VPNs offer a model of privacy where the user agrees to trust the VPN provider with their internet usage data in return for possibly gaining privacy from their ISP and/or a government.
VPNs are not a magic bullet though and you are still trusting the VPN provider not to store logs on you and not to grant information access to any third party.
Turns out that many of the free VPN providers out there are not your friend.
New research from ICFP Fellow Benjamin Mixon-Baca finds that eight providers of popular, commercial VPN applications appear to hide the ownership and operations of their services, and contain serious privacy and security issues that put more than 700 million users at risk of authoritarian surveillance. Three of these providers are linked to the PLA and there is evidence that a Chinese national owns all eight.
to uncover who owns, operates, and develops 32 popular VPNs on the Google Play Store (with more than one billion downloads, collectively). These VPN apps are distributed by 21 seemingly distinct VPN providers and serve users in India, Indonesia, Russia, Pakistan, Saudi Arabia, Turkey, UAE, Bangladesh, Egypt, Algeria, Singapore, and Brazil.
Hard-coded passwords in their configuration that are shared across all users: The password is embedded within the source code, instead of stored securely elsewhere and retrieved at runtime. The fact that the password credentials are in the app code itself, makes them easily accessible to anyone who can view the code. An attacker who knows the password can decrypt the VPN’s encryption for all users, exposing the content they are accessing. This significantly compromises user security and privacy.
Susceptibility to blind-in/on-path client/server-side attacks (client side confirmed, server side implied): An attacker can intercept and even modify communication without the knowledge of the user, a serious violation of their privacy and security.
using products such as TurboVPN, VPN Proxy Master and Snap VPN (supplied by the first cluster of providers), presents far more risk to user security and privacy than using a paid VPN app. This is because free commercial VPNs tend to capitalize on their users’ data, potentially using ethically questionable practices in their development, marketing, and operations.
I have no doubt that the free VPN providers are tracking their users and providing that access to people who want it or who are willing to pay for it. But this research does make me wonder who is actually behind the popular paid VPNs.