Free is nice — until it’s not. In a study of over 800 no-cost virtual private networks, a cybersecurity team found that nearly two-thirds relied on vulnerable coding and put consumers’ data and privacy at risk. The investigation by Zimperium zLabs, a mobile security company, looked at VPNs for both Android and iOS, and found that hundreds offered no real privacy, required risky permissions, leaked personal data and used outdated and vulnerable code.




Zimperium zLabs said these issues are very problematic for companies with bring-your-own-device policies. 

“These mobile VPN apps, even popular ones, can become the weakest link in an organization’s security posture, exposing sensitive business data to unnecessary risk,” the report said.


What’s a VPN?

In theory, a VPN — short for virtual private network — is software that encrypts the data transmitted over your computer’s network connection. Your internet traffic is routed through a protected server in a remote location before it’s sent to the website or app you’re attempting to access.

This encryption prevents your ISP from knowing the websites and apps you’re using, and websites and apps can’t tell who your ISP is, improving your online privacy. It’s also a way of hiding your physical location, which many internet users take advantage of to access services that aren’t otherwise available in their country or state.


Phishing attacks and screenshot captures

Zimperium zLabs found that some problematic VPNs could capture screenshots of the user interface, taking images of what you see on your screen. That could include sensitive emails, data and photos.

The investigation also found that some VPNs were vulnerable to insecure activity launch, meaning attackers could bypass the device’s security checks. This could leave the system open to phishing, allow encryption to be disabled or make it look like a VPN is active when it’s actually not.

The Zimperium report also identified permission-abuse issues. Granting an app too many permissions can allow bad actors to do things such as add or remove accounts, change passwords or gain access to other services without passwords.

Another problem was VPN transparency. Several VPN apps for iOS did not comply with Apple’s requirements that developers must state how customer data will be used and justify how and why they are accessing sensitive data.

Zimperium found that 25% of the VPN apps it examined did not include valid privacy manifests. As a result, consumers could be at risk for profiling, reidentification or monetization.

‘Be incredibly wary’

CNET Senior Writer Attila Tomaschek advises that anyone considering a free VPN “should be incredibly wary” and read the fine print.

“It’s important to look through the provider’s privacy policy to determine how the company handles your data,” Tomaschek says. “If the company shares or sells your data to advertisers, data brokers or other third parties, or if it keeps logs of your online activity, find a different VPN.”

Tomaschek recommends using a VPN with a free plan subsidized by a premium, paid subscription tier.

“With a strictly free VPN, you are the product,” he says. “The only free VPN CNET recommends is Proton VPN’s free tier, which is supported by the company’s premium products and doesn’t compromise on privacy.”


