Months ago, we told readers about the importance of using a VPN on their iPhones, and while those lessons do apply to Android devices—a VPN for Android will encrypt your Android’s web activity and app traffic, and it will stop your mobile carrier from monetizing your data—Android users should caution against one particular risk: That of the free VPN app.

In just the past year, free VPN for Android apps have exposed the data of as many as 41 million users, revealing consumers’ email addresses, payment information, clear text passwords, device IDs, and more. Investigations into one of those free VPN Android apps also revealed that it may have been part of a larger web of Android VPNs all operating under the same company—a company that was nearly impossible to reach for customer support, borrowed liberally from other company privacy policies, and failed to meet its promises to keep “no logs” of user activity. And while poorly built VPNs are not reserved only for Android devices, Android users in particular should wade cautiously through the Google Play Store, where countless VPN apps demarcate themselves under bland terminology such as “ultimate,” “super,” “fast,” and, of course, “free.”

In reality, a secure, trustworthy VPN Android app is rarely, if ever, free, and that’s largely because the actual work that goes into running a secure VPN service costs money. As Malwarebytes senior security research JP Taggart said on our podcast Lock and Code:

“Deploying a VPN service is, you know, it requires infrastructure. It requires servers, it requires staff, it requires coders to make sure that it’s done properly or that it’s done the way you want it to work,” Taggart said. “All of that has to be paid. All these people that work on [the VPN service], nobody is going to do it for free. No one is that altruistic.”

There is no best free VPN for Android

Searching for a VPN app shouldn’t be so hard, but it is. A quick query in the Google Play store conjures up at least 250 results, and, without any knowledge of the VPN industry, it can be difficult to know which app to trust. For users taking their first steps into learning about VPNs, the temptation to download any of the countless free VPN Android apps is high.

But some of those free apps are the same ones with a poor track record of protecting user data.

In February of this year, a cybercriminal claimed to have stolen user data from three, separate VPN apps available on the Google Play Store: SuperVPN, GeckoVPN, and ChatVPN. The cybercriminal said on an online hacking forum that they’d managed to swipe email addresses, usernames, full names, country names, randomly generated password strings, payment-related data, and whether a user was a “Premium” member, along with that “Premium” membership’s expiration date. Follow-on reporting from the tech outlet CyberNews also revealed that the stolen data included device serial numbers, phone type and manufacturer information, device IDs, and device IMSI numbers.  

The impact of such a data breach is hard to measure, because it goes beyond just the harm caused to the victims. At risk here is also the trust that users are expected to place in a service that is specifically advertised as a privacy and security measure.

Troy Hunt, the founder of the data breach website HaveIBeenPwned, called the breach “a mess” on Twitter, saying that it was a “timely reminder of why trust in a VPN provider is so crucial.”

“This level of logging isn’t what anyone expects when using a service designed to *improve* privacy,” Hunt said, “not to mention the fact they then leaked all the data.”

But for one of the VPN Android apps, SuperVPN, it was actually the second time it had been named in a cybersecurity mishap.

In July, 2020, cybersecurity researchers at vpnMentor published a report that showed that  seven VPN Android apps had left 1.2 terabytes of private user data exposed online. According to the report, the data belonged to as many as 20 million users, and it included email addresses, clear text passwords, IP addresses, home addresses, phone models, device IDs, and Internet activity logs.

Particularly upsetting in this discovery was the fact that all of the seven VPN Android apps had promised to keep “no logs” of user activity—a provably false claim since vpnMentor actually found user logs in its research. The VPNs named in the report were UFO VPN, Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN.

In its investigation, vpnMentor also proposed that the seven VPN Android apps were likely made by the same developer, as the VPN services shared a common Elasticsearch server, along with the same payment recipient, Dreamfii HK Limited. Three of the VPN apps also featured branding and website layouts that looked similar to one another.

These are known privacy and security failures, and they just so happen to afflict free VPN for Android apps. A free VPN may cost nothing out of your pocket, but it could cost your privacy a lot more.  

We can’t tell you the best VPN for Android, free or not free

We’ve told you the bad news—free Android VPNs are too big a risk to take. Now, understandably, you might ask about the good news—what VPN Android app should I use?

Unfortunately, we can’t recommend any VPN Android app, and that’s because what VPNs offer— which are varying privacy protections—are not uniformly valuable to every user.

For instance, for users who want to protect their Internet activity while connecting to a public WiFi hotspot, VPNs offer a strong solution to that, as VPN services encrypt web traffic and make it incomprehensible to digital eavesdroppers. Also, for users who want to access content that is geo-restricted, VPNs also offer a helpful workaround, as they can make a user’s Internet traffic appear as though it is originating from another location.

But where VPN value starts to differentiate is in the realm of privacy, and that’s because, as we’ve learned in recent years, privacy could mean something different for every user. For some users, privacy might mean hiding their Internet traffic from their Internet Service Provider, which a VPN can do. But for other users, privacy might mean keeping their sensitive data from today’s enormous social media companies, which a VPN cannot do. Or it might mean stopping cross-site tracking across the Internet, which, again, a VPN cannot do.

But do not worry if you’re still looking for help, because we can recommend the same advice we did earlier this year for anyone looking for the right VPN for themselves.

Think about how you’ll use the VPN service and look for a variety of features, like the ease of use, the connection speed, any potential data limits, the availability of customer support, and the VPN’s policy on keeping user logs. With the right info, you’ll be protecting yourself in no time.

Just remember, if you’re willing to take your privacy seriously, you should also be willing to spend a little money on it.