A large-scale study of free virtual private network (VPN) apps has uncovered serious privacy and security risks that affect both consumers and enterprises.
The analysis, conducted by Zimperium zLabs, reviewed 800 VPN applications available for Android and iOS and found that many failed to deliver the protection users expect.
Major Security and Privacy Weaknesses
The report, A Deeper Dive: Unpacking the VPN Threat Landscape, showed that free VPN apps often expose users to more danger than they prevent.
Among the issues discovered were outdated libraries, weak encryption practices, misleading privacy disclosures and dangerous permission requests that extend far beyond what a VPN should need.
Researchers highlighted several troubling findings:
- Some apps continue to use vulnerable libraries such as outdated versions of OpenSSL, including those still susceptible to the infamous Heartbleed bug
- Roughly 1% of apps allowed Man-in-the-Middle (MitM) attacks, which can let attackers intercept and decrypt traffic
- About 25% of iOS apps failed to provide a valid privacy manifest, a core requirement under Apple’s rules
- Many apps requested excessive permissions, including access to microphones, location data or system logs
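As an added illustration of the excessive-permission finding above (this is example code, not from the Zimperium report or this article), the following script audits a decoded AndroidManifest.xml and flags permissions a VPN client has no business requesting. The expected-permission baseline, the red-flag list and the sample manifest are assumptions constructed for the example; a real manifest would first be decoded from the APK to plain XML.

```python
# Added example: audit a decoded AndroidManifest.xml for permissions that
# go beyond what a VPN app should need. Baseline and flags are assumptions.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline of what a plain VPN client plausibly needs (not from the report).
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.POST_NOTIFICATIONS",
}

# Permissions the article singles out as excessive for a VPN, with the risk each carries.
RED_FLAGS = {
    "android.permission.RECORD_AUDIO": "microphone access",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_LOGS": "system logs",
}


def audit_manifest(xml_text: str) -> dict:
    """Return {'red_flags': {perm: reason}, 'unexpected': [perm, ...]}."""
    root = ET.fromstring(xml_text)
    requested = []
    # Both tag forms declare runtime permissions; collect android:name from each.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                requested.append(name)
    red = {p: RED_FLAGS[p] for p in requested if p in RED_FLAGS}
    unexpected = sorted(p for p in requested if p not in EXPECTED)
    return {"red_flags": red, "unexpected": unexpected}


# Constructed sample manifest for a hypothetical free VPN app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
</manifest>"""

if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    for perm, why in result["red_flags"].items():
        print(f"RED FLAG {perm}: {why}")
    print("outside baseline:", result["unexpected"])
```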
BYOD and Remote Work Increase the Stakes
The study also warned that organizations with bring-your-own-device (BYOD) policies are especially vulnerable. Even widely downloaded VPN apps can become weak links in enterprise defenses, potentially exposing sensitive corporate data.
“As more employees work remotely from home offices or while traveling, they’re not only using personal phones, they’re also using personal laptops as well, often over unsecured networks,” David Matalon, CEO at Venn, said.
“The traditional perimeter is gone, and the bring-your-own-device (BYOD) reality for remote workers requires a shift in strategy: from securing the device to securing the work itself.”
Matalon added, “VPNs continue to play a vital role in securing and anonymizing network connections, however, they can provide a false sense of security and user privacy.”
He stressed that consumer-grade VPN apps and browser extensions often lack audits, leaving users vulnerable to weak encryption and companies at risk of data loss.
A Shift to Stronger Security Models
On iOS, more than 6% of apps were found requesting private entitlements – permissions that could allow deep access to the operating system.
Although it is unclear if these requests were granted, the findings suggest poor adherence to Apple’s security guidelines.
“Organizations need a multi-layered response,” said Brandon Tarbet, director of IT & security at Menlo Security.
“Endpoint visibility and management is table stakes […] what is rapidly becoming a requirement is the need for web content-level data security.”
James Maude, field CTO at BeyondTrust, pointed out that “VPN technologies have long presented security challenges to organizations in an age of identity attacks and compromises.”
He emphasized that zero-trust approaches are vital, as compromised VPN access can expand an attacker’s reach across the network.
Vishrut Iyengar, senior solutions manager at Black Duck, added that mobile devices are now a prime target.
“Today, we are facing a concerning reality that many enterprise mobile apps still lack basic protections such as code obfuscation, secure storage and updated third-party libraries,” he explained.
Ultimately, the study concludes that many free VPNs provide little real security. Instead, they can serve as vehicles for surveillance, credential theft and even full device compromise.