In China, using a VPN is vital for any netizen who wishes to bypass the Great Firewall to access websites and content censored by Beijing.
A VPN, or virtual private network, is a service that allows users to obtain free information through a secure connection. The services typically hide one’s IP address and encrypt the data sent or received over the internet, diverting traffic through a remote server.
Free VPN apps, available on Apple’s App Store and Google’s Android Play Store, have been downloaded by millions of users around the world.
Many such apps either have privacy policies that explicitly say data can be collected and transferred to China or other third parties, vaguely worded policies that lack important security details, or in some cases, no policy at all.
Top10VPN.com found that 17 of the top 30 apps, or 59 percent, on the U.S. and U.K. Apple and Google app stores have links to China.
In total, Chinese-backed apps have more than 80 million total downloads on the Google Play store and over four million monthly downloads on Apple’s equivalent.
As these apps are available to download around the world, citizens everywhere who use these apps and rely on them as a secure way to surf the web on their smartphones are now vulnerable.
In China, where the Chinese Communist Party has broad power over all sectors of society, “these are risky apps to use regardless of their ownership. They are very poor products that lack proper privacy protections and are likely to leave them [Chinese netizens] exposed to government surveillance even as they consider themselves safe,” said Simon Migliano, head of research at Top10VPN.com, in an email.
Curiously, the Chinese regime enacted a ban that went into effect in March, prohibiting the use of non-government-approved VPNs. The only authorized VPNs are those provided by state-owned firms—and even those are restricted for use only by companies that require unrestricted internet access in order to do business.
To comply with the VPN ban, in July 2017, Apple removed all VPN apps from its China app store.
So “the only way a Chinese netizen could download these apps would be either via a VPN, or while overseas,” said Migliano. Similarly, while the Google Play store is blocked in China, a user could access it via VPN to download the apps.
As such, Top10VPN was unable to provide data on how many free VPN app users were from China.
Apple and Google are ultimately responsible for vetting the apps on their platform, Migliano said.
Shady Companies
According to the report, VPN apps are the most searched-for category of apps after major social-media platforms such as Facebook and gaming apps. But the majority of free VPN apps appearing in top search results go to great lengths to obscure their company information.For example, three popular apps, VPN Master, Turbo VPN, and Snap VPN, are closely associated and trace back to three companies registered in Singapore but with links to China. They have a combined 14 million Android installs and 1.1 million Apple iOS installs.
One of the registered companies, Innovative Connecting, is owned by an influential Chinese entrepreneur, Chen Danian. Despite no public associations with the VPN company, Chen is listed as a director of the company in Singapore corporate filings, according to the report.
The three VPN apps all have a privacy policy explicitly stating, “Our business may require us to transfer your Personal Data to countries outside of the European Economic Area (‘EEA’), including to countries such as the People’s Republic of China or Singapore.”
SkyVPN’s privacy policy worryingly says the app may automatically collect a slew of information about the device, such as “an Android, Apple iOS, or other ID, device maker and model, mobile web browser type and version, IP address, MAC address, the operating system’s maker and version, location information, MCC (Mobile Country Code) information, the mobile application name, a list of mobile applications installed on your device and other technical data about your device.” The app is tied to a company registered in Hong Kong with a mainland Chinese address and shareholder.
Surprisingly, one of the apps, VPN Super Unlimited Proxy, traces to a company whose corporate address is located within a well-known tech incubator in Beijing: the Dongsheng Science and Technology Park.
Other VPN apps, such as Super VPN Free VPN Client, which has 50 million downloads on Android, have no website. Its registered address in Singapore is part of a university campus, and likely is fake.