Many VPN apps on Apple’s App Store can’t be trusted, researcher warns

Apple must look into the security and privacy of VPN apps provided by its App Stores


I’m told Apple is at last looking into the privacy and security of free VPN apps made available across its platforms, following a report from researcher Simon Migliano.

Who owns your VPN service?

The researcher has flagged several concerns that anyone choosing a VPN service from either Apple’s App Store or Google Play should be aware of:

  • Ownership: Migliano claims that almost 60 percent of the most popular free VPN apps are actually owned, sometimes through opaque corporate structures, by Chinese companies.
  • Privacy: The researcher also found that as many as 77 percent of these VPN apps may have what he calls “serious privacy flaws”, including no privacy policy at all, generic policies that never mention VPN, or no detailed logging policy.
  • Data protection: Migliano claims Apple is not enforcing its third-party data-sharing ban against VPN apps, with 80 percent of the top free VPN apps “in breach of the rules”, he said. Many are sharing user data with third parties, he claims.

That last allegation is particularly concerning.

Has VPN become a honey pot trap?

Think about the nature of VPN services: they make it much harder for third parties on your local network or at your ISP to monitor your traffic, but they do so by encrypting that traffic only as far as their own servers and routing it onward from there. The tunnel ends at the provider, which means the provider sees every destination you connect to, your DNS lookups, and anything that isn’t separately encrypted with HTTPS.

That’s fine when your traffic is kept in a private space, but much less fine when information about what you are doing online is sold on to third parties without any oversight.

These could be data aggregators, hackers, or worse.

Given that anyone using a VPN service is likely to prize privacy and potentially seeks to protect trade secrets or other important confidential data, weak spots in the security provision are a big concern.

Your VPN service provider has good insight into what you do.

Migliano published his data in late 2018.

In his report, he accused both Apple and Google of not doing enough to protect users against second-rate VPN services.

Apple and Google have been informed

“We notified Apple and Google of our updated findings and formally requested they address the privacy risks identified,” he told me.

“To make it as easy as possible for them to resolve the issues, we supplied detailed lists of the apps that required their attention as they still posed a risk to users, along with recommendations on remedial steps to take.”

He explains that Apple is now looking into his claims, though no action has yet been taken.

This follows Apple’s decision in early June to acknowledge that VPN apps require stricter rules than other apps.

Apple also banned such apps from sharing any data with third parties, though it has not yet begun enforcing that policy, the researcher claims.

“However, unless Apple takes action to enforce these new rules and kick non-compliant apps from its App Store then it’s simply paying lip service to privacy,” he said.

To its shame, given the nature of Migliano’s claims, Google had not responded at all at the time of writing, the researcher said.

Apple meanwhile has a high-level commitment to protecting user privacy, and recently moved to suspend human checks of Siri conversations.

Hundreds of millions of downloads

What makes this all the more concerning is that the apps he has identified as insecure account for over 210 million downloads on Google Play.

Similarly, they are being downloaded 3.8 million times a month via Apple’s App Store, he claims.

All over the world, Internet users are waking up to the need to protect their privacy.

This isn’t just a matter of personal privacy: as enterprise systems, workflows and infrastructure become increasingly digitized, privacy and security protections are becoming essential bulwarks against all manner of cyberthreats.

With this in mind, Migliano said:

“Even putting aside the question of whether there’s cause for concern that Chinese companies have quietly cornered the free VPN market, this category is crying out for proper regulation.

“The privacy boom is happening against a backdrop of growing internet shutdowns around the world, which means conditions are ripe for VPN profiteering.”

What’s the catch?

There’s a catch to all of these claims, of course:

Migliano works for a company called Top10VPN, which claims to test existing VPN services.

This means he certainly has a business incentive to expose weak or insecure services, which is also why his claims deserve independent scrutiny.

On his part, the researcher says that he is not involved in the commercial side of his company, and is not involved in recommendations the company makes.

Fortunately, if Apple is indeed acting on the report, its claims will soon be tested, and where they hold up every user will benefit.

Meanwhile, Migliano's company recommends ExpressVPN, NordVPN and IPVanish VPN, all of which are fee-based. I’ve only used NordVPN, which I liked, but have never used the other services myself.

How to choose a VPN service

Here is a little advice on choosing a VPN. 

  • Always check for information about the company. Is it bona fide? Does it have real addresses, phone numbers and named people behind it?
  • Does it have a privacy policy that explains its logging and data retention practices?
  • Does it protect against data misuse? It might delete all server logs in real time, for example.
  • Does it provide customer support?
  • Ad-supported products and privacy are not necessarily compatible in a VPN. If the service is free, ask how it funds its network.

"If I were pressed to recommend a free VPN, it would be a toss-up between TunnelBear and Windscribe as they operate on the freemium model, which means they don't need to run invasive ad trackers and have revenue to fund a safe network," Migliano said.

Up next?

I’m hoping Apple will look into these claims.

When it does, I’d urge it to introduce some form of kite-marking scheme so that customers choosing a VPN can more easily identify and pick a service they can trust, rather than one that subsidizes its business by selling their data to aggregators.


Updated: Additional information regarding Migliano's work at his company and advice for identifying a VPN service.


Copyright © 2019 IDG Communications, Inc.
