Recent research highlights potential privacy risks associated with using Virtual Private Networks (VPNs), even those that require a subscription fee. While VPNs are commonly regarded as effective tools for enhancing privacy and cybersecurity, a study conducted by Top10VPN reveals concerning issues with popular paid VPN apps available on Android.
The study assessed 30 leading paid VPN applications, including well-known services such as NordVPN, ExpressVPN, Proton VPN, and Surfshark. Alarmingly, over half of these applications exhibited data leakage problems in various forms. Additionally, three specific apps were found to compromise user privacy by sharing personal information in potentially dangerous ways.
One key finding indicated that certain applications did not encrypt Server Name Indication (SNI) for all server connections, which can expose information about users’ browsing behavior. This poses a significant risk for individuals residing in countries with stringent internet restrictions or those operating within limited network environments.
Moreover, several applications, including HMA!, Private VPN, Mozilla VPN, Privado, VyprVPN, X-VPN, and Avira Phantom, were identified as leaking DNS requests. While this type of leak is not considered critical, it underscores deficiencies in VPN configurations that can impact user privacy.
Particularly concerning is the FastestVPN service, which was flagged as unacceptably insecure due to its practice of revealing user email addresses in plain text within server request headers.
The study further discovered that seven VPN applications contain embedded tracking codes linked to advertisers and data brokers, raising additional privacy concerns. Specifically, VPN Unlimited and Hotspot Shield were noted for sharing user data, while X-VPN was criticized for its inadequate data-sharing practices.
Although VPN encryption is typically effective, there are still seven applications that do not utilize the latest version of Transport Layer Security (TLS) for establishing VPN tunnels. Notably, Avira Phantom employs the outdated SSLv2 protocol, which is deemed insecure.
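Two of the findings above, plaintext SNI on server connections and outdated TLS versions offered for the tunnel, can both be checked from the very first packet a VPN client sends, because the ClientHello carries the target host name and the protocol versions in the clear. The following is an added example, not code from the article or from Top10VPN, that builds constructed (not captured) ClientHello records and parses them to report the exposed SNI and the highest protocol version offered, including the legacy SSLv2 framing named for Avira Phantom. The host name `vpn-gateway.example` and the cipher suite list are assumptions chosen for the demo; on a real capture you would feed `assess()` the first record of the client side of the TCP stream.

```python
import struct

# TLS record/handshake constants (RFC 8446 framing); SSLv2 uses its own framing, handled below
HANDSHAKE, CLIENT_HELLO = 0x16, 0x01
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B
VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS 1.0",
                 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def build_client_hello(sni=None, legacy_version=0x0303, supported_versions=()):
    """Constructed (not captured) TLS ClientHello record, for offline testing."""
    ext = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = struct.pack("!BH", 0, len(host)) + host            # name_type 0 = host_name
        lst = struct.pack("!H", len(entry)) + entry
        ext += struct.pack("!HH", EXT_SERVER_NAME, len(lst)) + lst
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext += struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, len(vers) + 1, len(vers)) + vers
    body = (struct.pack("!H", legacy_version) + bytes(32)          # version, fixed zero random
            + b"\x00"                                              # empty session_id
            + struct.pack("!H", 4) + b"\x13\x01\x13\x02"            # two assumed cipher suites
            + b"\x01\x00"                                          # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs


def build_sslv2_client_hello():
    """Constructed SSLv2 CLIENT-HELLO: 2-byte header with high bit set, msg type 1, version 0x0002."""
    body = b"\x01\x00\x02" + struct.pack("!HHH", 0, 0, 16) + bytes(16)  # no ciphers, 16-byte challenge
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


def parse_client_hello(record):
    """Extract legacy version, SNI host name and supported_versions from one ClientHello."""
    if record and record[0] & 0x80 and len(record) >= 5 and record[2] == CLIENT_HELLO:
        v = struct.unpack("!H", record[3:5])[0]                      # SSLv2 framing
        return {"legacy_version": v, "sni": None, "supported_versions": [], "max_version": v}
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        legacy = struct.unpack("!H", body[0:2])[0]
        pos = 2 + 32                                                 # skip version and random
        pos += 1 + body[pos]                                         # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]         # cipher_suites
        pos += 1 + body[pos]                                         # compression_methods
        info = {"legacy_version": legacy, "sni": None, "supported_versions": []}
        if pos + 2 <= len(body):                                     # extensions are optional
            end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
                if etype == EXT_SERVER_NAME:
                    p = 2                                            # skip ServerNameList length
                    while p + 3 <= len(data):
                        ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                        if ntype == 0:
                            info["sni"] = data[p + 3:p + 3 + nlen].decode("ascii")
                        p += 3 + nlen
                elif etype == EXT_SUPPORTED_VERSIONS:
                    info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                                  for i in range(1, 1 + data[0], 2)]
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    # TLS 1.3 clients keep legacy_version at 0x0303 and signal 1.3 only via supported_versions
    sv = info["supported_versions"]
    info["max_version"] = max(sv) if sv else legacy
    return info


def assess(record):
    """Return (info, findings) for one ClientHello: plaintext SNI exposure and protocol age."""
    info = parse_client_hello(record)
    findings = []
    if info["sni"] is not None:
        findings.append(f"plaintext SNI reveals destination host: {info['sni']}")
    name = VERSION_NAMES.get(info["max_version"], hex(info["max_version"]))
    if info["max_version"] < 0x0303:
        findings.append(f"insecure protocol offered: {name}")
    elif info["max_version"] < 0x0304:
        findings.append(f"not the latest TLS version: {name}")
    return info, findings


if __name__ == "__main__":
    samples = {  # all constructed for the demo, not real VPN traffic
        "tls13 with sni": build_client_hello("vpn-gateway.example", supported_versions=(0x0304, 0x0303)),
        "tls10 no sni": build_client_hello(None, legacy_version=0x0301),
        "sslv2": build_sslv2_client_hello(),
    }
    for label, rec in samples.items():
        print(label, assess(rec)[1])
```

The parser reads only the unencrypted part of the handshake, which is exactly the point: anyone on the path between the VPN app and its server sees the same host name and version list. Encrypted Client Hello (ECH) is what removes the host name from this view; a client that does not use it will always show up with a non-empty `sni`.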
In light of these findings, Top10VPN expert Simon Migliano advises users to exercise caution when selecting a VPN application, even if it is a paid service. He stresses the importance of thoroughly reviewing a provider’s privacy policy and data protection practices prior to usage. Users are also encouraged to keep their VPN applications updated and to consider using additional security tools to enhance their overall cybersecurity.