Apple & Google profit as Chinese VPNs collect your private data
Weeks after researchers raised red flags, the U.S. App Store still features VPNs that hide their Chinese ownership and could be routing user data straight into Beijing's hands.
Chinese VPNs are still rampant in the App Store
More than six weeks after researchers raised the alarm, Apple and Google are still letting VPN apps with ties to Chinese companies remain in their U.S. app stores. Most of these apps don't disclose who owns them.
Some are linked to a Chinese cybersecurity firm under U.S. sanctions. And both tech giants are still taking a cut of the profits.
That's the big takeaway from a new spot check by the Tech Transparency Project (TTP), which followed up on its earlier report from April. Despite some removals, dozens of questionable VPNs are still quietly collecting user data and subscription revenue.
All while promising privacy.
At first glance, these apps look harmless. They're marketed as free tools to help you stay anonymous online.
Dig a little deeper and the picture shifts.
TTP found that many of these apps are actually owned by Chinese firms. One of them is Qihoo 360, a cybersecurity company sanctioned by the U.S. government for its ties to the People's Liberation Army.
Apps like Turbo VPN and VPN Proxy Master are still available on the Apple App Store. Both have links to Qihoo 360. So do several others on the Google Play Store.
In total, TTP identified 13 Chinese-linked VPNs still active on Apple's platform and 11 on Google's.
An example of one of the China-linked VPNs
None of these apps disclose that they're owned by Chinese companies. Some route their corporate structures through Singapore, or use developer names like "Free Connected" or "Innovative Connecting" to avoid scrutiny.
These names often trace back to the same networks. And in China, companies don't have the luxury of saying no when the government asks for user data.
That's the real issue here -- VPNs see everything you do online. If you're using one with undisclosed ties to a foreign government, especially one with sweeping surveillance laws, that's a security risk.
Apple and Google are profiting from them
These apps are popular and making money. Apple and Google are both taking their standard cut.
Apps like X-VPN have earned more than $10 million from U.S. users alone. Turbo VPN and VPN Proxy Master are each estimated to have pulled in over $5 million.
Apple collects up to 30% of in-app revenue. Google takes a similar share, particularly from subscriptions and ads.
That means both companies are financially benefiting from apps that may be exposing users to foreign surveillance. If that sounds like a contradiction to Apple's privacy marketing, or Google's commitments to user safety, that's because it is.
Apple claims that VPN apps in its store aren't allowed to sell or share user data. But enforcement is a black box. Google requires transparency about data practices, but doesn't appear to have any policy specific to VPNs.
Don't assume the App Store is watching out for you
If you're downloading a VPN app, you're doing it because you want privacy. But right now, there's a good chance the app store is offering you something that does the opposite.
VPNs aren't technically banned in China, but they're tightly controlled. The government only allows approved providers that agree to censorship rules, and most foreign VPNs are blocked.
If you try to use one to get around the Great Firewall, you're breaking the law. China has cracked down on VPN developers and pressured companies like Apple to pull hundreds of apps from the local App Store.
It's all part of a larger push to keep a tight grip on what people see and do online. And when Chinese companies list their VPNs in other app markets, such as the United States, that means U.S. citizens aren't safe either.
An example of one of the China-linked VPNs
Some apps try to distance themselves from their Chinese ties. Autumn Breeze Pte. Ltd., for example, says it operates independently from Qihoo 360. TTP found links to a former Qihoo executive still listed as a director.
And once data leaves your device, it's hard to know where it goes -- or who can access it.
People deserve to know who's behind the software they use to shield their most sensitive information. That's especially true when those tools are marketed as secure, private, and anonymous.
Right now, the app stores aren't doing enough. If Apple and Google are serious about privacy, they need to apply the same standards to their own storefronts that they enforce on smaller developers.
Apple's response
Following our publication of this story, Apple repeated previous guidance that they have given.
They told us that the App Store allows developers from any country to distribute apps as long as they follow App Review Guidelines and local laws. It doesn't restrict apps based on the nationality of the developer or where the company is based.
The company said VPN apps are subject to stricter rules. Only registered organizations can publish them, and developers must clearly disclose what data is collected and how it will be used before users engage with the app.
These apps aren't allowed to use or share data for any purpose and must state that in their privacy policy. Apple said it enforces these policies and removes apps that don't comply.
Read on AppleInsider
Comments
And I've said it before and I'll say it again, if I were the US government and wanted to track sketchy people, I'd back a "private" VPN service that looks to be above broad...
I would never do that. The Apple AppStore is watching out for Apple and Apple alone. To make sure that it generates fees/profit/subscriptions, stays legal with local jurisdiction and most importantly avoiding taxes like tRump avoids the truth.
Is the author of the article suggesting that Apple and Google should discriminate against any/all app developers based on their country of origin, or are they suggesting that Apple and Google should do a deep dive background check of every single app developer that submits to their App Store, or are they suggesting that anytime some "random" researcher (or reporter) reports to them, without any real proof, that some app "might" be violating developers guidelines they immediately pull the app and sanction the developer?
Not sure how far anyone should trust a VPN service. From a well-known company who has ethical principles, probably can trust them. At least up until a change in management.