Are Free VPN Apps Worth the Risk? Experts Say 'No'
The Google Play app store holds about 250 Android apps that provide access to virtual private network (VPN) services.
The bad news? Many of these VPN apps could actually be sabotaging your security and privacy. A recent study by U.S. and Australian researchers found that many Android VPN apps were potentially malicious, let third parties spy on "secure" transmissions, tracked users or just plain didn't work.
Credit: Kevin Frayer/Getty
It might be easy to disregard all VPN apps, clients and services as too risky. But would that be a fair assessment? A number of free VPN apps and services are offered by reputable antivirus companies and desktop VPN providers, although most of those have some level of paid service. With that in mind, are any free VPN services worth the potential security risks?
It depends, said Joe Carson, chief security scientist with Thycotic, an information-security provider based in Washington, D.C.
"VPNs are safer than doing nothing," Carson said. But he added that if you are trying out a new VPN service or app, you have to do your homework.
That includes investigating the origin of the VPN service — you probably want to skip any from China, Russia or other countries with a dubious security history, Carson said — and sticking with vendors you are familiar with and trust. (Some privacy experts put the United States on that list of untrustworthy countries, a fair argument given the scope of the NSA surveillance tools leaked by Edward Snowden.)
Nothing is ever really free
However, Ryan O'Leary, vice president of the Threat Research Center at WhiteHat Security in Santa Clara, California, is more skeptical.
"I don't think VPN apps are secure, especially free ones," O'Leary said. "The lower the cost of the app, the greater the chance they have security problems."
App developers want to make money, he said, but on a VPN app, you can't really be sure how that's happening.
"At best," O'Leary said, "they are using ads to earn income. At worst, they are selling your private information."
"The lower the cost of the app, the greater the chance they have security problems." -- Ryan O'Leary, Threat Research Center at WhiteHat Security
In fact, he said, "free" should be a red flag when it comes to VPN apps and services. Unscrupulous app developers may utilize users as end points or for extra bandwidth to support other customers.
"It's expensive to run a VPN," O'Leary said. "There's a good chance that someone else is using your connection."
The most serious risk of free VPN apps is that you may lose control of your data. A VPN service is supposed to encrypt your data stream from your device all the way to the service's servers, at which point it enters the open internet. But a shady or poorly configured service could compromise your traffic, either by design or by accident, or could even piggyback on your encrypted connection for nefarious purposes.
"Your data could be intercepted or decrypted," said Mat Gangwer, chief technology officer with Rook Security in Indianapolis. "Bad guys could be using your connection for shady activities or to cover their tracks."
How to pick a VPN app
Are free VPN apps and services worth that risk? The experts agree: No, unless you are confident the free app is extremely trustworthy.
If you can find a paid VPN app, or one that has in-app purchases for higher levels of service, consider that option instead. We recently reviewed several VPN apps and services, and the paid Private Internet Access ($7 per month or $40 yearly) took the top spot. The runner-up option, CyberGhost, is also paid at $60 per year.
Paid doesn't guarantee secure, but even partially paid apps are often more protective of your data and give more software updates than free options.
Better yet, stick with apps made by well-known desktop VPN service providers or antivirus-software makers. All will include in-app purchases, or some other kind of paid subscription, to use the higher tiers of service, but many will give you a certain amount of free VPN usage per month.
"Bad guys could be using your connection for shady activities or to cover their tracks." -- Mat Gangwer, chief technology officer with Rook Security
Reputable partly-free VPN services include CyberGhost, Avast's SecureLine VPN and Avira's Phantom VPN. There's also F-Secure's Freedome VPN; it costs $6 per month to use, but was singled out as being especially trustworthy by the authors of the VPN-app research paper we mentioned earlier.
However, if you still want to use a completely free VPN app, do your research, the experts advised. Investigate the service provider's reputation, and see where it is located. Some are based in offshore banking havens such as Panama and the British Virgin Islands, which may be great if you want to hide money, but might not be so great if you're unhappy with your VPN service and want your money back.
Question the permissions requested by the app — for example, would a VPN app really need permission to access your phone number or text messages? Read user reviews, especially the less-than-stellar ones, to find out which problems and concerns other users had.
"When done correctly, VPNs are a good option," said O'Leary. "But never forget that, in the end, you get what you pay for."