White_1
Categories: Cybersecurity, Americas - Featured News
Tags: Zimperium

Zimperium research finds one in four VPN apps fail privacy checks

Zimperium-research-find-one-in-four-VPN-apps-fail-privacy-checks
Picture of Eve Goode

Eve Goode

Share this content

Facebook
Twitter
LinkedIn

Zimperium has released new research from its zLabs team revealing alarming weaknesses in mobile Virtual Private Network (VPN) applications.

While VPNs are marketed as essential privacy tools, Zimperium’s analysis of 800 free Android and iOS apps shows that many actually put users and the enterprises they work for at greater risk.

Findings

  • 25% of iOS VPN apps lacked a valid privacy manifest, violating Apple requirements and leaving users in the dark on how their data is used
  • 6% requested private entitlements, powerful system-level permissions that should never be accessible to third-party apps
  • Multiple VPNs shipped with outdated OpenSSL code still exposed to the notorious Heartbleed vulnerability, a flaw disclosed more than a decade ago
  • Many apps engaged in permission abuse, requesting access to microphones, system logs, or always-on location tracking without justification
  • Some apps were capable of UI screen capture, giving providers or attackers a surveillance vector well beyond their stated function

“New pathways for surveillance, data theft and exploitation”

Ignacio Montamat, VP of Security Research, Zimperium commented: “These apps promise protection but instead create new pathways for surveillance, data theft and exploitation.

“For enterprises with BYOD programs, an insecure VPN isn’t just a consumer problem, it’s an organizational threat that can undermine corporate security at its core.”

Enforcing safety

Zimperium says that its findings also reveal widespread discrepancies between VPN developers’ data practices and their declared privacy policies with many apps failing to disclose sensitive data collection or misrepresenting their use of system APIs.

This lack of transparency leaves end users and IT teams unable to make informed decisions about which apps are safe to trust.

Zimperium states that it recommends enterprises and security leaders take a hard look at the mobile apps allowed in BYOD environments.

With VPNs often treated as “trusted” by default, this research highlights the need for stronger vetting and ongoing monitoring. Visibility into hidden risks from outdated libraries and weak encryption to misleading privacy policies and excessive permissions is critical to protecting sensitive enterprise data and ensuring trust in mobile defenses.

SUBSCRIBE NOW