Redazione RHC: 9 October 2025 07:32
Millions of people use mobile VPNs to hide their traffic, bypass blocks, and browse the web securely. Research by Zimperium zLabs revealed that a significant number of free apps not only fail to provide effective protection but also create new risks. The team analyzed nearly 800 free VPNs for Android and iOS and observed consistent behavior across many apps.
They offer little privacy, request unnecessary and dangerous permissions, leak data, and use outdated code. With BYOD policies, this is no longer just an everyday nuisance but a corporate security vulnerability, as even a popular client can become a weak link and leak sensitive data.
A VPN should encrypt the channel between your device and the remote server. This hides your true IP address and makes traffic interception much more difficult. Ideally, it should be like a letter in a sealed envelope, not a postcard. The problem is that some applications have cracks in the envelope, and some are even tampered with during delivery.
The most alarming observation concerns third-party libraries. Developers continue to integrate old components with long-known critical bugs. Three applications were found to contain an old build of OpenSSL still affected by the Heartbleed vulnerability, CVE-2014-0160. This vulnerability allows an attacker to read the peer's memory remotely and exfiltrate encryption keys, passwords, and other secrets. More than a decade has passed and patches exist, yet these versions are still being shipped. This is indicative of poor development hygiene and disregard for user data.
The communication channel isn't much better. Approximately 1% of tested clients were vulnerable to man-in-the-middle attacks because of improper certificate validation. The application accepts a forged certificate, establishes a seemingly secure connection with the attacker, who then forwards the traffic onward after inspecting it. The user is confident that everything is fine, the server notices nothing, yet the data still ends up in the wrong hands.
A separate transparency issue has emerged on iOS. Apple requires data collection and use to be transparently disclosed in the app's App Store profile and in its privacy manifest. The research shows that these formal declarations often do not match the app's actual behavior. A quarter of the apps do not even contain an adequate privacy manifest. For software that promises anonymity and confidentiality, such opacity is a risk in itself: the user cannot give informed consent, a company cannot properly vet the provider, and telemetry streams and hidden identifiers can easily be turned into user profiles.
Then there are the permissions the app requests from the system. In both the Android and iOS ecosystems, there are requests that are completely unnecessary for the intended purpose of a VPN. On Android, for example, these are AUTHENTICATE_ACCOUNTS, which allows account and token management, and READ_LOGS, which allows reading system logs. The former opens the door to identity theft, while the latter turns the app into a spy with access to user actions and the activity of other apps. On iOS, there are requests for constant access to geolocation and to the local network. The former yields a complete history of movements, while the latter allows silent scanning of home and office devices and the search for attack targets. Developers justify these permissions by citing automatic node selection or network security checks, but for a VPN these are excessive and dangerous capabilities.
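One way a security team can check a BYOD-installed VPN client against the Android permissions named above, as an added example that is not part of the article or the Zimperium report: parse the app's AndroidManifest.xml (extracted with any decompiler), flag the permissions a VPN has no business requesting, and confirm that its tunnel service is protected by the BIND_VPN_SERVICE permission that Android requires on any VpnService. The deny-list and the sample manifest are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions the article singles out as unnecessary for a VPN and the risk each carries.
# This deny-list is an assumption for the example; extend it to your own policy.
FLAGGED = {
    "android.permission.AUTHENTICATE_ACCOUNTS": "manages accounts and tokens (identity theft)",
    "android.permission.READ_LOGS": "reads system logs (user and other apps' activity)",
}

# Constructed sample manifest standing in for a decompiled free VPN app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.AUTHENTICATE_ACCOUNTS"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """All <uses-permission> names, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def audit_vpn_manifest(manifest_xml: str) -> dict[str, str]:
    """Return {permission: reason} for every flagged permission the app requests."""
    return {p: FLAGGED[p] for p in requested_permissions(manifest_xml) if p in FLAGGED}


def has_protected_vpn_service(manifest_xml: str) -> bool:
    """True if some <service> is guarded by BIND_VPN_SERVICE, as a real VpnService must be."""
    root = ET.fromstring(manifest_xml)
    return any(svc.get(PERM_ATTR) == "android.permission.BIND_VPN_SERVICE"
               for svc in root.iter("service"))


if __name__ == "__main__":
    for perm, why in audit_vpn_manifest(SAMPLE_MANIFEST).items():
        print(f"FLAG {perm}: {why}")
    print("VpnService protected:", has_protected_vpn_service(SAMPLE_MANIFEST))
```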
Another alarming finding concerns private entitlements on iOS. Over six percent of apps, thirty in total, requested entitlements that grant deep access to system functions. Such a request is a red flag: even if the platform refuses it, the mere attempt signals an intention to go beyond the public APIs. Entitlements of this kind allow making privileged system calls, retrieving sensitive data from memory, and escalating privileges.
The conclusion is simple and unpleasant.
Not all VPNs are equally useful, especially free ones. For home users, this is a privacy risk; for businesses that run company-owned and personal devices in the same environment, it is also a business risk.