Publication TOP10VPN, engaged in the review and verification of VPN services, testing 100 of the most popular Free VPN applications for the ANDROID platform with over 2.5 billion installations (the checks were conducted on the first 100 free VPN applications with the largest number of downloads from the Google Play catalog). The main conclusions are as follows:
- 88 out of the tested programs have certain problems that could lead to information leaks. In 83 of these applications, the leaks were caused by connecting to third-party DNS servers (not the VPN provider’s servers). For example, in 40 cases, DNS Google was used, and in 14 cases, Cloudflare was used. Additionally, 79 applications had leaks that allowed traffic to bypass the VPN. In 17 applications, multiple types of leaks were identified simultaneously (disclosure of the user’s IPV4 and IPV6 source by sites, leaks via DNS, and WebRTC).
- 11 applications were found to be using outdated pseudo-random number generators. One application did not use traffic encryption at all. Additionally, 35 applications used outdated cryptographic algorithms (only 20 programs used reliable hashing methods). Furthermore, 23 applications allowed the use of old versions of TLS (TLSV1, TLSV2) when establishing a VPN tunnel to connect to external servers, while 6 applications used SSLV2.
/Reports, release notes, official announcements.