Study warns free VPN apps pose severe risks

Multiple cybersecurity weaknesses have been plaguing free VPN software on Android and iOS, potentially jeopardizing corporate and personal data, according to Infosecurity Magazine.

Apart from some VPN apps still using OpenSSL versions vulnerable to Heartbleed, nearly 1% of the apps enabled man-in-the-middle intrusions, while many sought excessive permissions, a Zimperium zLabs study found. On iOS in particular, over 6% of apps sought private entitlements that could provide unusually deep system access, while a quarter also lacked a proper privacy manifest, even though Apple mandates one.

Researchers conclude that many free VPN apps fail to protect users and can instead expose them to surveillance, full device compromise, and credential theft.

"Organizations need a multi-layered response. Endpoint visibility and management is table stakes […] what is rapidly becoming a requirement is the need for web content-level data security," said Brandon Tarbet, director of IT and security at Menlo Security.
