About 29% of VPN users rely on free options, and they are doing so in a market where the distance between a trustworthy free tier and a genuinely harmful one is larger than it has ever been - while app store listings have grown better at hiding that distance. The challenge is not the price point itself. It is the business model behind it, and understanding that distinction is the only reliable way to make a safe choice.
When No Revenue Is Visible, You Are Usually the Revenue
Running a VPN requires real infrastructure: servers, bandwidth, engineering, and ongoing security maintenance. An app offering all of that at zero cost is covering those expenses somewhere. Across multiple independent audits and documented incidents, the most common answer has been user data - browsing history, app usage patterns, and device identifiers sold to data brokers and advertising networks. An app doing that is not protecting your privacy. It is monetizing it.
The documented incidents are specific and worth knowing. A security analysis by Zimperium zLabs examined around 800 free VPN apps available on official app stores and found widespread problems: outdated third-party code with known vulnerabilities, permission requests that far exceeded anything a VPN function requires, and in some cases the technical capability to silently capture screenshots of the user's screen. A VPN app that can record your screen has completely inverted its stated purpose.
Beyond research findings, a single breach in 2021 exposed credentials from three free VPN apps - SuperVPN, GeckoVPN, and ChatVPN - affecting 21 million users. The overlap pointed to shared infrastructure and weak data custody across all three. Hola VPN was separately caught routing its free users' traffic through a paid sister network, effectively turning customers into exit nodes for a commercial product without their knowledge or consent. These are not edge cases. They are the logical outcome of apps with no other visible path to revenue.
The single most useful question to ask before downloading any free VPN is this: is this a free tier offered by a provider that also runs a paid product? Or is it a standalone free app with no clear business model? The first type has every commercial incentive to protect your data, because a paying customer base depends on trust. The second type has the opposite incentive.
The Platform You Use Changes Your Risk Profile Significantly
The device in your pocket is a meaningful variable here. Apple's App Store review process applies notably stricter scrutiny to VPN submissions than the equivalent process at Google Play. iOS apps face additional review around privacy disclosures, data collection practices, and how the app handles network traffic. That review burden filters out a significant portion of the more harmful options. The free VPN pool on iOS is smaller, but it is, on balance, cleaner.
Android's more open ecosystem creates a wider selection and a correspondingly wider range of risks. Google has explicitly warned about malicious apps disguised as VPNs delivering malware and spyware, including remote access tools and credential stealers. Sideloading - installing apps from outside the Play Store entirely - is technically possible on Android in ways iOS does not permit, and that gap is exploited regularly. If you are on Android, the official Play Store represents a baseline minimum, not a guarantee. You still need to audit permissions before installation.
The Permissions Screen Most Users Skip Past
When installing an app on Android, the operating system displays what the app is requesting access to. Most users tap through without reading it. For a VPN, this screen matters more than the listing description ever will.
A VPN application has no legitimate operational need for access to your camera, microphone, contacts, or call log. None. If an app requests any of those during installation, the installation should stop there. The expected permissions for a VPN are narrow:
- Network access
- VPN service designation
- Foreground service notification
Anything beyond that category warrants a direct explanation in the privacy policy. If the privacy policy does not provide one - or if it consists largely of vague assurances rather than specific disclosures about what is collected, in what form, and for how long - that vagueness is itself informative. On iOS, the system restricts what permissions apps can even request, which is part of why the platform risk is lower. But the same principle applies: read what the privacy policy says about data collection, not what the listing headline promises.
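The permission check described above can be scripted against an app's declared permissions before installation. This is an added example, not from the article or any VPN vendor: the mapping of the three expected categories to Android permission names is an assumption, the input is assumed to be text in the style of `aapt dump permissions`, and the sample dump and package name are constructed.

```python
import re

# Assumed mapping of the article's expected categories to Android permission names.
# The VPN service designation (BIND_VPN_SERVICE) is declared on the app's own
# service rather than requested with uses-permission, so it is not listed here.
EXPECTED = {
    "android.permission.INTERNET",              # network access
    "android.permission.ACCESS_NETWORK_STATE",  # network access
    "android.permission.FOREGROUND_SERVICE",    # foreground service
    "android.permission.POST_NOTIFICATIONS",    # foreground service notification
}
# Access the article says a VPN never needs: camera, microphone, contacts, call log.
STOP = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.WRITE_CALL_LOG": "call log",
}
# Accepts "uses-permission: name='X'", the older "uses-permission: X",
# and the "uses-permission-sdk-NN:" variant.
LINE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def audit(dump: str) -> dict:
    """Classify requested permissions: stop, needs a policy explanation, or ok."""
    requested = set()
    for line in dump.splitlines():
        m = LINE.match(line.strip())
        if m:
            requested.add(m.group(1))
    stop = sorted(p for p in requested if p in STOP)
    unexplained = sorted(requested - EXPECTED - set(STOP))
    verdict = "stop" if stop else "check privacy policy" if unexplained else "ok"
    return {"verdict": verdict, "stop": stop, "unexplained": unexplained}

# Constructed sample input for a hypothetical app.
SAMPLE_DUMP = """\
package: com.example.freevpn
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.FOREGROUND_SERVICE'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: android.permission.RECORD_AUDIO
"""

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP))
```

A "check privacy policy" verdict corresponds to the case above where a permission falls outside the expected set and the policy has to account for it.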
What a Free VPN Should Realistically Offer - and What It Will Not
Free does not have to mean compromised on the fundamentals. A free tier worth using should meet certain baseline standards without exception.
- A no-logs policy with specifics. The policy should state what data is collected, in what form, and how long it is retained. Phrases like "we respect your privacy" carry no meaningful information and should be treated as evasions.
- A kill switch. This feature cuts your internet connection entirely if the VPN tunnel drops, preventing your real IP address from being exposed during a lapse. It is uncommon in free tiers, which makes its presence a meaningful signal about how seriously the provider treats security.
- WireGuard protocol support. WireGuard is now a widely reviewed, industry-trusted standard for mobile security and connection speed. A free VPN still defaulting exclusively to older protocols without offering WireGuard as an option raises a fair question about the provider's technical investment.
What a legitimate free tier will not provide is the full product. Premium server locations, dedicated streaming servers, maximum speeds, and unlimited simultaneous connections sit behind a paywall in every credible free offering. That is a fair and honest trade-off. An app that promises all of those features at no cost, indefinitely, with no paid alternative in sight, is not describing a business. It is describing a trap.