MVPNalyzer: An Investigative Framework for Auditing the Security & Privacy of Mobile VPNs

Wayne Wang

Network and Distributed System Security (NDSS) Symposium 2026 · Day 1 · Apps & Cloud Security

VPN providers promise absolute security and privacy with the click of a button, but a large-scale audit of **281 free mobile VPN apps** from the Google Play Store reveals that this promise is overwhelmingly broken. Using **MVPNalyzer**, a semi-automated dynamic analysis framework, researchers from the University of Michigan and the University of New Mexico found that **247 of 281 apps (88%)** exhibited at least one security or privacy deficiency, and **144 (51%)** exhibited more than one. These are not obscure apps -- collectively they represent over **2.4 billion installs**.

AI review

A thorough large-scale audit of 281 mobile VPN apps revealing that 88% have security or privacy deficiencies, including five apps that fetch OpenVPN configs over plaintext HTTP enabling a demonstrated traffic redirection attack. The framework is well-engineered and the findings are impactful at 2.4 billion installs, but the vulnerability classes themselves -- cleartext communications, DNS leaks, tracking, misconfigurations -- are well-known categories rather than novel attack techniques.
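The cleartext-config finding above, written as a check over captured app traffic. This is an added example, not MVPNalyzer's code or the authors' method; the flow record layout, the function names, and all package names, hosts and addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Common OpenVPN client-profile directives. A body counts as a profile when it
# has a `remote` line plus at least one other directive (heuristic, assumed).
DIRECTIVES = re.compile(
    r"^\s*(client\b|dev\s+tun|dev\s+tap|proto\s+(?:udp|tcp)\S*|remote\s+\S+|"
    r"auth-user-pass|<ca>|<cert>|<key>|<tls-auth>|<tls-crypt>)", re.M | re.I)
REMOTE = re.compile(r"^\s*remote\s+(\S+)(?:\s+(\d+))?", re.M | re.I)

def looks_like_ovpn(body):
    kinds = {m.group(1).split()[0].lower() for m in DIRECTIVES.finditer(body)}
    return "remote" in kinds and len(kinds) >= 2

def audit(flows):
    """Return one finding per OpenVPN profile that was fetched over plain HTTP."""
    findings = []
    for f in flows:
        if urlsplit(f["url"]).scheme.lower() != "http":
            continue  # HTTPS fetches are out of scope for this check
        if not looks_like_ovpn(f["body"]):
            continue
        # 1194 is OpenVPN's default port when the remote line names none.
        remotes = [(h, int(p or 1194)) for h, p in REMOTE.findall(f["body"])]
        findings.append({
            "app": f["app"], "url": f["url"], "remotes": remotes,
            # True when the CA came over the same unauthenticated channel.
            "inline_ca": "<ca>" in f["body"].lower(),
        })
    return findings

# Constructed sample flows (not data from the paper).
FLOWS = [
    {"app": "com.example.vpn.a",
     "url": "http://cfg.example.test/profiles/us1.ovpn",
     "body": "client\ndev tun\nproto udp\nremote 203.0.113.10 1194\n"
             "<ca>\n-----BEGIN CERTIFICATE-----\n(elided)\n"
             "-----END CERTIFICATE-----\n</ca>\n"},
    {"app": "com.example.vpn.b",
     "url": "https://api.example.test/v1/config",
     "body": "client\ndev tun\nremote 198.51.100.7 443\n"},
    {"app": "com.example.vpn.c",
     "url": "http://cdn.example.test/banner.json",
     "body": '{"title": "remote work deals"}'},
]

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```

Only the first flow is reported: the second profile travels over HTTPS, and the third is cleartext but contains no profile directives.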
