Do Not Use These Free Apps On Your iPhone Or Android Phone

Source: Forbes

Here we go again. A new warning for iPhone and Android users installing a specific type of free app on their smartphones, a "significant number" of which "exhibit dangerous behaviors." Downloads of these apps are now surging, putting millions at risk.

We're talking VPNs, virtual private networks that supposedly secure data transmitted between your device and the websites and platforms you use. This works by routing all that traffic via third-party servers, which also masks your location and device.

This new warning comes from Zimperium. "VPNs are trusted by millions to protect privacy, secure communications, and enable remote access on their mobile device. But what if the very apps designed to safeguard your data are riddled with flaws?"

The warning is just the latest of many issued in the wake of VPN use surging, driven by porn bans and restrictions, public WiFi security advisories, even TikTok's mini-ban. VPNs are a critical security tool -- but if you don't use a rock-solid, blue-chip platform, then it's more dangerous than using nothing at all. And that means a paid app.

Zimperium's zLabs team, which conducted the research, reports that "a broad-scale security and privacy analysis of 800 free VPN apps for both Android and iOS reveals the threat is far more widespread."

Findings included:

Zimperium focuses on enterprise more than consumer risk. Here again threats are rising. "These mobile VPN apps, even popular ones, can become the weakest link in an organization's security posture, exposing sensitive business data to unnecessary risk."

Free VPNs are often compiled from software libraries and components. "This practice exposes users to risks that have been understood and patched for years, indicating a significant lack of security maintenance on the part of the app developers."

But the comms channel itself is an even bigger risk -- that's the entire point of a VPN. "Weaknesses or a lack of robust security in this channel can lead to interception, identity spoofing, and the exposure of users to severe network-based threats."

And then there are hygiene factors -- mislabelling data harvesting practices, a huge no-no when it comes to VPNs, which should collect and store nothing. That's part of wider permission abuse issues, which continue to plague iPhone and especially Android.

The U.S. government warns users that "personal VPNs simply shift residual risks from your internet service provider (ISP) to the VPN provider, often increasing the attack surface." And where that VPN is insecure, those dangers are much more serious.

Kaspersky has reported a staggering increase in the number of free VPNs available on app stores. These dominate the download charts, and users who are new to VPNs are almost certain to opt for a popular free option rather than a monthly fee. Don't.

"Users tend to believe that if they find a VPN app in an official store it is safe," Kaspersky says, "and they think it is even better if this VPN service is free! However, this often ends up being a trap."