Many digital users rely on Virtual Private Networks (VPNs) to combat security threats, allowing the application to view, intercept and handle all user traffic in return for hiding identifying information from third parties. Yet a new mobile VPN security testing framework—MVPNalyzer—found many popular VPNs breach user trust, according to a University of Michigan Engineering study.
Image: Markus Spiske - Unsplash
The framework is the first of its kind that can audit mobile VPN apps at scale. The research was presented at the Network and Distributed System Security (NDSS) 2026 Symposium and funded by the National Science Foundation.
Of the 281 popular Android VPN apps tested, 29 VPNs leaked DNS and browser traffic, defeating the purpose of a VPN. Over 20% of the VPNs transfer unencrypted content and more than 60% fail to implement basic security hardening.
“Our motivation comes from seeing how many people rely on VPNs for privacy and security, while many apps fail to uphold even basic protections. We want to make it possible for users, regulators and researchers to see what’s actually happening under the hood, so they can make informed choices and pressure industry to do better,” said Roya Ensafi, an associate professor of computer science and engineering at U-M and senior author of the study.
Systematic mobile VPN security testing
Up to this point, most VPN quality testing relied on isolated case studies, often on desktop VPNs, leaving mobile VPN security unexamined.The research team designed MVPNalyzer to automate and standardize mobile VPN security assessment. Importantly, the framework is modular and extendable, meaning the framework can adapt along with security threats.
Unlike existing approaches, MVPNalyzer inspects multiple network layers and configuration files, revealing leaks and vulnerabilities that manual or surface-level checks often miss.
Specifically, MVPNalyzer determines whether apps:
- Properly tunnel user traffic without leakage
- Use secure and robust communication channels
- Use hardened security configurations
- Exfiltrate sensitive user or device information to third parties
- Provide any kind of protection against detection, especially when they make strong claims of unblockability
Many mobile VPNs do not work as advertised
Many of the 281 popular Android VPN apps tested fail at basic security and some even leak user data, defeating the purpose of why a user downloaded a VPN in the first place.The researchers found 61 VPNs transmit traffic, including sensitive configuration files and traffic containing the user’s geolocation, unencrypted or outside the VPN tunnel. This exposes users to surveillance, attacks and hijacking by malicious actors.
Analyses found 76 VPNs send device-specific identifiers like the Advertising ID and other device data to third parties, enabling persistent tracking and fingerprinting. This undermines promises of privacy or anonymity often made by VPN apps.
Of the 108 apps the researchers could obtain configuration files to analyze, 107 of them misuse or ignore recommended VPN configuration and encryption standards. Many employ weak or outdated security settings and lack proper authentication, putting hundreds of millions of users at risk.
Safeguarding mobile VPN consumers
For end users, these findings demonstrate that not all VPNs are equally safe, helping consumers to make informed choices. Moving forward, MVPNalyzer can help regulators and consumer protection agencies systematically identify security and privacy risks in mobile VPN apps, guiding standards and policy.“This brings much-needed transparency to an ecosystem that’s often opaque to both researchers and the public,” said Wayne Wang, a doctoral student of computer science and engineering at U-M and co-lead author of the study.
The framework can also help researchers develop new tools and benchmarks for securing network traffic and evaluating app behavior. App developers can leverage MVPNalyzer to proactively audit their apps and adopt best practices, reducing vulnerabilities while building user trust.
Beyond VPNs, this framework structure could be extended to audit other privacy-critical mobile apps, like messaging or health platforms.
This research was supported by the National Science Foundation (CNS2452883 and CNS-2452884).
Reviewed by Irfan Ahmad.
This article was originally published by the University of Michigan Engineering and republished here with permission.
Read next: Study Finds AI-Generated Faces Rated More Trustworthy Than Real Faces, Raising Online Fraud and Misinformation Concerns
by External Contributor via Digital Information World

No comments:
Post a Comment