The short version

Are VPN apps safe? New research says: often not. Researchers at the University of Michigan tested 281 popular Android VPN apps and found most fall short of what they promise. 29 leaked DNS or browser traffic outright. 76 sent device identifiers to third parties — enabling the exact tracking a VPN is meant to prevent. And of the apps whose configurations could be inspected, 107 out of 108 misused or ignored recommended encryption standards. The takeaway isn’t “avoid free VPNs.” It’s that the app you install matters less than the provider you trust — and one audited VPN running on your router beats a pile of unvetted apps.

There’s an uncomfortable premise underneath every VPN: to protect your traffic, you have to hand all of it over. You’re not eliminating the party that can see what you do online — you’re choosing them. New peer-reviewed research suggests a lot of people have been choosing badly, and not just among the obviously sketchy apps.

Key takeaways

  • University of Michigan researchers built an auditing tool called MVPNalyzer and tested 281 popular Android VPN apps. The work was presented at the NDSS 2026 security symposium.
  • 29 apps leaked DNS and browser traffic — defeating the core purpose of a VPN.
  • 61 apps transmitted data, including config files and geolocation, unencrypted or outside the VPN tunnel.
  • 76 apps sent device identifiers such as the Advertising ID to third parties, enabling persistent fingerprinting.
  • Of 108 apps with inspectable configs, 107 misused or ignored recommended VPN encryption standards. Over 60% failed basic security hardening.
  • The fix isn’t a better app — it’s fewer trust decisions: one audited VPN at the router, covering every device.

What did the University of Michigan VPN study find?

A team at University of Michigan Engineering, led by associate professor Roya Ensafi, built an automated testing framework called MVPNalyzer to inspect what Android VPN apps actually do — not what their marketing claims. They ran 281 popular apps through it and presented the results at the Network and Distributed System Security (NDSS) Symposium in 2026.

Most prior VPN testing had focused on desktop apps and one-off case studies, leaving the mobile ecosystem largely unexamined. This was the first look at scale — and the failures weren’t edge cases. They were the norm.

Finding Scale Why it matters
Leaked DNS & browser traffic 29 apps Your ISP or a snoop can still see the sites you visit. The VPN is doing nothing.
Data sent outside the tunnel 61 apps Config files and geolocation exposed to surveillance, attacks and hijacking.
Device IDs sent to third parties 76 apps Enables persistent tracking and fingerprinting — the opposite of anonymity.
Misused encryption standards 107 of 108 Weak or outdated settings, missing authentication — protection in name only.
Failed basic security hardening Over 60% The app itself becomes an attack surface on your phone.

Source: MVPNalyzer, University of Michigan Engineering, presented at NDSS 2026. Testing covered 281 popular Android VPN apps.

The worst finding: VPN apps that helped track you

Of everything in the study, one result stands out: 76 apps sent device-specific identifiers — including the Advertising ID — to third parties.

Sit with that for a second. You install a VPN specifically to stop advertisers from building a profile of you. Meanwhile, the app is handing those advertisers a stable ID that follows you across sessions, regardless of what your IP address says. It doesn’t matter that your traffic looks like it’s coming from Amsterdam if the app itself is telling the ad network exactly which device you are. That’s not a bug in the privacy promise — it’s an inversion of it.

What is a DNS leak?

Every time you visit a site, your device asks a DNS server to look up its address. If a VPN is working correctly, that lookup travels through the encrypted tunnel. When it leaks, the request goes out in the open instead — so your ISP (or anyone watching) sees a list of every site you visited, even though your VPN says “connected.” It’s the single most common way a VPN silently fails.

A leaky VPN app vs. a router-level VPN A leaky VPN app lets DNS requests and device identifiers escape outside the encrypted tunnel, while a router-level VPN routes every device through one audited provider with no app to leak. What the study found — and what fixes it

LEAKY VPN APP Your phone “Encrypted” tunnel DNS leaks · data outside the tunnel Advertising ID sent to third parties

ROUTER-LEVEL VPN Every device VPN Router One audited provider No app to leak. One trust decision.

The failure mode is the app. Move the VPN to the router and it disappears.

Are VPN apps safe if I pay for one?

No — and that’s what makes this study different. We’ve written before about the dangers of free VPNs, where hidden ownership and outright data harvesting are the concern. This research points at something broader: the mobile VPN app category has systemic quality problems. The researchers tested popular apps generally, and found that failures like misconfigured encryption and traffic leaking outside the tunnel were widespread rather than confined to a disreputable fringe.

As Ensafi put it, the motivation was seeing how many people rely on VPNs for privacy while the apps fail to uphold even basic protections. The point of publishing the tool is to let users, regulators and researchers see what’s actually happening under the hood — and to pressure the industry to do better.

The honest conclusion for a consumer: you cannot audit a VPN app by looking at its app-store listing. Star ratings, download counts, and privacy-policy language told you nothing about which apps in this study leaked. What actually predicts safety is whether a provider has submitted to independent, published audits — and whether you’ve minimized how many of them you have to trust.

How do you protect yourself?

Reduce the number of trust decisions you’re making. Every VPN app on every device is another company you’re betting on. Running a single, reputable, independently audited VPN at the router collapses that down to one — and that one connection then covers everything on your network, including the devices that can’t run a VPN app at all: smart TVs, streaming sticks, and game consoles.

  • Choose a provider with a published independent audit and a clear no-logs policy — not just a marketing claim.
  • Prefer modern protocols like WireGuard and OpenVPN over unknown proprietary ones.
  • Test for DNS leaks after connecting — a VPN that says “connected” isn’t proof it’s working.
  • Move protection to the router so it doesn’t depend on a per-device app behaving honestly.

Start with a provider worth trusting

VPN providers we’ve actually tested on routers

The study’s real lesson is that you can’t judge a VPN from its app-store page. We’ve spent 15+ years configuring and testing VPN services at the router level — NordVPN, ExpressVPN, Surfshark, Proton VPN, CyberGhost, IPVanish, Private Internet Access and more. Each provider page covers protocol support, setup path, and which routers pair well with it.

Browse tested VPN providers →

Once you’ve picked a provider, the hardware is the easy part. FlashRouters ships pre-configured, pre-flashed routers — ASUS models running AsusWRT by default, with AsusWRT-Merlin available on request, plus native OpenWrt options from GL.iNet — so your VPN runs at the network level from the moment you plug it in. Want the simplest path instead? Privacy Hero 2 handles the whole thing through a guided, browser-based setup, covers every device, and is VPN-optional with streaming relocation built in. Take the 60-second router quiz if you’re not sure which fits.

Frequently asked questions

What did the University of Michigan VPN study find?

Researchers tested 281 popular Android VPN apps using a tool called MVPNalyzer and found widespread failures: 29 apps leaked DNS and browser traffic, 61 sent data outside the VPN tunnel, 76 sent device identifiers to third parties, and 107 of 108 inspectable apps misused recommended encryption standards. The work was presented at NDSS 2026.

What is a DNS leak, and why does it matter?

A DNS leak happens when your device’s website lookups travel outside the encrypted VPN tunnel. Your ISP or anyone monitoring the connection can then see every site you visit, even though your VPN app shows as connected. It is the most common way a VPN silently fails to protect you.

Do VPN apps track you?

Some do. The study found 76 of 281 Android VPN apps sent device-specific identifiers, including the Advertising ID, to third parties. That enables persistent tracking and fingerprinting, undermining the anonymity those apps advertise.

Are paid VPNs affected too, or only free ones?

The study examined popular Android VPN apps broadly and found the problems were widespread across the category, not limited to a disreputable fringe. Price is not a reliable indicator of safety. Independent third-party audits and a verifiable no-logs policy are far better signals.

Is a VPN router safer than a VPN app?

A router-level VPN removes the per-device app as a point of failure and protects everything on your network through one provider you have chosen and vetted, including smart TVs and consoles that cannot run VPN apps. You still need to pick a trustworthy provider, but you only have to make that decision once.

Stop guessing which VPN to trust

See the VPN providers we’ve tested at the router level — with setup paths, protocol support, and matching hardware.

Browse tested VPN providers →

Want the simplest setup? See Privacy Hero 2  ·  Not sure? Take the router quiz

100,000+ Routers Shipped  ·  15+ Years of VPN Expertise  ·  Official NordVPN Partner  ·  US-Based Experts