A schematic of a phone using a virtual private network for a Google search. Arrows demonstrate that while some traffic goes to VPN protected servers, some traffic leaks to external websites, trackers and ads.

Mobile VPN security is not as strong as advertised

A new VPN auditing framework, MVPNalyzer, found many popular Android VPNs transmit sensitive data without encryption, some leak traffic and most fail to protect user IDs.

  • MVPNalyzer, developed by University of Michigan Engineering, systematically audits hundreds of mobile VPNs simultaneously.
  • Many Android VPNs do not protect users’ data and privacy as promised, but leak user data, fail at basic security and allow widespread tracking and fingerprinting.
  • Mobile VPN security suffers widespread developer negligence and weak industry oversight, but MVPNalyzer provides a tool to help researchers, regulators and even app developers audit privacy and security at scale.

Many digital users rely on Virtual Private Networks (VPNs) to combat security threats, allowing the application to view, intercept and handle all user traffic in return for hiding identifying information from third parties. Yet a new mobile VPN security testing framework—MVPNalyzer—found many popular VPNs breach user trust, according to a University of Michigan Engineering study.

The framework is the first of its kind that can audit mobile VPN apps at scale. The research was presented at the Network and Distributed System Security (NDSS) 2026 Symposium and funded by the National Science Foundation.

Of the 281 popular Android VPN apps tested, 29 VPNs leaked DNS and browser traffic, defeating the purpose of a VPN. Over 20% of the VPNs transfer unencrypted content and more than 60% fail to implement basic security hardening.  

“Our motivation comes from seeing how many people rely on VPNs for privacy and security, while many apps fail to uphold even basic protections. We want to make it possible for users, regulators and researchers to see what’s actually happening under the hood, so they can make informed choices and pressure industry to do better,” said Roya Ensafi, an associate professor of computer science and engineering at U-M and senior author of the study.

Systematic mobile VPN security testing

Up to this point, most VPN quality testing relied on isolated case studies, often on desktop VPNs, leaving mobile VPN security unexamined.

The research team designed MVPNalyzer to automate and standardize mobile VPN security assessment. Importantly, the framework is modular and extendable, meaning the framework can adapt along with security threats.

Unlike existing approaches, MVPNalyzer inspects multiple network layers and configuration files, revealing leaks and vulnerabilities that manual or surface-level checks often miss.

Specifically, MVPNalyzer determines whether apps: 

  • Properly tunnel user traffic without leakage
  • Use secure and robust communication channels
  • Use hardened security configurations
  • Exfiltrate sensitive user or device information to third parties
  • Provide any kind of protection against detection, especially when they make strong claims of unblockability

“By automating analysis across network layers and configurations, we can uncover vulnerabilities affecting millions of users and hold app developers accountable,” said Aaron Ortwein, a doctoral student of computer science and engineering at U-M and co-lead author of the study.

A schematic of a phone using a virtual private network for a Google search. Arrows demonstrate that while some traffic goes to VPN protected servers, some traffic leaks to external websites, trackers and ads.
A new mobile VPN security testing framework developed by University of Michigan Engineering finds that many Android VPNs do not protect users’ data as privacy as promised. The tool can help researchers, regulators and app developers audit privacy and security at scale. Credit: Wayne Wang et al., 2026.

Many mobile VPNs do not work as advertised

Many of the 281 popular Android VPN apps tested fail at basic security and some even leak user data, defeating the purpose of why a user downloaded a VPN in the first place. 

The researchers found 61 VPNs transmit traffic, including sensitive configuration files and traffic containing the user’s geolocation, unencrypted or outside the VPN tunnel. This exposes users to surveillance, attacks and hijacking by malicious actors.

Analyses found 76 VPNs send device-specific identifiers like the Advertising ID and other device data to third parties, enabling persistent tracking and fingerprinting. This undermines promises of privacy or anonymity often made by VPN apps.

Of the 108 apps the researchers could obtain configuration files to analyze, 107 of them misuse or ignore recommended VPN configuration and encryption standards. Many employ weak or outdated security settings and lack proper authentication, putting hundreds of millions of users at risk.

Safeguarding mobile VPN consumers

For end users, these findings demonstrate that not all VPNs are equally safe, helping consumers to make informed choices. Moving forward, MVPNalyzer can help regulators and consumer protection agencies systematically identify security and privacy risks in mobile VPN apps, guiding standards and policy.

“This brings much-needed transparency to an ecosystem that’s often opaque to both researchers and the public,” said Wayne Wang, a doctoral student of computer science and engineering at U-M and co-lead author of the study.

The framework can also help researchers develop new tools and benchmarks for securing network traffic and evaluating app behavior. App developers can leverage MVPNalyzer to proactively audit their apps and adopt best practices, reducing vulnerabilities while building user trust.

Beyond VPNs, this framework structure could be extended to audit other privacy-critical mobile apps, like messaging or health platforms. 

This research was supported by the National Science Foundation (CNS2452883 and CNS-2452884).