
Free VPN Apps: a threat to enterprise and consumer security

Posted on 8 October 2025

What happened? 

A recent study by Zimperium zLabs has exposed significant privacy and security flaws in a large number of free VPN apps. Researchers analysed 800 VPN apps for Android and iOS, and found that many failed to deliver the protection users expect, creating serious risks for any organisations operating a "bring your own device" (BYOD) policy.  

Testing found that nearly 1% of apps bypass TLS certificate validation entirely, accepting self-signed or otherwise untrusted certificates. An attacker positioned on the network path could then terminate the "encrypted" connection themselves and read or alter all traffic through a Man-in-the-Middle (MitM) attack, undermining one of the core premises of VPN security.  
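The misconfiguration described above is easiest to see side by side with its correct counterpart. The following Python example is added here for illustration and is not code from the study or from any of the apps it examined: it uses Python's standard `ssl` module to build a client context with validation switched off, the hardened equivalent, and a small audit function (the function and context names are this example's own) that flags the weak settings a reviewer would look for.

```python
import ssl
from typing import Dict, Optional

# Added illustration (not from the Zimperium study): the "accept any
# certificate" configuration next to a properly verifying one, plus an
# audit helper. Function names are this example's own.


def weak_client_context() -> ssl.SSLContext:
    """Validation switched off: any certificate, self-signed or forged, is
    accepted, so anyone on the network path can terminate the tunnel."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared first; setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # while check_hostname is on raises ValueError
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """The default context verifies the chain against the platform trust store
    (or a private CA bundle, which acts as a form of pinning) and checks that
    the hostname matches the certificate. TLS 1.2 is enforced as the floor."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> Dict[str, bool]:
    """Inspect a context the way a reviewer would inspect an app's TLS setup.
    Every value must be True for the configuration to be acceptable."""
    return {
        "verifies_chain": ctx.verify_mode != ssl.CERT_NONE,
        "checks_hostname": bool(ctx.check_hostname),
        "tls12_or_higher": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def is_acceptable(ctx: ssl.SSLContext) -> bool:
    return all(audit_context(ctx).values())


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()),
                       ("hardened", hardened_client_context())):
        verdict = "OK" if is_acceptable(ctx) else "REJECT"
        print(f"{label:9s} {audit_context(ctx)} -> {verdict}")
```

On Android the same defect usually appears as a custom `X509TrustManager` whose `checkServerTrusted` returns without checking anything, or a `HostnameVerifier` that always returns true; the corrective controls there are the platform's default trust manager and a Network Security Config that pins the VPN provider's CA.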

Many requested excessive or unnecessary permissions, including access to microphones, location data, or system logs.  

Even more concerningly, some apps still rely on vulnerable libraries, including old versions of OpenSSL affected by CVE-2014-0160, better known as "Heartbleed". This infamous bug, when exploited, could allow attackers to exfiltrate TLS session keys, credentials, and private messages. Despite patches having been available for over a decade, these VPNs may still expose users' supposedly "encrypted" tunnels to compromise. 

Zimperium also found that a number of the apps identified contained improperly secured components, allowing external applications to query VPN logs, inject malicious configuration profiles, or even potentially phish user credentials. In some cases, unprotected exported components could disable encryption on demand, rerouting traffic through attacker-controlled servers. 
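Both the excessive-permission finding and the exported-component finding above can be checked statically from an app's AndroidManifest.xml before the app is approved for a BYOD fleet. The Python example below is added here and is not Zimperium's tooling or code from any of the apps studied: it parses a constructed sample manifest, reports requested permissions outside an assumed baseline for a VPN client, lists exported components that any other app can reach without holding a permission, and confirms the `VpnService` is guarded by `android.permission.BIND_VPN_SERVICE`. The baseline permission set and the sample manifest are this example's assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Added example, not the study's tooling. Audits an AndroidManifest.xml for
# the two classes of finding described above.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
VPN_SERVICE_ACTION = "android.net.VpnService"
VPN_BIND_PERMISSION = "android.permission.BIND_VPN_SERVICE"

# Assumed baseline: what a VPN client plausibly needs. A policy input, not a standard.
VPN_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
}

# Constructed sample manifest exhibiting the problems described in the text.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_LOGS"/>
    <application>
        <service android:name=".TunnelService" android:exported="true"
                 android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
        </service>
        <service android:name=".ConfigImportService" android:exported="true">
            <intent-filter><action android:name="com.example.freevpn.IMPORT_PROFILE"/></intent-filter>
        </service>
        <provider android:name=".LogProvider" android:exported="true"
                  android:authorities="com.example.freevpn.logs"/>
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".BootReceiver" android:exported="false"/>
    </application>
</manifest>
"""


def has_action(component: ET.Element, action: str) -> bool:
    return any(a.get(ANDROID_NS + "name") == action
               for f in component.findall("intent-filter")
               for a in f.findall("action"))


def is_exported(component: ET.Element) -> bool:
    exported = component.get(ANDROID_NS + "exported")
    if exported is not None:
        return exported == "true"
    # Before Android 12, a component with an intent-filter and no explicit
    # android:exported attribute was implicitly exported.
    return component.find("intent-filter") is not None


def excessive_permissions(root: ET.Element, baseline=VPN_BASELINE) -> List[str]:
    requested = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    return sorted(p for p in requested if p not in baseline)


def unprotected_exported_components(root: ET.Element) -> List[Tuple[str, str]]:
    """Exported components reachable by any app, with no permission guard.
    The launcher activity is exported by design and is skipped."""
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if not is_exported(comp) or comp.get(ANDROID_NS + "permission"):
                continue
            if tag == "activity" and has_action(comp, "android.intent.action.MAIN"):
                continue
            findings.append((tag, comp.get(ANDROID_NS + "name")))
    return findings


def unguarded_vpn_services(root: ET.Element) -> List[str]:
    """VpnService implementations must require BIND_VPN_SERVICE so only the
    system can bind to them."""
    return [s.get(ANDROID_NS + "name") for s in root.iter("service")
            if has_action(s, VPN_SERVICE_ACTION)
            and s.get(ANDROID_NS + "permission") != VPN_BIND_PERMISSION]


def audit_manifest(xml_text: str) -> Dict[str, list]:
    root = ET.fromstring(xml_text)
    return {
        "excessive_permissions": excessive_permissions(root),
        "unprotected_exported": unprotected_exported_components(root),
        "unguarded_vpn_services": unguarded_vpn_services(root),
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run against a real app, the manifest is obtained by decoding the APK (for example with `apktool`); the flagged `LogProvider` and `ConfigImportService` in the sample correspond to the "query VPN logs" and "inject configuration profiles" exposures the study describes, and the permission list is the input to the "review app permissions" step in the recommendations below.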

So what? 

The risks extend well beyond individual users. A vulnerable VPN can undermine network security and regulatory compliance, and any weak link in enterprise defences can expose sensitive corporate data. As employees shift towards remote or hybrid working, many are no longer constrained to working on managed devices over secured infrastructure; it is not uncommon to use a personal mobile device, often over unsecured public networks. 

The traditional perimeter is gone, and in the BYOD reality of remote work these findings highlight a concerning pattern: VPNs are often treated as "trusted" by default, but this research shows the need for stronger vetting and ongoing monitoring. For technical leaders, this means taking a hard look at the mobile apps permitted in BYOD environments.  

What should I do? 

As the findings above show, many free VPNs ultimately provide very little real security, instead serving as vectors for surveillance, credential theft, and even full device compromise. Visibility into these hidden risks is critical to protecting sensitive enterprise data and maintaining trust in mobile defences. 

To avoid falling foul of the above, recommendations include: 

Educate users: make staff aware of the potential risks that can arise from the use of free VPN apps. Many reputable, enterprise-grade solutions exist, and selecting a secure app is paramount. 

Limit app installations: to reduce the attack surface and minimise the risk of compromise, consider restricting devices to the installation of approved applications only. 

Implement zero-trust principles: treat all network access as potentially malicious and continuously monitor for suspicious behaviour; do not simply assume that VPN apps are inherently secure by default. 

Review app permissions: ensure any installed VPN apps do not request unnecessary access to sensitive data or device features. 
