Notebookcheck Logo

Your free VPN on Android often offers less protection than you might think

A hand is holding a smartphone with the VPN app open
ⓘ Stefan Coders / Pexels
Many free VPNs leak data or track their users.
A study examined 281 free VPN apps from the Google Play Store, which collectively have over 2.4 billion installations. Many of them leak data, track their users, or use outdated encryption. Five of them can even be hijacked over Wi-Fi. Here's how to spot a trustworthy app.

A VPN is supposed to route your data traffic through an encrypted tunnel so that neither your internet service provider nor anyone eavesdropping on the Wi-Fi network can see what you’re doing. The catch is that, from that point on, the VPN app itself can see everything. You’re simply shifting your trust from your internet service provider to the company that built the app. A new study shows that many free providers don’t deserve that trust.

Researchers from the University of Michigan, the University of New Mexico, and IIT Delhi tested 281 free VPN apps from the Google Play Store on Android 14 devices. They presented the results using their testing framework, MVPNalyzer, at the NDSS security conference; the University of Michigan published the study in July. The apps tested that had at least one issue collectively account for over 2.4 billion installations.

Five apps can be hijacked over Wi-Fi

The most dangerous finding concerns five apps that load their configuration file unencrypted. This file specifies which server the app connects to. If it travels across the network in plain text, an attacker on the same Wi-Fi network, such as the operator of a public hotspot, can alter it en route and redirect the connection to their own server. The user sees the familiar “Connected” screen but is still routing all traffic through the attacker. The researchers replicated and confirmed this attack on their own devices. Of the five reported providers, two responded and promised to switch to HTTPS; three did not respond.

Leaks and trackers, despite promises to the contrary

29 apps allowed data traffic to leak out of the tunnel. 24 of these exposed DNS queries, thereby revealing the visited websites to the local network; these apps alone account for around 360 million installations. Six leaked all traffic, and four operated tunnels without any encryption at all.

Tracking is particularly troubling, since many people install a VPN specifically to prevent it. 76 apps transmitted the device’s advertising ID, which advertisers use to track a person across different apps. More than 80 percent, specifically 246 apps, contacted known advertising and tracking servers and sent details such as model, operating system version, and screen size. Individually harmless, together they form a fingerprint that uniquely identifies a device. One app even sent the exact GPS coordinates. The case of PromptSnatcher recently demonstrated how easily disguised software can secretly eavesdrop.

Outdated encryption under the hood

The researchers also analyzed the OpenVPN configuration files of 108 apps. Only a single one met all the security requirements tested. About 89 percent relied on only one authentication method instead of combining a password and a certificate. Nearly one in five used weak or outdated encryption, including the old Blowfish and Triple DES algorithms, which are known to have vulnerabilities. Some completely disabled encryption within the tunnel. The common thread is simple: the apps receive little maintenance, and the Play Store’s automated checks let them slip through. According to the study, the “Verified” badge for VPN apps serves more as a marketing ploy than as a genuine security guarantee.

Not an isolated case

Other investigations point in the same direction. In August 2025, Citizen Lab and Arizona State University found several popular Android VPN apps, with a combined total of over 700 million downloads, that were secretly connected to one another, shared hard-coded passwords, and collected location data. In October 2025, the security firm Zimperium reported that three of approximately 800 free VPNs tested were still running a version of OpenSSL vulnerable to Heartbleed, a vulnerability that had already been patched in 2014.

What you can do yourself

The most serious flaws, unencrypted configuration and weak tunnel settings, are not visible from the outside. That is precisely the problem. The best defense, therefore, isn’t the advertised protocol, but rather the question of who is behind the app. Give preference to providers that publish a recent, independent security audit. Be cautious of free apps that bombard you with ads. And treat claims like “verified” or “no logs” as a starting point, not as proof. If you’re looking for the complete list of apps of concern, you’ll find it in the appendix to the study.

Google LogoAdd as a preferred source on Google
Mail Logo

No comments for this article

Got questions or something to add to our article? Even without registering you can post in the comments!
No comments for this article / reply

static version load dynamic
Loading Comments
Comment on this article
> Expert Reviews and News on Laptops, Smartphones and Tech Innovations > News > News Archive > Newsarchive 2026 07 > Your free VPN on Android often offers less protection than you might think
Steffen Zahn, 2026-07-12 (Update: 2026-07-12)