Many free mobile VPN apps are based in China or have Chinese ownership

Chinese affiliation raises a sign of alarm in light of China's recent clampdown of "unauthorized" VPN services.

Roughly 60 percent of the top free mobile VPN apps returned by Google Play Store and Apple Play Store searches are from developers based in China or with Chinese ownership, raising serious concerns about data privacy, a study published today has revealed.

"Our investigation uncovered that over half of the top free VPN apps either had Chinese ownership or were actually based in China, which has aggressively clamped down on VPN services over the past year and maintains an iron grip on the internet within its borders," said Simon Migliano, Head of Research at Metric Labs, a company that runs the Top10VPN portal.

ZDNet: Black Friday 2018 deals: Business Bargain Hunter's top picks | Cyber Monday 2018 deals: Business Bargain Hunter's top picks

The researcher says he analyzed the top 20 free VPN apps that appear in searches for VPN apps on the Google and Apple mobile app stores, for both the US and UK locales.

He says that 17 of the 30 apps he analyzed (10 apps appeared on both stores) had formal links to China, either being a legally registered Chinese entity or by having Chinese ownership, based on business registration and shareholder information Migliano shared with ZDNet.

chinese-vpn-apps.png

"Furthermore, we found the majority of free VPN apps had little-to-no formal privacy protections and non-existent user support," Migliano said.

The expert says that 86 percent of the apps he analyzed had "unacceptable privacy policies." For example, some apps didn't say if they logged traffic, some apps appeared to use generic privacy policies that didn't even mention the term VPN, while some apps didn't feature a privacy policy at all. On top of this, other apps admitted in their policies to sharing data with third-parties, tracking users, and sending and sharing data with Chinese third-parties.

Almost half of the free VPN apps also appeared to take the privacy policy as a joke, with some hosting the policy as a plain text file on Pastebin, AWS servers, or raw IP addresses, with no domain name.

In addition, 64 percent of the apps also didn't bother setting up a dedicated website for their VPN service, operating strictly from the Play Store.

The results of this study should worry VPN users, from both a privacy standpoint, but also from a technical and professional point of view.

The study's results are also worrisome especially for businesses that use these apps internally or have employees who use the apps without prior approval.

Data exchanged via these VPNs, some of which may be company trade secrets, may end up being logged, and in the worst case scenario logged on Chinese servers, where it may be at the disposal of Chinese authorities, which have a long and well-documented history of hacking, favoring, and helping local businesses at the expense of foreign competitors.

In addition, China has also enacted strict regulation in the past two years that has clamped down on VPN services and has forced local VPN providers to register with state authorities in order to obtain a license to operate in the country.

This regulation has resulted in several arrests, and some VPN operators being sentenced to heavy prison sentences.

Due to its lack of legal boundaries and heavy-handed authoritarian mode of operation, the Chinese state has now a firm grasp on any VPN providers located inside its borders.

According to Migliano, users and companies should rethink their approach of using some of the above-listed apps, on both the grounds of the operator being under the possible influence of the Chinese authoritarian regime, but also due to some of these VPN provider's poor to privacy policies, a sign that they don't really value customer privacy as well.

Migliano's report, available here, lists all the problems he discovered with each of the 30 VPN apps in finer detail.

More security news:

Best Black Friday 2018 deals: