China and Russia-linked VPNs on iOS and Android investigated

Earlier this year, the Tech Transparency Project published a report stating that more than 20 out of the top 100 free VPNs on US app stores showed evidence of Chinese ownership. None of them clearly disclosed their ties to China.

After TTP published its report, Apple removed some of the allegedly Chinese-owned apps from the App Store, but others remained. Many of the same apps also host Android versions on the Google Play Store.

To further investigate the remaining VPN apps’ ties to China and Russia, Comparitech researchers decompiled the app APKs and checked for network fingerprints.

Although these ties don’t strictly indicate Chinese or Russian ownership, they do raise red flags that should make end users think twice about their privacy when using the apps.

In total, we analyzed 24 VPN apps: 13 on Android and 11 on iOS. They include X-VPN, Ostrich VPN, Pearl VPN, WireVPN, HulaVPN, AppVPN, NowVPN, OVPNSpider, QuarkVPN, VPNify, Signal Secure VPN, Turbo VPN, VPN Proxy Master, VPN Free, Fast VPN Super, and Proxy Master. (Note: the Apple App Store lists two separate VPN apps both titled “WireVPN”.)

  • Six of the VPN apps communicate with Chinese domains owned by Baidu, Com.cn, and/or Libvideo: Signal Secure VPN (Android), Turbo VPN (Android), VPN Proxy Master (Android), Snap VPN (Android), Now VPN (iOS), and Ostrich VPN (iOS).
  • Eight of the Android apps communicate with Russian IPs owned by Yandex, Rustore, MyTarget, Appmetrica, Alibaba, and/or Mail.ru. They include QuarkVPN, VPNify, Signal Secure VPN, Turbo VPN, VPN Proxy Master, Snap VPN, VPN Free, and Proxy Master.
  • All of the iOS apps communicate with Apple.com domains hosted in Russia, but only two communicate with third-party Russian domains.

Some apps (Turbo VPN, VPN Proxy Master) include Chinese or Russian SDKs. Static analysis flagged embedded third-party SDKs, like Baidu Analytics and Location SDKs, based on known package signatures or API calls in the codebase. These are clear indicators that the SDK was intentionally bundled into the app.

Apple doesn’t list any of the VPN apps that, on their Android versions, communicate with third-party Russian domains. Based on this, Apple appears to be more strict about removing Russia-linked VPNs than China-linked ones. However, two iOS VPN apps both made by developer TOPAPPS TECH communicate with a Russian domain hosted by Mail.ru.

What do our findings mean?

When an app communicates with an IP or domain hosted in Mainland China or registered through a Chinese cloud provider (e.g. Baidu, Alibaba Cloud, Tencent Cloud), it doesn’t mean the app is Chinese-owned, but it may be an indicator of potential ties, especially when combined with other signals like the use of Chinese SDKs, publisher metadata, or similar behavior seen across known Chinese-developed apps. The same goes for Russia.

Here’s what these network indicators might suggest:

  • Backend Infrastructure Hosted in China/Russia: The app may route data or logs through servers located in China/Russia, potentially subjecting that data to Chinese laws on interception and retention.
  • Use of Chinese/Russian CDNs or analytics services: For performance or cost, some developers (even outside China) use Chinese-hosted services. But this is relatively uncommon for Western VPN developers due to privacy issues.
  • Control by a China/Russia-based entity: When combined with embedded SDKs, certificate fingerprints, or publishing org info, it may confirm deeper control or development origin.
  • Some of these IPs might be endpoints for VPN servers, but in this analysis, the domains/IPs more commonly relate to telemetry, analytics, or SDK communications — not VPN tunnels.

Again, these network indicators don’t definitively prove where a VPN is from. Conversely, the absence of these network indicators doesn’t negate the possibility that an app has ties to China or Russia.

We did not include apps that pinged Hong Kong IPs — only mainland China.

Many of the apps reach out to Baidu-hosted endpoints. These reflect runtime behavior or known hardcoded endpoints, often extracted from traffic monitoring, manifest entries, or static domain listings.
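The kind of static check described above (known SDK package signatures, plus hardcoded endpoints), sketched as an added example; it is not Comparitech's tooling. The package prefixes, domain suffixes, and sample hostnames are assumptions chosen for illustration, and the sample APK is constructed inline.

```python
import io
import re
import zipfile

# Assumed watchlists for illustration: the article names the vendors,
# not these exact package prefixes or domain suffixes.
SDK_PREFIXES = {
    b"Lcom/baidu/mobstat/": "Baidu Analytics",
    b"Lcom/baidu/location/": "Baidu Location",
    b"Lcom/yandex/metrica/": "AppMetrica",
    b"Lcom/my/target/": "MyTarget",
}
DOMAIN_SUFFIXES = ("baidu.com", "yandex.ru", "mail.ru", "com.cn")
HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def scan_apk(apk_bytes):
    """Return (sdk_labels, hosts) found in the DEX files of an APK."""
    sdks, hosts = set(), set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.endswith(".dex"):
                continue  # resources and the binary manifest need their own parsers
            data = apk.read(name)
            # DEX keeps class descriptors as plain strings: Lcom/vendor/Class;
            sdks.update(label for prefix, label in SDK_PREFIXES.items() if prefix in data)
            for match in HOST_RE.finditer(data):
                host = match.group(1).decode().lower().strip(".")
                # Match on label boundaries so notbaidu.com is not a hit.
                if any(host == s or host.endswith("." + s) for s in DOMAIN_SUFFIXES):
                    hosts.add(host)
    return sorted(sdks), sorted(hosts)


def build_sample_apk():
    """Constructed sample: a zip with fake DEX bytes, not a real app."""
    dex = (b"dex\n035\x00"
           b"\x00Lcom/baidu/mobstat/StatService;\x00"
           b"\x00https://sdk.baidu.com/collect\x00"
           b"\x00https://cdn.example.com.cn/a\x00"
           b"\x00https://api.notbaidu.com/v1\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", dex)
        apk.writestr("assets/readme.txt", b"https://yandex.ru/ is outside any DEX file")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_apk(build_sample_apk()))
```

A hit from a scan like this is a lead for traffic monitoring, not proof that the endpoint is contacted at runtime; obfuscated or dynamically loaded code will not show up in it.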

These domains and trackers are often linked to aggressive telemetry, undisclosed data flows, and ecosystem-level dependency on Chinese and/or Russian infrastructure. Western developers have little desire or need to use them.

Responses from app stores and developers

Comparitech contacted Google, Apple, and each of the app developers for comment. Only Google and the developer of TurboVPN, Innovative Connecting, responded to our request.

“INNOVATIVE CONNECTING PTE. LIMITED is an independently operated company, legally registered in Singapore. We operate under the jurisdiction of Singapore and comply with Singaporean laws,” Turbo VPN’s team told Comparitech. “Protecting user privacy is our highest priority. We strictly comply with our privacy policy and fully adhere to the developer policies and content guidelines of both Google Play and the Apple App Store. We do not record, monitor, or retain any user online activity at any time. We are open to any form of supervision or inquiry. We welcome independent verification of our product. Our engineering team is prepared to provide further technical documentation in a secure environment upon request.”

According to Google, the Play Store complies with applicable sanctions and trade compliance laws. When it finds accounts that violate those laws, it takes action. Deceptive and malicious apps are prohibited, its official policy states.

Why are Chinese and Russian VPNs a problem?

China and Russia both force domestically-owned VPNs to register with the government and adhere to local laws, which may impact user privacy.

The Russian government, through its media regulator Roskomnadzor, demands that VPN providers connect their servers to a state-controlled system designed to enforce internet censorship. China imposes similar restrictions and requires VPNs to register with the government.

For this reason, no Chinese or Russian VPN can offer a trustworthy “no-logs” service, which is the only type of VPN we recommend at Comparitech. Authorities in Russia or China could coerce their domestic VPNs to spy on user data and activity, censor the web, or even spread malware.

Comparitech favors VPNs that are based in countries without mandatory data retention laws and regulations, and we only recommend VPNs that don’t log user activity, IP addresses, and other identifying metadata.

How to find out where your VPN is from

Where a VPN is from is not always as clear cut as one might expect, and not everyone has access to app analysis tools. Here are a few ways to check where your VPN is from:

  • Check the app publisher. On iOS, scroll to the bottom of the App Store page. On Android, check the “Offered by” field on the app’s Play Store page.
  • Check the VPN’s website. Most VPNs will mention what country they’re incorporated in at the bottom of their website or in their terms of service.
  • Run a WHOIS lookup. Enter the VPN’s website URL into any of the many WHOIS search engines to find the website registrant’s country and organization.
  • Check government business databases. In the US, the Small Business Administration, Securities and Exchange Commission, and several states have business entity search engines available. Other countries have similar searchable databases.
  • Check transparency reports. Many VPNs publish audits, no-logs policies, warrant canaries, and other transparency reports that can indicate what country’s jurisdiction they fall under.
  • Support staff usually work remotely and are not a reliable indicator of where a VPN is based.
  • Where is the CEO from? A VPN’s country of incorporation doesn’t practically matter if the CEO and other executives live in countries where authorities could force them to act against the best interests of users.
  • If a VPN isn’t transparent about where it’s from, in our opinion it’s best to assume the worst and refrain from using it.

Note that a VPN’s country of incorporation is only part of the equation. Many VPNs set up shell companies in countries with lax data retention laws so that they can abide by their no-logs policies. But they might not have any staff or infrastructure in that country. Staff members might work from a different country or be spread out remotely between many countries. Furthermore, VPNs must run servers that are hosted by a data center, cloud service provider, or both. That further muddies the waters when determining what jurisdiction applies.