This article is more than 1 year old

Using a free VPN? Why not skip the middleman and just send your data to President Xi?

Majority of sketchy apps can be traced to China, study finds

Many popular free VPN apps are sketchy Chinese operations with dubious privacy policies, according to research.

Metric Labs' Top10VPN conducted a rare investigation into the ownership structure and responsiveness of top VPN providers who distributed their services on iOS and through Google's Play Store. 86 per cent are deemed to have substandard security policies that failed to disclose how the data was used. And 59 per cent are either Chinese-backed, or actually based in the People's Republic of China.

"It was often very challenging to verify who was actually behind these VPN apps, due to the great lengths companies went to in order to hide their ultimate ownership, and far beyond the means of the typical consumer to discover," concluded head of research Simon Migliano, who collated the data.

VPNs act kinda like a bridge: netizens' network traffic is routed through the VPN provider so that for all intents and purposes, each user appears on the internet at the location of the VPN's gateway. So, someone in the USA can use a VPN in the UK to appear as though they are using the web from Blighty. This obscures the true public IP address of the user. Also, connections to and from the user and the VPN are typically encrypted so if you're worried about your hotel or airport Wi-Fi being spied on, the VPN tunnel will mask it.

However, this means you place an enormous amount of trust in your VPN provider, which becomes effectively a second ISP. By carrying your network traffic, the VPN biz can potentially snoop on and tamper with your web browsing and internet activities. Websites and other online services that use HTTPS, or similar encryption, with mitigations to prevent man-in-the-middle eavesdropping can evade snooping VPNs.

Why you shouldn't trust a stranger's VPN: Plenty leak your IP addresses


Anything in plain-text or non-HTTPS is absolutely fair game. In any case, the VPN provider can see which websites you're attempting to connect to by looking at clear-text DNS look-ups and destination IP addresses. Ads and dodgy downloads can be injected into unsecured web pages, and any personal data siphoned off can be sold – these free apps have to make money somehow.

And yet despite the dangers, it's trivial to operate a server and post a wrapper to one of the two popular app Stores.

The VPNs Migliano studied were traced to China, Israel and Ukraine. One singled-out operator distributes the SnapVPN and Turbo VPN apps with over 10 million downloads.

VPNs are especially useful in China as tools to evade censorship and the Great Firewall, which is probably why a large number of providers can be traced back to the Middle Kingdom. VPN providers in China must be registered with the government, though, so read into that what you will.

"It is disturbing that so few of these companies even had a website while those that did avoided revealing any information about themselves and yet were able to gain credibility by virtue of being approved by Apple and Google for listing in their app stores," Migliano said.

He found that half (52 per cent) of customer support emails were personal accounts, such as Gmail or Yahoo addresses. Over eight in 10 (83 per cent) app customer support requests for assistance were ignored.

He called Apple and Google's failure to curate the apps "a dereliction of duty." ®


For what it's worth, we recommend setting one up yourself using OpenVPN, Algo, or Outline, for example, if you know what you're doing. Just don't bother with any of the free VPN services: there ain't no such thing as a free lunch. It's better to route your traffic through a machine you operate and trust.

More about

More about

More about


Send us news

Other stories you might like