Months ago, we told readers about the importance of using a VPN on their iPhones, and while those lessons do apply to Android devicesâa VPN for Android will encrypt your Androidâs web activity and app traffic, and it will stop your mobile carrier from monetizing your dataâAndroid users should caution against one particular risk: That of the free VPN app.
In just the past year, free VPN for Android apps have exposed the data of as many as 41 million users, revealing consumersâ email addresses, payment information, clear text passwords, device IDs, and more. Investigations into one of those free VPN Android apps also revealed that it may have been part of a larger web of Android VPNs all operating under the same companyâa company that was nearly impossible to reach for customer support, borrowed liberally from other company privacy policies, and failed to meet its promises to keep âno logsâ of user activity. And while poorly built VPNs are not reserved only for Android devices, Android users in particular should wade cautiously through the Google Play Store, where countless VPN apps demarcate themselves under bland terminology such as âultimate,â âsuper,â âfast,â and, of course, âfree.â
In reality, a secure, trustworthy VPN Android app is rarely, if ever, free, and thatâs largely because the actual work that goes into running a secure VPN service costs money. As Malwarebytes senior security research JP Taggart said on our podcast Lock and Code:
âDeploying a VPN service is, you know, it requires infrastructure. It requires servers, it requires staff, it requires coders to make sure that itâs done properly or that itâs done the way you want it to work,â Taggart said. âAll of that has to be paid. All these people that work on [the VPN service], nobody is going to do it for free. No one is that altruistic.â
There is no best free VPN for Android
Searching for a VPN app shouldnât be so hard, but it is. A quick query in the Google Play store conjures up at least 250 results, and, without any knowledge of the VPN industry, it can be difficult to know which app to trust. For users taking their first steps into learning about VPNs, the temptation to download any of the countless free VPN Android apps is high.
But some of those free apps are the same ones with a poor track record of protecting user data.
In February of this year, a cybercriminal claimed to have stolen user data from three, separate VPN apps available on the Google Play Store: SuperVPN, GeckoVPN, and ChatVPN. The cybercriminal said on an online hacking forum that theyâd managed to swipe email addresses, usernames, full names, country names, randomly generated password strings, payment-related data, and whether a user was a âPremiumâ member, along with that âPremiumâ membershipâs expiration date. Follow-on reporting from the tech outlet CyberNews also revealed that the stolen data included device serial numbers, phone type and manufacturer information, device IDs, and device IMSI numbers.
The impact of such a data breach is hard to measure, because it goes beyond just the harm caused to the victims. At risk here is also the trust that users are expected to place in a service that is specifically advertised as a privacy and security measure.
Troy Hunt, the founder of the data breach website HaveIBeenPwned, called the breach âa messâ on Twitter, saying that it was a âtimely reminder of why trust in a VPN provider is so crucial.â
âThis level of logging isn’t what anyone expects when using a service designed to *improve* privacy,â Hunt said, ânot to mention the fact they then leaked all the data.â
But for one of the VPN Android apps, SuperVPN, it was actually the second time it had been named in a cybersecurity mishap.
In July, 2020, cybersecurity researchers at vpnMentor published a report that showed that seven VPN Android apps had left 1.2 terabytes of private user data exposed online. According to the report, the data belonged to as many as 20 million users, and it included email addresses, clear text passwords, IP addresses, home addresses, phone models, device IDs, and Internet activity logs.
Particularly upsetting in this discovery was the fact that all of the seven VPN Android apps had promised to keep âno logsâ of user activityâa provably false claim since vpnMentor actually found user logs in its research. The VPNs named in the report were UFO VPN, Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN.
In its investigation, vpnMentor also proposed that the seven VPN Android apps were likely made by the same developer, as the VPN services shared a common Elasticsearch server, along with the same payment recipient, Dreamfii HK Limited. Three of the VPN apps also featured branding and website layouts that looked similar to one another.
These are known privacy and security failures, and they just so happen to afflict free VPN for Android apps. A free VPN may cost nothing out of your pocket, but it could cost your privacy a lot more.
We canât tell you the best VPN for Android, free or not free
Weâve told you the bad newsâfree Android VPNs are too big a risk to take. Now, understandably, you might ask about the good newsâwhat VPN Android app should I use?
Unfortunately, we canât recommend any VPN Android app, and thatâs because what VPNs offerâ which are varying privacy protectionsâare not uniformly valuable to every user.
For instance, for users who want to protect their Internet activity while connecting to a public WiFi hotspot, VPNs offer a strong solution to that, as VPN services encrypt web traffic and make it incomprehensible to digital eavesdroppers. Also, for users who want to access content that is geo-restricted, VPNs also offer a helpful workaround, as they can make a userâs Internet traffic appear as though it is originating from another location.
But where VPN value starts to differentiate is in the realm of privacy, and thatâs because, as weâve learned in recent years, privacy could mean something different for every user. For some users, privacy might mean hiding their Internet traffic from their Internet Service Provider, which a VPN can do. But for other users, privacy might mean keeping their sensitive data from todayâs enormous social media companies, which a VPN cannot do. Or it might mean stopping cross-site tracking across the Internet, which, again, a VPN cannot do.
But do not worry if youâre still looking for help, because we can recommend the same advice we did earlier this year for anyone looking for the right VPN for themselves.
Think about how youâll use the VPN service and look for a variety of features, like the ease of use, the connection speed, any potential data limits, the availability of customer support, and the VPNâs policy on keeping user logs. With the right info, youâll be protecting yourself in no time.
Just remember, if youâre willing to take your privacy seriously, you should also be willing to spend a little money on it.
