Free VPN Android apps aren't getting any cleaner or safer, a new study that looked at 150 VPN apps in Google Play concludes.
"More than 25 percent failed to protect user privacy due to DNS leaks," says a blog posting Monday (Jan. 21) by Tom Migliano, head of research at Top10VPN.com, which conducted the survey. "We also found 85 percent featured questionable permissions or functions buried in their source code that could potentially be used to spy on users."
To be fair, Top10VPN.com makes money by getting a small commission every time someone subscribes to a paid VPN service through the website. (Tom's Guide does this too.) But the findings line up with those from a scientific survey conducted two years ago by researchers at Australia's CSIRO research agency and the University of California, Berkeley.
"None of these risky permissions or functions are to be found in the leading paid-for VPN apps, which closes the door to any potential privacy abuses," Migliano noted.
Overall, this reinforces our conclusion that no wholly free VPNs are worth trying. But some free plans or tiers offered by paid VPN providers are worth using, as long as you accept their limitations.
The Top10VPN study found fault with three freemium VPN services we've recommended: Hotspot Shield (which has two VPN apps), Speedify and Windscribe. Fortunately, all of the issues were explained by the vendors to Top10VPN's satisfaction. A fourth freemium service we review, TunnelBear, had zero problematic issues.
Hotspot Shield's two apps -- there's an entirely free one, and then another one that can be upgraded to paid service -- can both read your phone number and write to external storage such as an SD card, Top10VPN said. The upgradeable app also can get the phone's last known location, kill background processes and execute system commands, which could let it track users or turn off antivirus software.
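The capabilities listed above (reading the phone number, writing to external storage, getting the last known location, killing background processes) correspond to specific Android permissions declared in an app's manifest. The script below is an added example, not code from the study or from any vendor: it parses an AndroidManifest.xml and flags the permissions that map to those capabilities against a defender's watchlist. The watchlist, the "expected for a VPN app" set, and the sample manifest (with the hypothetical package name com.example.freevpn) are assumptions constructed for the example. "Execute system commands" is not a manifest permission at all, so a manifest audit cannot see it; that one needs code review, which is why the study speaks of functions "buried in their source code".

```python
"""Flag Android manifest permissions matching the capabilities the Top10VPN
study called out. Added example; not the study's methodology or any vendor's code."""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Watchlist (assumption): real Android permission names mapped to the capability
# they grant, chosen to mirror the behaviours named in the article.
RISKY_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "read phone number / device identifiers",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to external storage (SD card)",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate / last known location",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.KILL_BACKGROUND_PROCESSES": "kill background processes",
}

# Permissions a VPN client plausibly needs (assumption), so a reviewer can tell
# them apart from the ones that warrant a question to the vendor.
EXPECTED_VPN_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Note: executing system commands (e.g. via Runtime.exec) needs no manifest
# permission, so it is invisible here and must be found by reviewing the code.


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return every <uses-permission android:name="..."> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def audit_manifest(manifest_xml: str) -> Dict[str, object]:
    """Split requested permissions into flagged (on the watchlist), expected, and other."""
    perms = requested_permissions(manifest_xml)
    flagged = {p: RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS}
    other = [p for p in perms
             if p not in RISKY_PERMISSIONS and p not in EXPECTED_VPN_PERMISSIONS]
    return {"requested": perms, "flagged": flagged, "other": other}


# Constructed sample manifest for a hypothetical free VPN app; not from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
</manifest>
"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for perm, why in report["flagged"].items():
        print("FLAG %s: %s" % (perm, why))
    for perm in report["other"]:
        print("REVIEW %s: not on either list" % perm)
```

A flagged permission is a question for the vendor, not a verdict: as the article shows, Hotspot Shield, Speedify and Windscribe all explained or removed theirs. The value of the check is making the list of questions explicit before the app is installed.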
However, "Hotspot Shield provided a very detailed response" when Top10VPN reached out for comment, and the report says that "Hotspot Shield Free takes appropriate steps to mitigate the risks associated with the permissions and functions identified above."
Similarly, Speedify's Android app could read the device's phone number, access the location and execute commands. But Speedify killed the phone-number function after being contacted by Top10VPN, and explained the other issues.
"We were impressed at this provider's willingness to engage with our findings and quickly remove any unnecessary risky functions," the report said.
Windscribe didn't have any intrusive permissions, but Top10VPN found that it could access the phone's last known location and execute system commands. Windscribe responded that those were necessary to locate safe Wi-Fi hotspots and to use the OpenVPN protocol.
Top10VPN accepted these as "perfectly reasonable uses of these functions" and added that "Windscribe avoids the typical problems associated with ad-supported apps and is among the best services of its kind."
Many other VPN apps, none of which Tom's Guide recommends, had more serious issues, including getting the user's exact geographic location and leaking the user's true IP address.
Among those we'd heard of, Hola VPN, which is often criticized by VPN experts over privacy and security concerns, was found by Top10VPN to leak the user's IP address via DNS requests and the WebRTC browser function. An attacker could use either to locate you, even if you were connected to Hola VPN.
The Hola VPN app can also get your precise location, write to external storage and get the device phone number. When asked about these by Top10VPN, Hola VPN "provided a swift response that was rather lacking in detail."
"These are weak justifications for these combinations of intrusive permissions and risky functions," Top10VPN said.
Betternet VPN, which shares a parent company with Hotspot Shield, was found to write to external storage, a behavior that other vendors had explained to Top10VPN's satisfaction. However, Betternet sent Top10VPN only a "canned response" when asked, which Top10VPN found to be "an incredibly disrespectful way to treat the issue of user privacy."