Is Your VPN Leaking Your Info?
Most internet-savvy people today use a VPN (Virtual Private Network). Why? Because it protects your internet traffic from being spied on by outsiders, whether that is a troublemaker on your local cafe’s WiFi, shopping websites detecting where you live, or your internet service provider watching your internet traffic for piracy.
A VPN protects you from all of these things by encrypting your internet traffic before it leaves your device and acting as a middleman that forwards your requests on to the websites you visit, hiding your personal IP address. To outsiders, your internet traffic will look like gibberish instead of looking like this:
With the rise in privacy awareness, it seems like everyone and their mom has a VPN service to offer you.
There are free VPNs with millions upon millions of users, but do they do what they promise?
Simon Migliano, from Top10VPN, recently carried out an analysis of the top 100 free VPN apps on Android. He tested things like VPN encryption failure, VPN leaks, encryption weakness, and risky permissions, as well as proprietary code and software libraries.
You might be surprised to find that 90% of free VPN apps had a VPN leak, and 70% required privacy-risking permissions.
More than 70% of the VPNs were sharing unique identifiers with third parties such as Facebook, Bytedance, and Yandex.
There was even one app that completely leaked all internet traffic; now that’s a placebo.
Nothing in life is free, and if it is - you’re paying for it!
Thanks to Simon for conducting this analysis and releasing his findings to the world for free. We’ve attached a copy of his tests below, and you can read the full report on his website.
Biggest issues for VPNs?
Thanks to the Snowden leaks and investigative journalism, we know that intelligence agencies like the NSA work with telecommunications and internet providers to monitor internet traffic flowing through major “choke points”. We know this traffic is data-mined for keywords if it is unencrypted, and there’s a real possibility that encrypted traffic is being collected for future analysis.
For these reasons, VPNs must do many things correctly to keep your internet traffic private, and free VPNs have a lot of room for improvement.
VPN Leaks
A VPN leak occurs when VPN software fails to protect your IP address, which identifies you on the internet. IP geolocation databases like MaxMind provide a location lookup service for your IP address, which is how sites automatically identify what country, state, or even city you’re visiting from.
There are two versions of IP addresses, IPv4 and IPv6. Your device will typically have both, and it’s more common for your IPv6 address to leak, because the VPN network has to support IPv6 for that traffic to be tunnelled.
A well-thought-out VPN will disable IPv6 traffic entirely so you don’t have an IPv6 address; otherwise websites will know your real location and your internet traffic will be directly connected to your device.
The study found that 15 free VPNs leaked the IPv6 address, and only 3 leaked both the IPv4 and IPv6 - which is like not using a VPN in the first place.
DNS Lookups
When you connect to any website, your device needs to know where the website is located on the internet. It does this by translating the domain name you typed into the URL bar into an IP address. It can’t do this on its own though, it needs the help of the DNS Servers (Domain Name System) which keep massive lists of domain names and their corresponding IPs.
A VPN should integrate with its own DNS servers so that your DNS requests are protected. If it doesn’t, then you’re leaking your DNS requests and anyone monitoring the network can see what websites you visit.
Free apps typically use DNS providers like Google and Cloudflare, opening you up to big tech surveillance. 83 of the VPN apps used a third-party provider instead of running their own DNS server. 11 VPNs failed to properly encrypt these DNS requests, so anyone monitoring the network could see what websites you visit.
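To make the DNS point concrete, here is an added example (not code from the original post or from Top10VPN’s report) that decodes plaintext DNS queries exactly as an observer on the network path would read them. Everything in it is standard RFC 1035 wire format; the sample queries are constructed inside the script using documentation hostnames, not captured traffic.

```python
"""Decode plaintext DNS queries to show what a network observer can read.

Added example; sample messages are constructed here, not captured traffic.
"""
import struct

QTYPE_NAMES = {1: "A", 28: "AAAA", 5: "CNAME", 65: "HTTPS"}


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted hostname as length-prefixed labels (RFC 1035)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal standard query: RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a name at offset; return (name, offset just past it in the stream).

    Follows compression pointers (0xC0xx) with a hop limit so a looping
    pointer in a malformed message cannot hang the parser.
    """
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = offset + 2            # stream resumes after the pointer
            hops += 1
            if hops > 8:
                raise ValueError("pointer loop")
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_query(payload: bytes) -> dict:
    """Return the question section of a DNS query as a dict."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError(f"expected one question, got {qdcount}")
    qname, pos = decode_name(payload, 12)
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"id": txid, "qname": qname,
            "qtype": QTYPE_NAMES.get(qtype, str(qtype)), "qclass": qclass}


def observed_hostnames(payloads: list[bytes]) -> list[str]:
    """Unique hostnames a passive observer learns from plaintext UDP/53 payloads."""
    seen: list[str] = []
    for payload in payloads:
        try:
            name = parse_query(payload)["qname"]
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            continue                        # not a well-formed query; skip it
        if name not in seen:
            seen.append(name)
    return seen


# Constructed sample traffic: what leaks when DNS bypasses the tunnel.
SAMPLE_PAYLOADS = [
    build_query("example.com"),
    build_query("mail.example.org", qtype=28),
    build_query("example.com"),
    b"\x00\x01\x81\x80",                    # truncated junk, ignored
]

if __name__ == "__main__":
    for hostname in observed_hostnames(SAMPLE_PAYLOADS):
        print("observer sees lookup for:", hostname)
```

The hostname is right there in the packet, which is why a VPN that sends DNS outside the tunnel (or to a third-party resolver over plain UDP/53) gives away every site you visit even though the HTTPS traffic itself is encrypted. Encrypted DNS (DoH/DoT) or a resolver reachable only inside the tunnel removes this from the observer’s view.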
Encryption Strength
We mentioned how internet traffic captured by mass surveillance could be saved and decrypted later. Although classical computing would fail to brute-force 128-bit encryption in any reasonable amount of time, quantum computers could greatly weaken existing encryption, effectively cutting the key length in half. Theoretically, it would still take quantum computers forever to crack AES-128, the shortest key length and therefore the weakest encryption. Still, wouldn’t you want to use the best when it comes to your encryption?
35 of the VPNs were using 128-bit encryption instead of a stronger key size. You could argue either way: 128-bit should be more than enough today, but it is not ‘future-proof’ against quantum computers or new technologies we might find in the future.
Other Privacy Risks
Several of the apps exposed sensitive data, including the real IP address and location data from a location lookup service. Other VPNs send telemetry like the phone model and OS, all unencrypted, to the app developers.
Permissions
20 VPNs requested to track location
9 VPNs request your phone state
82 VPNs request ad tracking IDs
46 VPNs request permission to scan the other apps on your device
10 VPNs request permission to use your device’s camera
Proprietary Code
It’s rare to find apps that are fully open-source on official app stores, and these free VPN apps were no exception. Over half had proprietary code, and 80 apps used third-party proprietary code, typically used for analytics and advertising.
Fingerprinting & Third Party Trackers
Astonishingly 71 VPNs sent personal data to third party advertisers or data brokers. Most of these sent data to 1-3 third parties, while 12 VPNs shared with 4+ trackers. Many of these send the phone’s Google Advertising ID to third parties.
Many apps also fingerprinted the device, collecting information like device make and model, language, OS, screen size, Android fingerprint, battery, and free space. This information was packaged and sent out to other third party trackers such as Unity, Facebook, Yandex and other major data aggregators.
Almost half of the 100 VPNs contained at least 3 advertising SDKs, which are bundles of third party code typically meant to collect personal information that can be aggregated later to track you across the internet.
VPNs you may have heard of
We’ve pointed out a few popular free VPNs on this list as examples, although most VPNs had some problem or another.
Kaspersky: VPN & Antivirus (117.7M Installs)
Collects phone & network info, Google IPv6 leaks
ProtonVPN: (25M installs)
IPv6 leak on Chrome, Query all apps permission, Google Tracking SDK, connections made to duckduckgo and google during scan
Windscribe VPN
Accesses your location, queries all apps, Amazon and Google Tracking SDKs
Solutions
Avoid free apps on popular app stores like the plague, especially VPN apps. They need to make their money somehow, and it is at the cost of your privacy. The data collection covered in this study is just one aspect: there’s no way to guarantee your internet traffic is not being collected, saved, and sold from the backend of the VPN service.
Checking for VPN Leaks
You can check if you are using a VPN properly by checking for leaks. There are many online tools for detecting leaks, and we recommend the following site which you can use to test VPN leaks on your computer or your phone:
This page will pull up all information about your connection. Note that any website on the internet could do the same with the right scripts.
Pay Attention To
IP Address Location: This is related to your IPv4 address. If this matches your actual location, you have a leak or you’re not using a VPN. If it’s pointing to the location of your VPN server, then it’s protected.
IPv6 Leak Test: This should be ‘n/a’, which indicates your VPN server is blocking IPv6 traffic. If you’re seeing an IPv6 address here, then your VPN is either leaking or it supports IPv6 traffic. Although IPv6 geolocation is not widely available, it can be used to detect your location to within a few kilometers.
DNS Leak Test: Press the button to activate a DNS leak test, which will display the DNS servers involved in the lookup for the current site. If you are seeing DNS servers near your current location and not your VPN server’s location, your device or VPN is misconfigured and leaking DNS requests. That means your computer is connecting directly to those DNS servers, your ISP will be able to track those lookups, and the websites you visit can use them as a data point for your actual location.
These are the most important aspects when testing your VPN.
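The three checks above, written out as a small script so the pass/fail logic is explicit. This is an added example, not code from the original article or from any leak-test site. It assumes your VPN provider publishes the address ranges of its exit servers and resolvers (VPN_EXIT_NETS and VPN_DNS_NETS are hypothetical placeholders drawn from documentation address space), and the two LeakTestResult values are constructed inputs standing in for what a leak-test page would show you.

```python
"""Classify VPN leak-test results (added example; all inputs are constructed)."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Hypothetical provider ranges. A real provider publishes the addresses of its
# exit servers and resolvers; these placeholders use documentation space
# (RFC 5737 / RFC 3849) and do not belong to any provider.
VPN_EXIT_NETS = [ip_network("203.0.113.0/24"), ip_network("2001:db8:ffff::/48")]
VPN_DNS_NETS = [ip_network("203.0.113.0/24"), ip_network("2001:db8:ffff::/48")]


@dataclass
class LeakTestResult:
    """Values as shown by a leak-test page; 'n/a' or '' means no IPv6 at all."""
    ipv4: str
    ipv6: str | None
    dns_servers: list[str] = field(default_factory=list)


def normalize_ipv6(value: str | None) -> str | None:
    """Treat the page's 'n/a' (and blanks) as 'no IPv6 address'."""
    if value is None or value.strip().lower() in ("", "n/a", "none"):
        return None
    return value.strip()


def in_any(addr: str, nets) -> bool:
    """True if addr falls inside any of nets; unparseable input counts as outside."""
    try:
        a = ip_address(addr)
    except ValueError:
        return False
    return any(a in n for n in nets)


def assess(result: LeakTestResult,
           exit_nets=VPN_EXIT_NETS, dns_nets=VPN_DNS_NETS) -> list[str]:
    """Return one finding per leak; an empty list means all three checks passed."""
    findings: list[str] = []

    # 1. IPv4 location: the public address must be a VPN exit, not your ISP's.
    if not in_any(result.ipv4, exit_nets):
        findings.append(f"IPv4 leak: {result.ipv4} is not a VPN exit address "
                        "(VPN off or bypassed)")

    # 2. IPv6: either blocked entirely ('n/a') or tunnelled through the VPN.
    ipv6 = normalize_ipv6(result.ipv6)
    if ipv6 is not None and not in_any(ipv6, exit_nets):
        findings.append(f"IPv6 leak: {ipv6} is reachable outside the tunnel")

    # 3. DNS: every resolver the test saw must be the VPN's own.
    for server in result.dns_servers:
        if not in_any(server, dns_nets):
            findings.append(f"DNS leak: resolver {server} is not the VPN's resolver")
    return findings


# Constructed results: one clean run and one leaky run.
CLEAN = LeakTestResult("203.0.113.7", "n/a", ["203.0.113.53"])
LEAKY = LeakTestResult("198.51.100.20", "2001:db8:1::1",
                       ["198.51.100.1", "203.0.113.53"])

if __name__ == "__main__":
    for label, res in (("clean", CLEAN), ("leaky", LEAKY)):
        print(label, "->", assess(res) or ["no leaks detected"])
```

Note that the DNS check flags a leak if even one resolver outside the VPN shows up: a device that sends some lookups to the ISP resolver and some through the tunnel is still leaking the sites you visit.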
What happened when you tested your VPN? Any leaks? All good? Let us know in the comments!
Trustworthy VPN Services
With the free VPN services obviously failing to protect their users, we highly encourage you to opt for a paid VPN service. This way the VPN company is paid to serve you, instead of selling your data for revenue. We’ve tested out each of the VPNs on this list and ensured that they pass the leak tests we outlined.
Above VPN
Above VPN is an end-to-end encrypted VPN service built on top of open-source software, developed by Above, who also provide privacy phones and privacy laptops. Full disclosure: the #TakeBackOurTech team is affiliated with Above. Hakeem Anwar, the founder of #TakeBackOurTech, is also the founder and CEO of Above.
Above VPN comes with Above Suite, a collection of private software services including email, calendar, encrypted chat, search engine, VPN, and video conferencing. All of this for $100/year.
Buy Above Suite here: https://abovephone.com/suite
Why use Above VPN?
Easy to set up on Android and desktop (macOS, Linux, Windows), and especially easy to use with Above Book and Above Phone
3 devices per subscription
Fast, lightweight and very secure: uses the modern WireGuard VPN protocol under the hood
No logging whatsoever, no personal data sent to third parties.
Private DNS resolvers, integrated into the VPN. No DNS leaks!
DNS Blocklists for trackers, advertisers, and malicious websites. You’ll notice less ads (no ads on Above devices)
3 locations in the United States
Pay privately using cryptocurrency
We’re expanding our VPN locations to other countries outside the U.S - which ones would you like to see?
Mullvad
Mullvad is one of the biggest VPN companies on earth, and although they are quickly approaching big tech status, they have pioneered the VPN experience we all know and enjoy today.
Why Mullvad?
5 Devices per subscription
No logging
Cross-platform apps for any device
No personal info needed
Many different locations around the world
DNS Servers & Blocklists
Anonymous payment options
iVPN
iVPN is the new kid on the block, but a professional VPN service with great policies and education.
Open source apps for any device
Anonymous payment options
Private DNS servers with blocklist options
Conclusion
We hope this has shed some light on how easy it is for internet-based services to misrepresent themselves. It takes education and work from users to validate the services they use! Free services are a risk, as they are likely making deals with your data.
Sources
https://www.top10vpn.com/research/free-vpn-investigations/android-vpn-security-flaws/
https://blog.maxmind.com/2020/01/ip-geolocation-in-the-ipv6-world/
Follow us:
https://www.tiktok.com/@takebackourtech
https://x.com/abovephone
t.me/takebackourtech
https://odysee.com/@takebackourtech:f
Take Back Our Tech is organic content written by real humans and technologists; we do not use AI for content generation. We report on the latest news in information technology through the lens of individual privacy and freedom, and we aim to provide practical solutions in every piece of content. Subscribe as a paid member to our Substack to support us!