A recent report warns that free “VPN” apps on iOS and Android may expose user data.

384/68 Monday, October 6, 2025

A new study by Zimperium zLabs revealed alarming findings for millions of users who rely on free Virtual Private Network (VPN) apps on iOS and Android to protect their online privacy. The analysis of nearly 800 free apps found that many not only fail to safeguard users but also expose critical data to serious security and privacy risks. Technical vulnerabilities were uncovered, such as the use of outdated and insecure software, including the presence of the infamous Heartbleed bug (CVE-2014-0160) in some apps. This flaw allows remote attackers to read sensitive information such as secret keys, usernames, and passwords. In addition, around 1% of the apps were found to be susceptible to Man-in-the-Middle (MitM) attacks, enabling attackers to intercept and read all user traffic.

Another major concern identified was Permission Abuse. For instance, some iOS VPN apps request continuous location access (LOCATION_ALWAYS), which is unrelated to the core purpose of VPN services. Similarly, certain Android apps ask for permission to read complete system logs, potentially allowing them to build detailed behavioral profiles of users—essentially functioning as advanced keyloggers. These practices indicate that such apps could act as surveillance tools beyond their intended functions, raising serious concerns about user privacy. Alarmingly, 25% of iOS VPN apps were found lacking proper Privacy Manifest declarations, further highlighting transparency issues.
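As an added example (not from the report or from Zimperium), here is a small Python vetting check a BYOD administrator could run against an extracted app's AndroidManifest.xml or an iOS bundle's Info.plist and file list: it flags the permissions the report calls out, notes a missing Privacy Manifest, and warns when an Android "VPN" never declares a VpnService. The red-flag lists, package identifiers and sample inputs are constructed assumptions; the permission names and plist keys are the real platform identifiers.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a VPN client has no core need for. This list is the reviewer's own
# (assumption), seeded with the two behaviours the report calls out.
ANDROID_RED_FLAGS = {
    "android.permission.READ_LOGS": "reads full system logs (behavioural profiling, keylogger-like)",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "continuous location, unrelated to tunnelling",
}
IOS_RED_FLAGS = {
    "NSLocationAlwaysAndWhenInUseUsageDescription": "always-on location (LOCATION_ALWAYS), unrelated to tunnelling",
}

def audit_android_manifest(manifest_xml: str) -> list[str]:
    """Return findings for an AndroidManifest.xml: flagged permissions, plus a note
    if no service is bound with BIND_VPN_SERVICE (the app cannot be a real VPN)."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in ANDROID_RED_FLAGS:
            findings.append(f"{name}: {ANDROID_RED_FLAGS[name]}")
    has_vpn_service = any(
        svc.get(ANDROID_NS + "permission") == "android.permission.BIND_VPN_SERVICE"
        for svc in root.iter("service")
    )
    if not has_vpn_service:
        findings.append("no service bound with BIND_VPN_SERVICE: app does not implement a VPN")
    return findings

def audit_ios_bundle(info_plist: bytes, bundle_files: set[str]) -> list[str]:
    """Return findings for an iOS bundle from its Info.plist bytes and top-level file names."""
    info = plistlib.loads(info_plist)
    findings = [f"{k}: {v}" for k, v in IOS_RED_FLAGS.items() if k in info]
    if "PrivacyInfo.xcprivacy" not in bundle_files:
        findings.append("missing PrivacyInfo.xcprivacy (no Privacy Manifest declaration)")
    return findings

# Constructed sample inputs (not taken from the report or any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <application>
    <service android:name=".TunnelService" android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_INFO_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.example.freevpn", "NSLocationAlwaysAndWhenInUseUsageDescription": "Needed to pick the nearest server"})

if __name__ == "__main__":
    print(audit_android_manifest(SAMPLE_MANIFEST))
    print(audit_ios_bundle(SAMPLE_INFO_PLIST, {"Info.plist", "freevpn"}))
```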

For organizations adopting Bring-Your-Own-Device (BYOD) policies, insecure VPN apps could become the weakest link, exposing sensitive business data to unnecessary risks. Experts emphasize that both enterprises and individuals must recognize the real dangers of free mobile VPNs: what appears to be a privacy shield may, in fact, be the greatest threat to one’s data. Security specialists recommend that organizations implement multi-layered response strategies, including endpoint visibility and management, and shift away from perimeter-based security models toward content-level data security. This ensures that connections to websites and services remain trustworthy, even when traditional visibility is compromised.

Source: https://hackread.com/studyfree-ios-android-vpn-apps-leak-data/