I’m told Apple is at last looking into the privacy and security of the free VPN apps available across its platforms, following a report from researcher Simon Migliano.
Who owns your VPN service?
The researcher has flagged several concerns that anyone choosing a VPN service from either Apple’s App Store or Google Play should be aware of:
- Ownership: Migliano claims that almost 60 percent of the most popular free VPN apps are actually owned (sometimes opaquely) by Chinese companies.
- Data protection: Migliano claims Apple is not enforcing its third-party data-sharing ban against VPN apps, and that 80 percent of the top free VPN apps are “in breach of the rules”, with many of them sharing data with third parties.
That last allegation is particularly concerning.
Has VPN become a honey pot trap?
Think about the nature of VPN services: they make it much harder for third parties on your local network or at your ISP to intercept or monitor your traffic, but they do so by routing all of that traffic through their own servers.
That’s fine when your traffic is kept in a private space, but much less fine when information about what you are doing online is sold on to third parties without any oversight.
These could be data aggregators, hackers, or worse.
Given that anyone using a VPN service is likely to prize privacy, and may be seeking to protect trade secrets or other important confidential data, weak spots in the security provision are a big concern.
Your VPN service provider has good insight into what you do: even when the sites you visit use HTTPS, the provider’s exit servers still see the destination addresses, your DNS lookups, the server names in TLS handshakes, and anything sent in plaintext.
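To make the point above concrete, here is an added example (not code from the original article or from the researcher) showing what a VPN exit server can read from the first packet of a connection, with no decryption at all. It builds a minimal TLS ClientHello and then parses the Server Name Indication out of it, and also pulls the Host header from a plaintext HTTP request; the flows and addresses are constructed for the example.

```python
"""
Added example: what a VPN exit node can see from the first bytes of a
connection, even when the payload itself is encrypted. The TLS ClientHello
is built here for the example (real clients send many more extensions);
the SNI extension layout follows RFC 6066, the record framing RFC 5246/8446.
"""
import struct


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello with one SNI entry."""
    server_name = hostname.encode("ascii")
    # ServerName: name_type(1) = host_name(0), then 2-byte length and the name
    sni_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry        # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + bytes(32)            # random (zeroed for the example)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # cipher_suites: one suite, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS handshake record, or None if absent/malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                    # skip version and random
    try:
        sid_len = body[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = body[pos]; pos += 1 + cm_len
        if pos + 2 > len(body):                     # no extensions block at all
            return None
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            if etype == 0x0000:                     # server_name extension
                data = body[pos:pos + elen]
                q = 2                               # skip ServerNameList length
                while q + 3 <= len(data):
                    name_type = data[q]
                    name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                    q += 3
                    if name_type == 0:
                        return data[q:q + name_len].decode("ascii", "replace")
                    q += name_len
                return None
            pos += elen
    except (IndexError, struct.error):              # truncated or malformed record
        return None
    return None


def host_header(payload: bytes):
    """Return the Host header of a plaintext HTTP request, if present."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def exit_node_view(flows):
    """For each (dst_ip, dst_port, first_bytes) flow, return what the exit sees:
    the destination plus any server name readable without decrypting anything."""
    result = []
    for dst, port, payload in flows:
        name = extract_sni(payload) or host_header(payload)
        result.append((dst, port, name))
    return result


# Constructed sample flows (documentation addresses, not real servers).
SAMPLE_FLOWS = [
    ("203.0.113.10", 443, build_client_hello("mail.example.com")),
    ("198.51.100.7", 80, b"GET /search?q=confidential%20merger HTTP/1.1\r\n"
                         b"Host: search.example.org\r\n\r\n"),
    ("192.0.2.44", 8443, bytes(64)),   # some other protocol: only IP and port are visible
]

if __name__ == "__main__":
    for dst, port, name in exit_node_view(SAMPLE_FLOWS):
        print(f"{dst}:{port} -> {name or '(no server name, destination still visible)'}")
```

The HTTPS connection hides its content but not its destination or server name, and the plaintext HTTP request exposes the full query; a provider that logs even this much can sell a detailed picture of a user’s browsing.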
Migliano published his data in late 2018.
In his report, he accused both Apple and Google of not doing enough to protect users against second-rate VPN services.
Apple and Google have been informed
“We notified Apple and Google of our updated findings and formally requested they address the privacy risks identified,” he told me.
“To make it as easy as possible for them to resolve the issues, we supplied detailed lists of the apps that required their attention as they still posed a risk to users, along with recommendations on remedial steps to take.”
He explains that Apple is now looking into his claims, though no action has yet been taken.
This follows Apple’s decision in early June to acknowledge that VPN apps require stricter regulation than other apps.
Apple also banned such apps from sharing any data with third parties, though hasn’t begun enforcing this policy yet, the researcher claims.
“However, unless Apple takes action to enforce these new rules and kick non-compliant apps from its App Store then it’s simply paying lip service to privacy,” he said.
To its shame, given the nature of Migliano’s claims, Google had not responded at all at the time of writing, the researcher said.
Apple meanwhile has a high-level commitment to protecting user privacy, and recently moved to suspend human checks of Siri conversations.
Hundreds of millions of apps
What makes this all the more concerning is that those apps he has identified as insecure are responsible for over 210 million downloads on Google Play.
Similarly, they are being downloaded 3.8 million times a month via Apple’s App Store, he claims.
All over the world, Internet users are waking up to the need to protect their privacy.
This isn’t just a matter of personal privacy: as enterprise systems, workflows and infrastructure become increasingly digitized, privacy and security protections are becoming essential bulwarks against all manner of cyberthreats.
With this in mind, Migliano said:
“Even putting aside the question of whether there’s cause for concern that Chinese companies have quietly cornered the free VPN market, this category is crying out for proper regulation.
“The privacy boom is happening against a backdrop of growing internet shutdowns around the world, which means conditions are ripe for VPN profiteering.”
What’s the catch?
There’s a catch to all of these claims, of course:
Migliano works for a company called Top10VPN, which claims to test existing VPN services.
This means he certainly has a business case for exposing weak or insecure services, which also means his claims need to be challenged.
Fortunately, if Apple is indeed acting on those claims, they will soon be put to the test, and where they hold up, every user will benefit.
I’m hoping Apple will look into these claims.
When it does, I’d urge it to devise some form of kitemark scheme so that customers choosing a VPN service can more easily identify and choose a service they can trust, rather than one that subsidizes its business by selling their data to data aggregators.