There’s no such thing as a great free VPN. Or, rather, there’s only one free VPN you should trust, and that’s the one you’ve set up yourself. Otherwise, any app that promises you a free and secure VPN service is either tracking what you’re doing, sending off information about your activity to advertisers or investing little to nothing in its security.
That’s not to say that every paid VPN provider is perfect, but I would avoid free ones like the plague coronavirus. And that’s especially true for SuperVPN, an Android app that racked up more than one hundred million downloads in its time on the Google Play Store. If you have this app or use this app, remove it from your Android right now because it’s garbage—so much so that Google itself has pulled SuperVPN from the Google Play Store.
The sad thing is, we should have seen this coming: VPN information and review resource VPNpro put out a warning about SuperVPN two months ago, writing:
“But besides being a very popular app, there’s something else you need to know about this free VPN: SuperVPN Free VPN Client is also very dangerous. You see, our analysis shows that this app has critical vulnerabilities that open it up to dangerous attacks known as man-in-the-middle (MITM) hacks. These vulnerabilities will allow hackers to easily intercept all the communications between the user and the VPN provider, letting the hackers see everything the user is doing.
This is actually quite the opposite of what a VPN is supposed to do. A VPN is supposed to keep your online activities private and secure from all snooping eyes. In fact, a VPN is supposed to be so safe that, even if a hacker could intercept these communications, it would take them longer than the age of the universe to even begin to decrypt the data. But that’s not what SuperVPN has done here.”
Though SuperVPN wasn’t the only app VPNpro analysed at the time, it was by far the most popular, with nearly ten times the downloads of other apps on VPNpro’s list. That list, by the way, catalogued a host of VPNs that were all vulnerable to man-in-the-middle attacks; in other words, a list of VPN apps you absolutely should not use. But you shouldn’t have been using them anyway because you should never sign up for a free VPN service. Got it?
In the case of SuperVPN, the app got it wrong on a lot of fronts. Its most damning technical problem, enabling those man-in-the-middle attacks, was that it passed along encrypted information about its own servers that was easily decrypted thanks to the app stupidly hard-coding the key as part of the transmission. (D’oh.)
Browsing the web via more-secure HTTPS connections certainly helps you stay safer against man-in-the-middle attacks, but not every website is configured to use HTTPS—nor does the presence of HTTPS on a site automatically mean that it’s safe and trustworthy. And there are plenty of other fun techniques that man-in-the-middle attacks can use to nip at your security until you cough up useful credentials or other critical data.
VPNpro has a few useful tips for avoiding security disasters when picking your next VPN, including asking yourself:
Do I know this VPN developer or brand? Do they seem trustworthy?
Where is the VPN located? Is it in a privacy-friendly country?
For mobile apps, what permissions are they requiring? Do they actually need those permissions to function (such as the camera, GPS, microphone)?
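If you want to run that permissions check yourself rather than eyeball a store listing, here is one way to do it. This is an added example, not code from VPNpro or from any app mentioned here; it assumes you already have the app's AndroidManifest.xml decoded to plain text, and the sample manifest and the package name com.example.freevpn are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions from the checklist above (camera, GPS, microphone) that a VPN
# tunnel does not need in order to route traffic.
UNNEEDED_FOR_VPN = {
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed sample manifest for a hypothetical app; not from any real APK.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return requested permissions, those a VPN should not need, and
    whether the app declares a service bound to Android's VpnService."""
    root = ET.fromstring(xml_text)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                requested.add(name)
    flagged = sorted((p, UNNEEDED_FOR_VPN[p])
                     for p in requested & UNNEEDED_FOR_VPN.keys())
    has_vpn_service = any(
        svc.get(ANDROID_NS + "permission") == "android.permission.BIND_VPN_SERVICE"
        for svc in root.iter("service"))
    return {"package": root.get("package"), "requested": sorted(requested),
            "flagged": flagged, "has_vpn_service": has_vpn_service}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for perm, what in report["flagged"]:
        print(f"{report['package']}: requests {what} ({perm})")
```

A flagged permission is a question to put to the developer, not proof of abuse; a clean result says nothing about how the app handles your traffic.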
And, to reiterate, don’t use free VPNs. You should research any VPN you’re considering paying for—and I mean really research it, don’t just read some app store reviews or a single analysis from some VPN-friendly site that might be getting affiliate cash under the table for handing out buckets of praise. Sites that are obsessive about privacy and recommend a scant number of VPNs are great; sites that praise lots of VPNs because of their cost, speeds or UI? Not so much.