A team of researchers from the University of Berkeley, University of new South Wales and Commonwealth Scientific and Industrial Research Organization (CSIRO) analyzed 283 Android VPNs and discovered that the majority don't do a very good job of protecting users' privacy and aren't very secure either. VPN users expect that their communications are secured. However, the researchers revealed that Android users are using apps that lack encryption, track user activity, infected with malware, manipulate HTTP traffic and intercept TLS traffic. Ars technia has a good summary of the results.
- 18 percent didn't encrypt traffic at all, a failure that left users wide open to man-in-the-middle attacks when connected to Wi-Fi hotspots or other types of unsecured networks
- 84 percent leaked traffic based on the next-generation IPv6 internet protocol, and 66 percent don't stop the spilling of domain name system-related data, again leaving that data vulnerable to monitoring or manipulation
- Of the 67 percent of VPN products that specifically listed enhanced privacy as a benefit, 75 percent of them used third-party tracking libraries to monitor users' online activities. 82 percent required user permissions to sensitive resources such as user accounts and text messages
- 38 percent contained code that was classified as malicious by VirusTotal, a Google-owned service that aggregates the scanning capabilities of more than 100 antivirus tools
- Four of the apps installed digital certificates that caused the apps to intercept and decrypt transport layer security traffic sent between the phones and encrypted websites
The study doesn't paint a very good picture for Android VPN providers. Users should only install VPN apps from Google Play and read app reviews before downloading. One highly rated VPN app is F-Secure Freedome VPN, which blocks all traffic from a pre-defined list of Web and mobile-tracking domains, including Google Ads, DoubleClick, Google Tag, and comScore.