Republished on June 28 with new national security warnings over use of these apps.

Tens of millions of Android and iPhone users are being warned they have installed free apps that leave them at serious risk. Those users could now be sending their sensitive data to companies under the control of the Chinese government.

Earlier this week, I reported on the list of iPhone and Android apps issued by the Tech Transparency Project (TTP). These are all VPNs — virtual private networks. Apps which are meant to make users safer and more secure but are doing the very opposite.

“Millions of Americans have downloaded apps that secretly route their internet traffic through Chinese companies,” TTP says. It last reported on this threat in April, and now says “Apple and Google app stores continue to offer private browsing apps that are surreptitiously owned by Chinese companies… six weeks after they were identified.”

ForbesMicrosoft Confirms 2 Free Offers—Windows Users Must Now Choose

A raft of warnings now have followed that report, urging users to delete the apps. “The risks are too great” to keep them on your phone, warns Top10VPNs Simon Migliano. “In light of these findings, I strongly urge users to avoid Chinese-owned VPNs altogether."

For its part, Google says it is "committed to compliance with applicable sanctions and trade compliance laws. When we locate accounts that may violate these laws, our related policies or Terms of Service, we take appropriate action.”

While Apple makes similar assurances, and says it enforces App Store rules but does not differentiate its handling of apps by the location of their developers. It does say where VPNs are concerned that data sharing with third parties is prohibited.

vpnMentor’s Lisa Taylor says this is “no surprise,” that "China usually uses different methods to gain other countries’ citizen’s personal information, most of which are often covered behind a legal front.” And that “free VPNs are perfect cover up to these kind of operations,” often recording user activity even when they say they don’t.

BeyondTrust’s James Maude agrees. “If you aren’t paying for a product, you are the product. These VPN services are a perfect example of the hidden costs of free apps where users seeking more privacy online are potentially unknowingly feeding data to a foreign nation state out of fear their local coffee shop Wi-Fi is spying on them.”

While Black Duck’s Vijay Dilwale calls TTP’s report “a sobering wake-up call that VPNs, which claim to protect privacy, can pose very serious security risks, especially when their true ownership is hidden. These apps have access to all user traffic, and when handled by Chinese-based entities, the implications are well beyond individual privacy.”

TTP reports that all of the VPNs it has identified "are listed as free in the app stores. But during TTP’s May spot check, researchers observed that some of the VPNs offered in-app purchases on top of whatever users get with the 'free’ app.”

This lack of transparency, Taylor told me, “is one of the main reasons why we do not recommend free VPNs and we are concerned that with all the content restrictions throughout the world, people are flocking to free VPNs.”

Migliano says "true internet freedom and privacy depend on transparency and trust. Yet despite being made aware of glaring privacy failures and opaque corporate structures, Google and Apple continue to permit these high-risk apps on their platforms.”

There are also some more serious national security concerns that have been raised. The nature of these apps on devices with obscure geographical locations and ownership is a major issue when it comes to those handling sensitive data or making their locations.

Cequence Security’s Randolph Barr warns “there’s no question Apple and Google can and should do more to mitigate the national security and privacy risks posed by VPN apps with undisclosed foreign ownership, particularly those tied to hostile nation-states.” Which raises a question around an added layer of app store security.

“While they have frameworks in place for data protection and transparency,” Barr told me, “enforcement is often inconsistent or delayed, especially when developers obscure their true ownership through complex corporate structures. Conducting deeper vetting requires significant legal, technical, and geopolitical effort, something these platforms have been slow to scale.” This leaves a vacuum others may need to fill.

Barr suggests the following mitigating actions, and says if they can’t be handled at app store level, they must be done by organizations needing to control such risks:

ForbesSamsung’s Next Android Upgrade—‘Better’ Than Google’s PixelBy Zak Doffman

Deepwatch’s Chad Cragle has issued the same warning. “When owned by Chinese companies and hidden behind layers of shell companies, it becomes a serious concern. Apple advocates for protecting our privacy, yet these apps are still accessible. Google?”

Cragle says “they often allow nearly any app on their store. It’s time for the platforms to take responsibility and set the example. You can’t claim to prioritize privacy if you're letting other parties control the playbook. If they don't properly scrutinize these apps, they’re not just passively allowing it—they’re helping to create the problem. And let's be honest, this isn't just about privacy; it’s about national security, too.”

---

Here is the list of apps from TTP’s report:

Apple App Store:

Google Play Store:

1. Snap VPN: Super Fast VPN Proxy
2. Signal Secure VPN - Robot VPN
3. VPN Proxy OvpnSpider
4. HulaVPN - Fast Secure VPN
5. VPN Proxy AppVPN

The Android app vpnify is also in TTP’s report, but has now relocated outside China and has contacted TTP to update its information and to be removed from the report.