One of the best friends a user can have in today’s digital age is a virtual private network (VPN). This tool masks a user’s IP address and tunnels their data through a network of servers. In so doing, a VPN helps a user browse the web anonymously and more securely.

Unfortunately, not all VPNs fulfill that purpose. A group of researchers from Queen Mary University of London and the University of Rome demonstrated as much back in January 2015. After examining 14 different services, the researchers found that 10 VPNs were susceptible to leaking IPv6 data and all but one were vulnerable to DNS hijacking attacks.

Other groups have studied VPNs since then. Most recently, a team consisting of researchers from the University of New South Wales, the University of Berkeley, and Commonwealth Scientific and Industrial Research Organization (CSIRO) analyzed Android-based VPN apps. Their analysis demonstrated that dozens upon dozens of VPNs not only failed to uphold mobile users’ privacy but jeopardized their security as well.

Exposed and Vulnerable: A Common Thread among Android VPN Users

For their study (PDF), the researchers searched Google’s Play Store for VPN-related apps. They identified a total of 1,488,811 free and paid potential candidates. Next, they obtained each app’s metadata, downloaded the app’s executable, and analyzed its source code and AndroidManifest file. This file is crucial. Apps use it to request either custom VPN permissions or BIND_VPN_SERVICE, Android’s official VPN permission, which exposes an app to all of a device’s traffic and routes that traffic through a virtual network of servers.

Overall, the team identified 283 free Android apps that requested the VPN permission in their AndroidManifest files. Many of those apps exhibited some startling behavior that jeopardized users’ privacy and security. Here’s a sampling of what the researchers found:

Lack of Encryption

Nearly one-fifth (18 percent) of the apps didn’t use encryption with their tunneling protocols. When coupled with the fact that 84 percent and 66 percent of the apps didn’t tunnel IPv6 and DNS traffic respectively, it becomes clear that many Android VPNs failed to achieve security and anonymity for their users. If anything, they made it easier for government agents and others to abuse those apps to track users’ online movements.

Trackers

67 percent of the free apps analyzed embedded at least one third-party tracking library in the source code. To a certain extent, these apps relied on advertising and revenue generated from analytics services for funding. By comparison, 65 percent of premium (paid) VPN apps came with no embedded tracking library at the time of the study.