ZDNET's key takeaways
An analysis of 800 free VPNs reveals serious security issues.
Dangerous behaviors were also found, including strange permission requests.
These findings remind us why choosing a reputable free VPN provider is crucial.
New research has revealed serious flaws in approximately 800 free VPNs that could compromise your device, security, and privacy.
VPNs are crucial security tools that provide users with a layer of encryption and IP masking to keep data secure and to mitigate the risk of users being monitored online. However, VPN users place a lot of trust in these services -- and if the provider does not maintain strong security practices, it negates the point of using a VPN in the first place.
Only a few free VPNs seem to care about the security of their users and do not employ shady data collection practices or conduct malicious activities -- and zLabs' latest research now appears to back this up.
Zimperium zLabs researchers published the results of a study that examined the security of roughly 800 free Virtual Private Network (VPN) services available in the Android and iOS ecosystems -- and the results are less than comforting.
According to the team, many free VPN apps provide "no real privacy at all."
Risky behaviors
zLabs researchers separated the security issues they uncovered into five categories. In total, 65.13% of the apps demonstrated issues in the first category, risky behaviors and APIs. These included some VPNs possessing the ability to take covert snapshots of user interfaces, as well as insecure activity launches, which could lead to the app being forced into an insecure state, user input injection and capture, and data exposure.
Additionally, weaknesses were identified in exported content provider systems that could also lead to data theft and privilege escalation.
Problematic permissions
The researchers' second category relates to permissions and the trend of "requesting permissions that extend far beyond an application's core functionality." In total, close to 41% of the apps examined by the team requested problematic permissions, including the right to act as an Android account authenticator, alongside requests to always be able to access a device's location -- even when the VPN was inactive.
Furthermore, some VPN apps requested "read-logs" permission, which could expose a vast amount of data about the user, including user actions, system events, and app activities.
"A normal, legitimate application has no justifiable need to read system-wide logs. Its presence should be considered a strong indicator of malicious intent," the study reads.
On iOS, 30 VPN apps also requested private entitlements, which are likely far out of scope for a VPN service. These entitlements could allow the app to access private APIs, steal data, and potentially execute code on a vulnerable device.
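For the Android findings above (the read-logs, account-authenticator and always-on location permissions, plus exported content providers), the following is an added example, not code from ZDNET or Zimperium, of how a reviewer could flag them in a decoded AndroidManifest.xml. The mapping from the article's wording to specific Android permission names, the function name and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of the article's descriptions to Android permission names.
RISKY_PERMISSIONS = {
    "android.permission.READ_LOGS": "reads system-wide logs",
    "android.permission.AUTHENTICATE_ACCOUNTS": "acts as an account authenticator",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location access while app is not in use",
}

def audit_manifest(xml_text):
    """Return sorted (kind, name, reason) findings for a decoded manifest."""
    # A real manifest never carries a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("manifest contains a DTD; refusing to parse")
    root = ET.fromstring(xml_text)
    findings = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for perm in root.iter(tag):
            name = perm.get(ANDROID + "name", "")
            if name in RISKY_PERMISSIONS:
                findings.append(("permission", name, RISKY_PERMISSIONS[name]))
    for prov in root.iter("provider"):
        # Only an explicit exported="true" is checked, not legacy defaults.
        exported = prov.get(ANDROID + "exported", "false").lower() == "true"
        guarded = prov.get(ANDROID + "permission") or (
            prov.get(ANDROID + "readPermission") and prov.get(ANDROID + "writePermission"))
        if exported and not guarded:
            name = prov.get(ANDROID + "name", "?")
            findings.append(("provider", name, "exported with no permission guard"))
    return sorted(findings)

# Constructed sample manifest (hypothetical package and component names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <application>
    <provider android:name=".ConfigProvider" android:exported="true"/>
    <provider android:name=".StatsProvider" android:exported="true"
        android:permission="com.example.freevpn.READ_STATS"/>
    <provider android:name=".InternalProvider" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

The input is the text form of the manifest, as produced by a decoding tool; the binary XML inside an APK has to be decoded first.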
Unpatched libraries
Problematic libraries, which could lead to some of the most severe security problems, were also found in a small number of cases. Outdated, third-party libraries that have not been patched against known vulnerabilities not only show a lack of patch maintenance but could also provide a direct pathway to user devices for threat actors.
For example, three apps were discovered that utilize an outdated OpenSSL library, leaving them vulnerable to Heartbleed, a remotely exploitable flaw in the open-source library that was disclosed in 2014 and affected millions of websites.
Other issues
Communication channel security flaws were also uncovered. In total, 1% of the apps studied were vulnerable to Man-in-the-Middle (MitM) attacks, which completely negates the point of a VPN using encryption to create a safe online communication tunnel.
zLabs also found that, on iOS, misleading or missing labels were a consistent problem in free VPN services. Although Apple imposes these labels to ensure developers can justify requests for access to APIs, the team's analysis found "widespread discrepancies and non-compliance," and in 25% of cases where mislabeling was found, the apps "failed to include a valid privacy manifest at all."
The Zimperium zLabs study builds upon a recent academic study that suggested hidden ties between free VPN services, with various tactics implemented to conceal the connections between supposedly independent services. In this research, academics also identified security issues such as hard-coded credentials and weak encryption protocols.
Which free VPNs are safe?
ZDNET extensively tests VPNs to help readers make informed choices. For a list of free VPNs that ZDNET recommends, check out our roundup of the best free VPNs.