Your free VPN on Android often offers less protection than you might think

A VPN is supposed to route your data traffic through an encrypted tunnel so that neither your internet service provider nor anyone eavesdropping on the Wi-Fi network can see what you’re doing. The catch is that, from that point on, the VPN app itself can see everything. You’re simply shifting your trust from your internet service provider to the company that built the app. A new study shows that many free providers don’t deserve that trust.
Researchers from the University of Michigan, the University of New Mexico, and IIT Delhi tested 281 free VPN apps from the Google Play Store on Android 14 devices. They presented the results using their testing framework, MVPNalyzer, at the NDSS security conference; the University of Michigan published the study in July. The apps tested that had at least one issue collectively account for over 2.4 billion installations.
Five apps can be hijacked over Wi-Fi
The most dangerous finding concerns five apps that load their configuration file unencrypted. This file specifies which server the app connects to. If it travels across the network in plain text, an attacker on the same Wi-Fi network, such as the operator of a public hotspot, can alter it en route and redirect the connection to their own server. The user sees the familiar “Connected” screen but is still routing all traffic through the attacker. The researchers replicated and confirmed this attack on their own devices. Of the five reported providers, two responded and promised to switch to HTTPS; three did not respond.
Leaks and trackers, despite promises to the contrary
29 apps allowed data traffic to leak out of the tunnel. 24 of these exposed DNS queries, thereby revealing the visited websites to the local network; these apps alone account for around 360 million installations. Six leaked all traffic, and four operated tunnels without any encryption at all.
Tracking is particularly troubling, since many people install a VPN specifically to prevent it. 76 apps transmitted the device’s advertising ID, which advertisers use to track a person across different apps. More than 80 percent, specifically 246 apps, contacted known advertising and tracking servers and sent details such as model, operating system version, and screen size. Individually harmless, together they form a fingerprint that uniquely identifies a device. One app even sent the exact GPS coordinates. The case of PromptSnatcher recently demonstrated how easily disguised software can secretly eavesdrop.
Outdated encryption under the hood
The researchers also analyzed the OpenVPN configuration files of 108 apps. Only a single one met all the security requirements tested. About 89 percent relied on only one authentication method instead of combining a password and a certificate. Nearly one in five used weak or outdated encryption, including the old Blowfish and Triple DES algorithms, which are known to have vulnerabilities. Some completely disabled encryption within the tunnel. The common thread is simple: the apps receive little maintenance, and the Play Store’s automated checks let them slip through. According to the study, the “Verified” badge for VPN apps serves more as a marketing ploy than as a genuine security guarantee.
Not an isolated case
Other investigations point in the same direction. In August 2025, Citizen Lab and Arizona State University found several popular Android VPN apps, with a combined total of over 700 million downloads, that were secretly connected to one another, shared hard-coded passwords, and collected location data. In October 2025, the security firm Zimperium reported that three of approximately 800 free VPNs tested were still running a version of OpenSSL vulnerable to Heartbleed, a vulnerability that had already been patched in 2014.
What you can do yourself
The most serious flaws, unencrypted configuration and weak tunnel settings, are not visible from the outside. That is precisely the problem. The best defense, therefore, isn’t the advertised protocol, but rather the question of who is behind the app. Give preference to providers that publish a recent, independent security audit. Be cautious of free apps that bombard you with ads. And treat claims like “verified” or “no logs” as a starting point, not as proof. If you’re looking for the complete list of apps of concern, you’ll find it in the appendix to the study.





