Security Analysis of 100 Free VPN apps for the Android platform

Tomcat

The Top10VPN publication, which reviews and verifies VPN services, tested 100 of the most popular free VPN applications for the Android platform, totaling more than 2.5 billion installations (for verification, 100 free VPN applications were taken, for which the largest number of downloads was recorded in the Google Play catalog). Key findings:

* 88 of the tested programs have certain problems that lead to information leaks. In 83 applications, leaks occurred due to accessing third-party DNS servers (not the servers of the VPN provider), for example, in 40 cases Google DNS was used, and in 14 cases Cloudflare was used. In 79 applications, the ability to send traffic bypassing the VPN was not excluded. In 17 applications, several types of leaks were detected at once (disclosure of the user's source IPv4 and IPv6 addresses to sites, leaks via DNS and WebRTC).

* Outdated pseudo-random number generators were detected in 11 applications. One of the apps didn't use any traffic encryption at all. 35 applications used outdated cryptographic algorithms (only 20 programs used reliable hashing methods). In 23 applications, at the stage of creating a VPN tunnel to access an external server, old versions of TLS (older than TLSv3) were allowed, and in 6 applications, SSLv2 was used.

* In 69 programs, excessive permissions were requested: for example, 20 applications required access to location data (ACCESS_*_LOCATION), 46 to the list of installed programs (QUERY_ALL_PACKAGES), 9 to the phone state (READ_PHONE_STATE, which among other things allows the IMEI and IMSI to be read), 82 requested unique identifiers for tracking in ad networks (ACCESS_ADVERTISEMENTS_ID), and 10 tried to access the camera.

* 53 applications were found to use third-party proprietary features: for example, 13 programs used location tracking code, 31 code to obtain advertising network IDs, and 22 code to check other installed applications. 80 programs used third-party libraries, including 15 using Bytedance (TikTok) libraries and 11 using Yandex libraries.

* 84 apps included SDK components from marketing platforms or social networks, while 16 apps included 10 or more similar components.

* 32 apps were found to have access to hardware capabilities and sensors that could lead to privacy violations. For example, 15 applications access the camera, 7 access the microphone, 14 access location mechanisms such as GPS, and 14 access sensors (gyroscope, proximity sensor, etc.).
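A manifest audit that flags the permission categories the two points above count (location, installed-package visibility, phone state, advertising ID, camera, microphone) is an easy first check on any VPN app. This is an added example, not code from the Top10VPN study; the sample manifest is constructed, the baseline of "expected" VPN permissions is an assumption, and the advertising-ID permission is matched under its manifest name com.google.android.gms.permission.AD_ID.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Categories the post counts, keyed to the manifest permission names that grant them.
# The advertising-ID permission in a manifest is com.google.android.gms.permission.AD_ID.
WATCHLIST = {
    "location": re.compile(r"^android\.permission\.ACCESS_(FINE|COARSE|BACKGROUND)_LOCATION$"),
    "package_visibility": re.compile(r"^android\.permission\.QUERY_ALL_PACKAGES$"),
    "phone_state": re.compile(r"^android\.permission\.READ_PHONE_STATE$"),
    "advertising_id": re.compile(r"^com\.google\.android\.gms\.permission\.AD_ID$"),
    "camera": re.compile(r"^android\.permission\.CAMERA$"),
    "microphone": re.compile(r"^android\.permission\.RECORD_AUDIO$"),
}

# Permissions a VPN client plausibly needs to hold a tunnel (assumed baseline).
BASELINE = {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"}

def audit_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested.update(el.get(ANDROID_NS + "name") for el in root.iter(tag))
    requested.discard(None)
    flagged = {}
    for category, pattern in WATCHLIST.items():
        hits = sorted(p for p in requested if pattern.match(p))
        if hits:
            flagged[category] = hits
    watched = {p for hits in flagged.values() for p in hits}
    return {
        "requested": sorted(requested),
        "flagged": flagged,
        # Anything neither baseline nor watchlisted still deserves a manual look.
        "unexplained": sorted(requested - BASELINE - watched),
    }

# Constructed sample manifest resembling a free VPN app's requests (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>"""
```

Running `audit_manifest(SAMPLE_MANIFEST)` on the sample flags five of the six categories and leaves GET_ACCOUNTS as an unexplained request; the same function can be pointed at a manifest decoded from a real APK.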

* 71 apps sent personal data to third-party services, such as Facebook (47), Yandex (13), and VK (11). 37 apps disclosed device IDs to third-party services, 23 IP addresses, and 61 unique tracking identifiers. 19 apps sent telemetry with device and system information to the VPN provider's servers, and 56 sent it to third-party services such as Google (39), Facebook (17), and Yandex (9).

* Malware was detected in 19 applications when tested in the VirusTotal service, which uses more than 70 antivirus programs. In 18 applications, connections to domains on blacklists of malicious hosts were detected, and in 13, connections to blacklisted IP addresses.

* 93 apps showed a discrepancy between the declared privacy labels and the actual state. 75 apps gave incorrect information about the methods of collecting user data, 64 about sending data to third-party services, and 32 about the security methods used. Of the 65 apps labeled "No Data Sharing", only 20 did not send data to third-party services, and of the 32 apps labeled "No Data Collection", only two met the associated requirements.