
Mobile VPN security is not as strong as advertised
A new VPN auditing framework, MVPNalyzer, found many popular Android VPNs transmit sensitive data without encryption, some leak traffic and most fail to protect user IDs.

A new VPN auditing framework, MVPNalyzer, found many popular Android VPNs transmit sensitive data without encryption, some leak traffic and most fail to protect user IDs.
Many digital users rely on Virtual Private Networks (VPNs) to combat security threats, allowing the application to view, intercept and handle all user traffic in return for hiding identifying information from third parties. Yet a new mobile VPN security testing framework—MVPNalyzer—found many popular VPNs breach user trust, according to a University of Michigan Engineering study.
The framework is the first of its kind that can audit mobile VPN apps at scale. The research was presented at the Network and Distributed System Security (NDSS) 2026 Symposium and funded by the National Science Foundation.
Of the 281 popular Android VPN apps tested, 29 VPNs leaked DNS and browser traffic, defeating the purpose of a VPN. Over 20% of the VPNs transfer unencrypted content and more than 60% fail to implement basic security hardening.
“Our motivation comes from seeing how many people rely on VPNs for privacy and security, while many apps fail to uphold even basic protections. We want to make it possible for users, regulators and researchers to see what’s actually happening under the hood, so they can make informed choices and pressure industry to do better,” said Roya Ensafi, an associate professor of computer science and engineering at U-M and senior author of the study.
Up to this point, most VPN quality testing relied on isolated case studies, often on desktop VPNs, leaving mobile VPN security unexamined.
The research team designed MVPNalyzer to automate and standardize mobile VPN security assessment. Importantly, the framework is modular and extendable, meaning the framework can adapt along with security threats.
Unlike existing approaches, MVPNalyzer inspects multiple network layers and configuration files, revealing leaks and vulnerabilities that manual or surface-level checks often miss.
Specifically, MVPNalyzer determines whether apps:
“By automating analysis across network layers and configurations, we can uncover vulnerabilities affecting millions of users and hold app developers accountable,” said Aaron Ortwein, a doctoral student of computer science and engineering at U-M and co-lead author of the study.

Many of the 281 popular Android VPN apps tested fail at basic security and some even leak user data, defeating the purpose of why a user downloaded a VPN in the first place.
The researchers found 61 VPNs transmit traffic, including sensitive configuration files and traffic containing the user’s geolocation, unencrypted or outside the VPN tunnel. This exposes users to surveillance, attacks and hijacking by malicious actors.
Analyses found 76 VPNs send device-specific identifiers like the Advertising ID and other device data to third parties, enabling persistent tracking and fingerprinting. This undermines promises of privacy or anonymity often made by VPN apps.
Of the 108 apps the researchers could obtain configuration files to analyze, 107 of them misuse or ignore recommended VPN configuration and encryption standards. Many employ weak or outdated security settings and lack proper authentication, putting hundreds of millions of users at risk.
For end users, these findings demonstrate that not all VPNs are equally safe, helping consumers to make informed choices. Moving forward, MVPNalyzer can help regulators and consumer protection agencies systematically identify security and privacy risks in mobile VPN apps, guiding standards and policy.
“This brings much-needed transparency to an ecosystem that’s often opaque to both researchers and the public,” said Wayne Wang, a doctoral student of computer science and engineering at U-M and co-lead author of the study.
The framework can also help researchers develop new tools and benchmarks for securing network traffic and evaluating app behavior. App developers can leverage MVPNalyzer to proactively audit their apps and adopt best practices, reducing vulnerabilities while building user trust.
Beyond VPNs, this framework structure could be extended to audit other privacy-critical mobile apps, like messaging or health platforms.
This research was supported by the National Science Foundation (CNS2452883 and CNS-2452884).