Majority of Popular Free VPN Apps Owned by Chinese Firms Susceptible to User Data ‘Harvesting’

Majority of Popular Free VPN Apps Owned by Chinese Firms Susceptible to User Data ‘Harvesting’
Chinese authorities had announced that all unrecognised VPN services would be blocked by March 31, meaning that Chinese and foreign companies must choose from a limited number of state-approved VPNs. / AFP PHOTO / FRED DUFOUR Photo credit should read FRED DUFOUR/AFP/Getty Images
Annie Wu
Updated:

In China, using a VPN is vital for any netizen who wishes to bypass the Great Firewall to access websites and content censored by Beijing.

A VPN, or virtual private network, is a service that allows users to obtain free information through a secure connection. The services typically hide one’s IP address and encrypt the data sent or received over the internet, diverting traffic through a remote server.

Free VPN apps, available on Apple’s App Store and Google’s Android Play Store, have been downloaded by millions of users around the world.

But a new report by VPN review site Top10VPN.com investigating the companies behind these apps has revealed something disturbing: The majority of the most popular free VPN apps trace their ownership to Chinese companies.

Many such apps either have privacy policies that explicitly say data can be collected and transferred to China or other third parties, vaguely worded policies that lack important security details, or in some cases, no policy at all.

Top10VPN.com found that 17 of the top 30 apps, or 59 percent, on the U.S. and U.K. Apple and Google app stores have links to China.

In total, Chinese-backed apps have more than 80 million total downloads on the Google Play store and over four million monthly downloads on Apple’s equivalent.

As these apps are available to download around the world, citizens everywhere who use these apps and rely on them as a secure way to surf the web on their smartphones are now vulnerable.

In China, where the Chinese Communist Party has broad power over all sectors of society, “these are risky apps to use regardless of their ownership. They are very poor products that lack proper privacy protections and are likely to leave them [Chinese netizens] exposed to government surveillance even as they consider themselves safe,” said Simon Migliano, head of research at Top10VPN.com, in an email.

Curiously, the Chinese regime enacted a ban that went into effect in March, prohibiting the use of non-government-approved VPNs. The only authorized VPNs are those provided by state-owned firms—and even those are restricted for use only by companies that require unrestricted internet access in order to do business.

While Beijing has recently cracked down on unauthorized VPN use within its borders, the Chinese-linked VPN apps investigated in the report—none of which are officially approved by Beijing—have been allowed to operate uninhibited.
The app SuperVPN on the Google Play store. (Screenshot)
The app SuperVPN on the Google Play store. Screenshot

To comply with the VPN ban, in July 2017, Apple removed all VPN apps from its China app store.

So “the only way a Chinese netizen could download these apps would be either via a VPN, or while overseas,” said Migliano. Similarly, while the Google Play store is blocked in China, a user could access it via VPN to download the apps.

As such, Top10VPN was unable to provide data on how many free VPN app users were from China.

Apple and Google are ultimately responsible for vetting the apps on their platform, Migliano said.

“This is a dereliction of duty from Apple and Google, whose lax controls are potentially leaving their customers open to wholesale data harvesting,” Migliano said in a press release.

Shady Companies

According to the report, VPN apps are the most searched-for category of apps after major social-media platforms such as Facebook and gaming apps. But the majority of free VPN apps appearing in top search results go to great lengths to obscure their company information.

For example, three popular apps, VPN Master, Turbo VPN, and Snap VPN, are closely associated and trace back to three companies registered in Singapore but with links to China. They have a combined 14 million Android installs and 1.1 million Apple iOS installs.

One of the registered companies, Innovative Connecting, is owned by an influential Chinese entrepreneur, Chen Danian. Despite no public associations with the VPN company, Chen is listed as a director of the company in Singapore corporate filings, according to the report.

The three VPN apps all have a privacy policy explicitly stating, “Our business may require us to transfer your Personal Data to countries outside of the European Economic Area (‘EEA’), including to countries such as the People’s Republic of China or Singapore.”

Chen is also founder and CEO of LinkSure Network, a publicly listed company in China. The company’s website names several connections to the Chinese regime: It is a member of the Internet Society of China, an association of private internet companies administered by Beijing’s censorship authority, the Cyberspace Administration. It’s also a participant of Beijing’s “poverty alleviation” efforts through internet connectivity, also initiated by the Cyberspace Administration.

SkyVPN’s privacy policy worryingly says the app may automatically collect a slew of information about the device, such as “an Android, Apple iOS, or other ID, device maker and model, mobile web browser type and version, IP address, MAC address, the operating system’s maker and version, location information, MCC (Mobile Country Code) information, the mobile application name, a list of mobile applications installed on your device and other technical data about your device.” The app is tied to a company registered in Hong Kong with a mainland Chinese address and shareholder.

Surprisingly, one of the apps, VPN Super Unlimited Proxy, traces to a company whose corporate address is located within a well-known tech incubator in Beijing: the Dongsheng Science and Technology Park.

Other VPN apps, such as Super VPN Free VPN Client, which has 50 million downloads on Android, have no website. Its registered address in Singapore is part of a university campus, and likely is fake.

The presence of such VPN developers is unsettling given that Chinese authorities have also jailed VPN operators for selling or developing “unauthorized” VPN software. As recently as October, a VPN developer was sentenced to a three-year suspended prison term.
In recent weeks, Chinese netizens who have used a VPN to access Twitter and post comments critical of the Chinese regime have been interrogated, arrest, and detained by local police. They were also forced to close down their accounts.
Annie Wu
Annie Wu
Author
Annie Wu joined the full-time staff at the Epoch Times in July 2014. That year, she won a first-place award from the New York Press Association for best spot news coverage. She is a graduate of Barnard College and the Columbia University Graduate School of Journalism.
twitter
Related Topics