potential privacy abuses," Migliano noted.

Overall, this reinforces our conclusion that no wholly free VPNs are worth trying. But some free plans or tiers offered by paid VPN providers are worth using, as long as you accept their limitations.

The Top10VPN study found fault with three freemium VPN services we've recommended: Hotspot Shield (which has two VPN apps), Speedify and Windscribe. Fortunately, all of the issues were explained by the vendors to Top10VPN's satisfaction. A fourth freemium service we review, TunnelBear, had zero problematic issues.

Hotspot Shield

Hotspot Shield's two apps -- there's an entirely free one, and then another one that can be upgraded to paid service -- can both read your phone number and write to external storage such as an SD card, Top10VPN said. The upgradeable app also can get the phone's last known location, kill background processes and execute system commands, which could let it track users or turn off antivirus software.

However, "Hotspot Shield provided a very detailed response" when Top10VPN reached out for comment, and the report says that "Hotspot Shield Free takes appropriate steps to mitigate the risks associated with the permissions and functions identified above."

Speedify

Similarly, Speedify's Android app could read the device's phone number, access the location and execute commands. But Speedify killed the phone-number function after being contacted by Top10VPN, and explained the other issues.

"We were impressed at this provider's willingness to engage with our findings and quickly remove any unnecessary risky functions," the report said.

Windscribe

Windscribe didn't have any intrusive permissions, but Top10VPN found that it could access the phone's last known location and execute system commands. Windscribe responded that those were necessary to locate safe Wi-Fi hotspots and to use the OpenVPN protocol.

Top10VPN accepted these as "perfectly reasonable uses of these functions" and added that "Windscribe avoids the typical problems associated with ad-supported apps and is among the best services of its kind."

Other VPNs

Many other VPN apps, none of which Tom's Guide recommends, had more serious issues, including getting the user's exact geographic location and leaking the user's true IP address.

Among those we'd heard of, Hola VPN, which is often criticized by VPN experts over privacy and security concerns, was found by Top10VPN to leak the user's IP address via DNS requests and the WebRTC browser function. An attacker could use either to locate you, even if you were connected to Hola VPN.

The Hola VPN app can also get your precise location, write to external storage and get the device phone number. When asked about these by Top10VPN, Hola VPN "provided a swift response that was rather lacking in detail."

"These are weak justifications for these combinations of intrusive permissions and risky functions," Top10VPN said.

Betternet VPN, which shares a parent company with Hotspot Shield, was found to write to external storage, a function that other apps explained to Top10VPN's satisfaction. However, Betternet sent Top10VPN only a "canned response" when asked, which Top10VPN found to be "an incredibly disrespectful way to treat the issue of user privacy."

Paul Wagenseil
