Popular free VPNs and Ad-Blocking software found harvesting user data


You have probably never heard of Sensor Tower. They are the owners of at least 20 different iOS and Android apps that can be downloaded for free onto your devices.

These apps aren’t all listed as being owned by Sensor Tower, but an investigation by Buzzfeed News has revealed the connection and also something all the apps have in common: they have been harvesting user data.

How Sensor Tower steals your data

Of the 20 or more apps that Sensor Tower have owned over the past five years, the four that Buzzfeed have focused on are Free and Unlimited VPN, Luna VPN, Mobile Data, and Adblock Focus. The first two are free VPN apps while the others are either adblock or data management tools.

The majority of Sensor Tower’s other apps are, by their own admission, either now defunct or being ‘sunsetted’. What Sensor Tower isn’t quite so open about is that the reason most are defunct is that they have been removed from various app stores owing to policy violations.

Until recently, all four of their current apps were available in the Google Play store and both Adblock Focus and Luna VPN could be found in Apple’s App Store too.

If you installed one of these apps, you would then have been prompted to install a root certificate. A root certificate is a small file that, once installed and trusted on your device, lets its issuer access all traffic and data passing through it.

This level of access is a huge security risk. Neither Apple nor Google allows apps to gain root certificate privileges for precisely this reason.

Sensor Tower apps get around this by tempting users to download the certificate from an external website. And they do this in a very disingenuous way.

Luna VPN will show users a notification that asks if they would like to block adverts on YouTube and then suggests they download an AdBlock extension.

The danger of using Sensor Tower’s apps

As Armando Orozco, an Android analyst for Malwarebytes, told Buzzfeed News, “Your typical user is going to go through this and think, Oh, I’m blocking ads, and not really be aware of how invasive this could be.”

But it is hugely invasive.

There is evidence that Sensor Tower’s apps hoover up user data which is then used to power the company’s app intelligence platform.

This is a product Sensor Tower sells to developers, venture capitalists, publishers, and others. It allows them to monitor the popularity, usage trends, and revenue streams driven by apps.

It is fairly safe to assume that it does this by monitoring how users of their free apps are using other apps on their phone and then feeding this data into their system.

Sensor Tower, of course, denies that their apps pose this type of security risk. Randy Nelson, the company’s head of mobile insights, told Buzzfeed, “Our apps do not track, request, or store any sensitive user data such as passwords, usernames, etc., from users or other apps on a user’s device, including web browsers.”

It is noticeable that he does not deny that they hoover up user data or app analytics. Given Sensor Tower’s track record, it is also understandable that many people find it hard to take Nelson at his word on other private data. The root certificates they use would certainly give Sensor Tower the power to access this information if they so wished.

Free VPNs are not worth the risk

It is a lesson we have repeated again and again on this site, but the Sensor Tower revelations only serve to reemphasise that free VPNs are just not worth the risk.

It costs money to set up and run a VPN, even a free VPN with limited functionality like the ones run by Sensor Tower.

These companies have other costs too and these have to be covered somehow. If the VPN or other software is being given out for free, they must be making money a different way.

The easiest and most obvious way to cash in on a VPN is by exploiting the data of its users. That data is valuable to advertisers, or it can serve as an ideal source for an analytics platform like the one Sensor Tower offers.

Either way, free VPNs are more than likely to be recording and collecting data from you and then selling this on to third parties. Some VPNs may pose an even greater and more immediate security threat by downloading malware or adware without your knowledge.

If you want to use a VPN that you can trust to be secure, private, and keep no user logs, you need to choose a premium VPN. They do cost a few dollars a month but the level of service they offer is way above that of free VPNs and well worth the outlay.

If you must choose a free VPN, take a glance at our guide to the ones you can trust the most. But if you have downloaded Luna VPN, Free and Unlimited VPN, or any other Sensor Tower apps, the best advice is to remove all trace of them from your device as soon as you can.

Author: David Spencer
