Republished on June 29 with additional analysis on the national security threat.

Tens of millions of Android and iPhone users are being warned they have installed free apps that leave them at serious risk. Those users could now be sending their sensitive data to companies under the control of the Chinese government.

Earlier this week, I reported on the list of iPhone and Android apps issued by the Tech Transparency Project (TTP). These are all VPNs — virtual private networks. Apps which are meant to make users safer and more secure but are doing the very opposite.

“Millions of Americans have downloaded apps that secretly route their internet traffic through Chinese companies,” TTP says. It last reported on this threat in April, and now says “Apple and Google app stores continue to offer private browsing apps that are surreptitiously owned by Chinese companies… six weeks after they were identified.”

ForbesSamsung’s Next Android Upgrade—‘Even Better’ Than PixelBy Zak Doffman

A raft of warnings now have followed that report, urging users to delete the apps. “The risks are too great” to keep them on your phone, warns Top10VPNs Simon Migliano. “In light of these findings, I strongly urge users to avoid Chinese-owned VPNs altogether.”

For its part, Google says it is “committed to compliance with applicable sanctions and trade compliance laws. When we locate accounts that may violate these laws, our related policies or Terms of Service, we take appropriate action.”

While Apple makes similar assurances, and says it enforces App Store rules but does not differentiate its handling of apps by the location of their developers. It does say where VPNs are concerned that data sharing with third parties is prohibited.

vpnMentor’s Lisa Taylor says this is “no surprise,” that “China usually uses different methods to gain other countries’ citizen’s personal information, most of which are often covered behind a legal front.” And that “free VPNs are perfect cover up to these kind of operations,” often recording user activity even when they say they don’t.

BeyondTrust’s James Maude agrees. “If you aren’t paying for a product, you are the product. These VPN services are a perfect example of the hidden costs of free apps where users seeking more privacy online are potentially unknowingly feeding data to a foreign nation state out of fear their local coffee shop Wi-Fi is spying on them.”

While Black Duck’s Vijay Dilwale calls TTP’s report “a sobering wake-up call that VPNs, which claim to protect privacy, can pose very serious security risks, especially when their true ownership is hidden. These apps have access to all user traffic, and when handled by Chinese-based entities, the implications are well beyond individual privacy.”

TTP reports that all of the VPNs it has identified “are listed as free in the app stores. But during TTP’s May spot check, researchers observed that some of the VPNs offered in-app purchases on top of whatever users get with the ‘free’ app.”

This lack of transparency, Taylor told me, “is one of the main reasons why we do not recommend free VPNs and we are concerned that with all the content restrictions throughout the world, people are flocking to free VPNs.”

Migliano says “true internet freedom and privacy depend on transparency and trust. Yet despite being made aware of glaring privacy failures and opaque corporate structures, Google and Apple continue to permit these high-risk apps on their platforms.”

There are also some more serious national security concerns that have been raised. The nature of these apps on devices with obscure geographical locations and ownership is a major issue when it comes to those handling sensitive data or making their locations.

ForbesTikTok Removes ‘Watch For 9 Seconds’ Scam AccountsBy Zak Doffman

“Regardless of if the VPN is free,” Maude says, “paid or linked to a nation state there are always risks involved in trusting a VPN service to truly protect your privacy and much of the demand for these services is driven by fear and a misunderstanding of the security offered by modern web browsing.”

Cequence Security’s Randolph Barr agrees. “There’s no question Apple and Google can and should do more to mitigate the national security and privacy risks posed by VPN apps with undisclosed foreign ownership, particularly those tied to hostile nation-states.” Which raises a question around an added layer of app store security.

“While they have frameworks in place for data protection and transparency,” Barr told me, “enforcement is often inconsistent or delayed, especially when developers obscure their true ownership through complex corporate structures. Conducting deeper vetting requires significant legal, technical, and geopolitical effort, something these platforms have been slow to scale.” This leaves a vacuum others may need to fill.

According to Dilwale, “Chinese law requires collaboration with state intelligence efforts by businesses. This is not optional, but legislation. As a result, all information traveling through these apps could possibly be available for the Chinese government to access.”

As TTP explains, “China has enacted a series of national security laws over the last decade outlining its access to data held by Chinese companies. Chief among these is the country’s National Intelligence Law of 2017, which requires that China-based organizations and individuals cooperate with state intelligence work.”

TTP says that “according to guidance from the U.S. Department of Homeland Security, in practice, this means that Chinese intelligence agencies may demand access to data of U.S. individuals and businesses held by Chinese entities and even compel the creation of backdoors in equipment and software.”

“In age where identity is the new perimeter these free VPN service that may not only process sensitive browsing data through foreign servers,” Maude says, “but can also create large peer-to-peer networks of proxy exit nodes can potentially be misused to both target and surveil identities but also provide a mechanism to exploit them using a vast network of exit nodes close by their target.”

“Worryingly,” Dilwale warns, “the majority of these apps continue to sit in top app stores without complete transparency about their ownership. In some cases, even Apple and Google could also be profiting from them. This is not merely a consumer protection issue. It is a national security issue. Platforms should do more to demand open ownership, stricter vetting for risky applications like VPNs, and reassessing how they make money off of tools that carry this kind of risk.”

ForbesMicrosoft Confirms 2 Free Offers—Windows Users Must Now ChooseBy Zak Doffman

Barr suggests the following mitigating actions, and says if they can’t be handled at app store level, they must be done by organizations needing to control such risks:

• Perform enhanced due diligence on installed apps by leveraging AI to analyze metadata, behavior, and network traffic.
• Enforce ownership transparency checks by using AI to map developer identities and flag hidden ties.
• Monitor data flow and storage behavior on the device, identifying apps that may exfiltrate data.
• Apply real-time app behavior analysis to detect threats post-installation.
• Provide continuous monitoring and re-evaluation of app risk as threat landscapes evolve.

Deepwatch’s Chad Cragle has issued the same warning. “When owned by Chinese companies and hidden behind layers of shell companies, it becomes a serious concern. Apple advocates for protecting our privacy, yet these apps are still accessible. Google?”

Cragle says “they often allow nearly any app on their store. It’s time for the platforms to take responsibility and set the example. You can’t claim to prioritize privacy if you’re letting other parties control the playbook. If they don’t properly scrutinize these apps, they’re not just passively allowing it—they’re helping to create the problem. And let’s be honest, this isn’t just about privacy; it’s about national security, too.”

The biggest takeaway from TTP’s report is clearly blurred lines within the App Store and Play Store. “Even trusted platforms like the Play Store aren’t immune to today’s increasingly complex cybersecurity threats,” Keeper Security’s Steve Barney told me.

“Too often,” Barney warns, “users assume that if an app is available in an official store, it must be safe. While it’s always recommended to download apps from official sources, that alone is not a guarantee that the app is secure.”

As PC Mag says, whether or not VPNs send your data to China, using the wrong one can out you at risk: “Think your VPN has you fully covered? You might be surprised.”

“Many free VPNs come with trade-offs,” PC Mag says, “which can make tasks like streaming or downloading large files frustrating. Others might restrict you to a select few, crowded servers. Worse, free VPN services might inject ads into web pages, log your activity, or sell your browsing history and data to third parties.”

ForbesPorn Ban Warning For Millions Of iPhone And Android UsersBy Zak Doffman

But more critically, “if your goal is security, consistent speeds, and real privacy, a paid VPN service is almost always the safer, more reliable choice.”

The news this weekend that America’s Supreme Court has ruled in favor of state bans on porn access without identity or age checks has thrust VPNs into the headlines yet again. Multiple articles are now advising which VPNs allow “Pornhub workarounds.”

The risk is that the ones users are likely to find topping app store lists are the free offerings, many of which are Chinese and to be found on TTP’s list. Take your time, select a VPN from a trusted source and avoid any cheap and cheerful free apps.

Here is the list of apps from TTP’s report:

Apple App Store:

1. X-VPN – Super VPN & Best Proxy
2. Ostrich VPN – Proxy Master
3. VPN Proxy Master – Super VPN
4. Turbo VPN Private Browser
5. VPNIFY – Unlimited VPN
6. VPN Proxy OvpnSpider
7. WireVPN – Fast VPN & Proxy
8. Now VPN – Best VPN Proxy
9. Speedy Quark VPN – VPN Proxy
10. Best VPN Proxy AppVPN
11. HulaVPN – Best Fast Secure VPN,
12. Wirevpn – Secure & Fast VPN
13. Pearl VPN

Google Play Store:

1. Turbo VPN – Secure VPN Proxy
2. VPN Proxy Master – Safer Vpn
3. X-VPN – Private Browser VPN
4. Speedy Quark VPN – VPN Master
5. Ostrich VPN – Proxy Unlimited
6. Snap VPN: Super Fast VPN Proxy
7. Signal Secure VPN – Robot VPN
8. VPN Proxy OvpnSpider
9. HulaVPN – Fast Secure VPN
10. VPN Proxy AppVPN

The Android app vpnify is also in TTP’s report, but has now relocated outside China and has contacted TTP to update its information and to be removed from the report.

The developers behind the platform told me “VPNIFY is not owned or controlled by any entity in mainland China. We do not log, store, or share user data. VPNIFY has always enforced a strict no-logs policy. We don’t collect or retain any user activity data. There’s simply nothing to hand over to anyone, and we don’t plan to open pandora’s box. Our infrastructure is globally distributed and designed with advanced obfuscation and encryption to help users bypass censorship in high-risk regions.”