Why You Should Avoid Free Android VPNs

Free VPN Android apps aren't getting any cleaner or safer, a new study that looked at 150 VPN apps in Google Play concludes.

Credit: Edaccor/Shutterstock

(Image credit: Edaccor/Shutterstock)

"More than 25 percent failed to protect user privacy due to DNS leaks," says a blog posting Monday (Jan. 21) by Tom Migliano, head of research at Top10VPN.com, which conducted the survey. "We also found 85 percent featured questionable permissions or functions buried in their source code that could potentially be used to spy on users."

To be fair, Top10VPN.com makes money by getting a small commission every time someone subscribes to a paid VPN service through the website. (Tom's Guide does this too.) But the findings line up with those from a scientific survey conducted two years ago by researchers Australia's CSIRO research agency and the University of California, Berkeley.

"None of these risky permissions or functions are to be found in the leading paid-for VPN apps, which closes the door to any potential privacy abuses," Migliano noted.

Overall, this reinforces our conclusion that no wholly free VPNs are worth trying. But some free plans or tiers offered by paid VPN providers are worth using, as long as you accept their limitations.

MORE: Best VPN

The Top10VPN study found fault with three freemium VPN services we've recommended: Hotspot Shield (which has two VPN apps), Speedify and Windscribe. Fortunately, all of the issues were explained by the vendors to Top10VPN's satisfaction. A fourth freemium service we review, TunnelBear, had zero problematic issues.

Hotspot Shield

Hotspot Shield's two apps -- there's an entirely free one, and then another one that can be upgraded to paid service -- can both read your phone number and write to external storage such as an SD card, Top10VPN said. The upgradeable app also can get the phone's last known location, kill background processes and execute system commands, which could let it track users or turn off antivirus software.

However, "Hotspot Shield provided a very detailed response" when Top10VPN reached out for comment, and the report says that "Hotspot Shield Free takes appropriate steps to mitigate the risks associated with the permissions and functions identified above."

Speedify

Similarly, Speedify's Android app could read the device's phone number, access the location and execute commands. But Speedify killed the phone-number function after being contacted by Top10VPN, and explained the other issues.

"We were impressed at this provider's willingness to engage with our findings and quickly remove any unnecessary risky functions," the report said.

Windscribe

Windscribe didn't have any intrusive permissions, but Top10VPN found that it could access the phone's last known location and excecute system commands. Windscribe responded that those were necessary to locate safe Wi-Fi hotspots and to use the OpenVPN protocol.

Top10VPN accepted these as "perfectly reasonable uses of these functions" and added that "Windscribe avoids the typical problems associated with ad-supported apps and is among the best services of its kind."

Other VPNs

Many other VPN apps, none of which Tom's Guide recommends, had more serious issues, including getting the user's exact geographic location and leaking the user's true IP address.

Among those we'd heard of, Hola VPN, which is often criticized by VPN experts over privacy and security concerns, was found by Top10VPN to leak the user's IP address via DNS requests and the WebRTC browser function. An attacker could use either to locate you, even if you were connected to Hola VPN.

The Hola VPN app can also get your precise location, write to external storage and get the device phone number. When asked about these by Top10VPN, Hola VPN "provided a swift response that was rather lacking in detail."

"These are weak justifications for these combinations of intrusive permissions and risky functions," Top10VPN said.

Betternet VPN, which shares a parent company with Hotspot Shield, was found to write to external storage, which other apps explained to Top10VPN's satisfaction. However, Betternet sent Top10VPN only a "canned response" when asked, which Top10VPN found to be "an incredibly disrespectful way to treat the issue of user privacy."

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Read more
Computer with warning image being magnified
This VPN sells access to people's home internet networks
VPN app on mobile phone
Are VPNs safe?
Woman using a free VPN on a mobile device, in front of a laptop
The best free VPN in 2025
Free iPhone VPN
Best free iPhone VPN app in 2025
A mobile VPN app on a smartphone
The best mobile VPN apps in 2025
Best Android VPN ExpressVPN connected to a USA server on an Android device
The best Android VPN in 2025
Latest in Android Phones
Samsung Galaxy S25 Ultra vs S25 Plus vs S25
Satellite messaging on Google Pixel 9 and Samsung Galaxy S25 just landed on 3 more carriers
back of Iris Pixel 9a
The Google Pixel 9a is lacking one of the Pixel 9’s best safety features — here’s what we know
vivo x200 ultra camera array
Vivo’s next premium phone could have a camera unlike anything we’ve seen before — here’s how
Google Pixel 9a with thumbs up and thumbs down icons
Google Pixel 9a — 5 reasons to buy and 3 reasons to skip
Pixel 9 Pro XL held in the hand with price drop badge.
Not a typo! This epic deal makes the flagship Pixel 9 Pro XL the same price as the budget Pixel 9a
Google Pixel 9a hands-on.
Pixel 9a’s on-device AI isn’t as good as the Pixel 9 — here’s what’s different
Latest in News
iPhone 17 Air render
New survey of iPhone users could be bad news for iPhone 17 Air — here's why
Segway g30lp
Segway recalls 220,000 electric scooters - what to do if yours is on the list
Samsung Galaxy S25 Ultra vs S25 Plus vs S25
Satellite messaging on Google Pixel 9 and Samsung Galaxy S25 just landed on 3 more carriers
L-R: Claude (Marco Calvani), Danny (Colman Domingo), Kate (Tina Fey) and Jack (Will Forte) have their bags packed for Netflix's "The Four Seasons"
Netflix just teased a new comedy series starring Tina Fey, Steve Carrell and Colman Domingo — and we already have a release date
back of Iris Pixel 9a
The Google Pixel 9a is lacking one of the Pixel 9’s best safety features — here’s what we know
Razer Blade
Nvidia's DLSS 4 demo in a Razer Blade 16 with RTX 5090 gives me hope again for next-gen gaming laptops
  • king47915
    Paid ones doesn't?
    Reply
  • Paul Wagenseil
    21710973 said:
    Paid ones doesn't?

    Not according to the researchers.
    Reply
  • s89lambert
    Hello guys. I want to advice you great vpn application - Veepn. It is exactly the case, when the price matches quality. You should try it.
    Reply