New research from ICFP Fellow Benjamin Mixon-Baca finds that eight providers of popular, commercial VPN applications appear to hide the ownership and operations of their services, and contain serious privacy and security issues that put more than 700 million users at risk of authoritarian surveillance. Three of these providers are linked to the PLA and there is evidence that a Chinese national owns all eight.

to uncover who owns, operates, and develops 32 popular VPNs on the Google Play Store (with more than one billion downloads, collectively). These VPN apps are distributed by 21 seemingly distinct VPN providers and serve users in India, Indonesia, Russia, Pakistan, Saudi Arabia, Turkey, UAE, Bangladesh, Egypt, Algeria, Singapore, and Brazil.

Hard-coded passwords in their configuration that are shared across all users: The password is embedded within the source code, instead of stored securely elsewhere and retrieved at runtime. The fact that the password credentials are in the app code itself, makes them easily accessible to anyone who can view the code. An attacker who knows the password can decrypt the VPN’s encryption for all users, exposing the content they are accessing. This significantly compromises user security and privacy.

Susceptibility to blind-in/on-path client/server-side attacks (client side confirmed, server side implied): An attacker can intercept and even modify communication without the knowledge of the user, a serious violation of their privacy and security.

using products such as TurboVPN, VPN Proxy Master and Snap VPN (supplied by the first cluster of providers), presents far more risk to user security and privacy than using a paid VPN app. This is because free commercial VPNs tend to capitalize on their users’ data, potentially using ethically questionable practices in their development, marketing, and operations.

Clearly, VPNs are a honeypot.