We looked at 283 Android VPN apps and discovered the very reason users install these apps – to protect their data – is the very function they are not performing.
Hooded person holding a red card

Hooded person holding a red card with digital

Virtual Private Networks aren’t as private as the name suggests.

Have you ever been spied on? Or worse, maybe you have and don’t even know it.

Whether it’s the Peeping Tom lurking in the bushes or Big Brother monitoring our every move, the thought of being followed makes us uncomfortable (and a tad paranoid).

Privacy is important to us – both our physical and virtual privacy that is. Our online identities are extremely valuable, however, our ability to control who sees what is limited.

With more personal information being collected than ever before, people are seeking to secure and anonymise their data.

You may have heard of this thing called a VPN – Virtual Private Network? No doubt you won’t need much schooling on what a VPN is if you are: a) a regular torrent user or b) a sports enthusiast trying to watch the latest game behind a region-restricted pay wall.

But now that mobile phones are essentially mobile computers, millions of users worldwide are turning to mobile VPN apps to hide their browsing activity, access region-restricted content and ensure their data is secure when using public Wi-Fi networks.

We recently published a report with the University of New South Wales and the University of Berkeley has revealed that these apps are not as secure as they make out to be.

The first analysis of its kind, the report looked at 283 Android VPN apps, investigating a wide range of security and privacy features.VPN facts from the study

Alarmingly, the report uncovered that not only did 18 per cent of the apps fail to encrypt users’ traffic but 38 per cent injected malware or malvertising – software designed to damage or gain access to the users’ information. The very reason users install these apps – to protect their data – is the very function they are not performing and these apps have been installed by tens of millions of users.

And what’s more, the report found that over 80 per cent of apps requested to access sensitive data such as user accounts and text messages.

While most of the examined apps offer (some form of) online anonymity, some app developers deliberately sought to collect personal user information that could then be sold on to external partners.

Ironically, the report found that less than 1 percent of users had any security or privacy concerns about these apps.

Our Professor and Senior Principal Researcher in Online Privacy and Security, Dali Kaafar explained that the findings of the study were shared with developers whose apps displayed security shortcomings.

“Several of them [app developers] took actions to fix the identified vulnerabilities.  Some apps were even removed from the Google Play Store,” said Mr Kaafar.

Mr Kaafar encourages users to shop around, compare functionality and read app reviews before signing up to a particular VPN app to avoid falling for the illusion of privacy that some of these apps offer.

“Always pay attention to the permissions requested by apps that you download. This study shows that VPN app users, in particular, should take the time to learn about how serious the issues with these apps are and the significant risks they are taking using these services.”

Read the full report here.



  1. Pingback: Tinker, Torrentor, Streamer, Spy: VPN privacy alert – CSIRO blog | ExtendTree

  2. You can create on demand OpenVPN Endpoints on AWS if you trust amazon https://github.com/ttlequals0/autovpn

  3. I too would very much like to see the posting of the raw data

  4. Pingback: Tinker, Torrentor, Streamer, Spy: VPN privacy alert - CSIRO blog

  5. Is the raw data available? Surely I’m not the only one who’d like to look at how your research assessed my favorite VPN client.

    1. Came here to ask the same thing. Would be great if the data was on a Web page so we could see the performance of individual apps.

    2. Indeed. The ten worst apps are named and shamed, but not the best. A list of the AV rankings for all 283 would be helpful.

    3. I would love to see the data as well.

    4. I 100% agree the raw data should be published.

    5. Seconded – I’d really like to see the score for my chosen app!

    6. Hi Akraut,

      Our research focuses on outlining the security and privacy issues that users should be aware of when using android VPN apps. Our findings are the result of a particular set of tests, on particular number of apps, at a particular point in time. To ensure the context in which these apps were assessed is considered when reviewing a specific app, we encourage readers to review our report via the link available on the blog. We are unable to disclose the raw data.

      CSIRO Social Media

Commenting on this post has been disabled.