Summary is AI-generated, newsdesk-reviewed
  • Zimperium's research exposes critical vulnerabilities in 800+ mobile VPNs, risking enterprise data.
  • 25% of iOS VPN apps violate Apple privacy rules, leaving user data exposed.
  • VPN apps misuse permissions, enabling surveillance and data theft beyond intended functions.
Related Links

Zimperium, the pioneer in mobile security, releases new research from its zLabs team revealing alarming weaknesses in mobile Virtual Private Network (VPN) applications.

While VPNs are marketed as essential privacy tools, Zimperium’s analysis of 800 free Android and iOS apps shows that many actually put users, and the enterprises they work for at greater risk.

Among the findings:

  • 25% of iOS VPN apps lacked a valid privacy manifest, violating Apple requirements and leaving users in the dark on how their data is used.
  • 6% requested private entitlements, powerful system-level permissions that should never be accessible to third-party apps.
  • Multiple VPNs shipped with outdated OpenSSL code still exposed to the notorious Heartbleed vulnerability, a flaw disclosed more than a decade ago.
  • Many apps engaged in permission abuse, requesting access to microphones, system logs, or always-on location tracking without justification.
  • Some apps were capable of UI screen capture, giving providers or attackers a surveillance vector well beyond their stated function.

Sensitive data collection

These apps promise protection but instead create new pathways for surveillance, data theft, and exploitation,” said Ignacio Montamat, VP of Security Research, Zimperium, adding “For enterprises with BYOD programs, an insecure VPN isn’t just a consumer problem, it’s an organisational threat that can undermine corporate security at its core.”

Zimperium’s findings also reveal widespread discrepancies between VPN developers’ data practices and their declared privacy policies, with many apps failing to disclose sensitive data collection or misrepresenting their use of system APIs. This lack of transparency leaves end users and IT teams unable to make informed decisions about which apps are safe to trust.

Protecting sensitive enterprise data

Zimperium recommends that enterprises and security leaders take a hard look at the mobile apps allowed in BYOD environments.

With VPNs often treated as “trusted” by default, this research highlights the need for stronger vetting and ongoing monitoring. Visibility into hidden risks from outdated libraries and weak encryption to misleading privacy policies and excessive permissions is critical to protecting sensitive enterprise data and ensuring trust in mobile defenses.

Discover how AI, biometrics, and analytics are transforming casino security

Related videos

Insta DomainLink Secret™

Insta DomainLink Secret™
Wan 2.2-S2V demo video: Female singer

Wan 2.2-S2V demo video: Female singer
Dahua MultiVision Online Event - Look Wider, Protect Deeper

Dahua MultiVision Online Event - Look Wider, Protect Deeper

In case you missed it

What are emerging applications for physical security in transportation?
What are emerging applications for physical security in transportation?

Transportation systems need robust physical security to protect human life, to ensure economic stability, and to maintain national security. Because transportation involves moving...

Gallagher & Fortified enhance perimeter security solutions
Gallagher & Fortified enhance perimeter security solutions

Global security manufacturer - Gallagher Security is proud to announce a strategic partnership with Fortified Security, a pioneering perimeter systems integrator with over 30 years...

Genetec: Data sovereignty in physical security
Genetec: Data sovereignty in physical security

Genetec Inc., the global pioneer in enterprise physical security software, highlights why data sovereignty has become a central concern for physical security leaders as more survei...

Featured white papers
Aligning physical and cyber defence for total protection

Aligning physical and cyber defence for total protection

Download
Understanding AI-powered video analytics

Understanding AI-powered video analytics

Download
Enhancing physical access control using a self-service model

Enhancing physical access control using a self-service model

Download
How to implement a physical security strategy with privacy in mind

How to implement a physical security strategy with privacy in mind

Download
Security and surveillance technologies for the casino market

Security and surveillance technologies for the casino market

Download
More corporate news
Permiso expands AI identity security platform

Permiso expands AI identity security platform
Blaize pioneers real-world AI in smart infrastructure

Blaize pioneers real-world AI in smart infrastructure
AI-powered video innovations by Axis Communications

AI-powered video innovations by Axis Communications
Featured products
Dahua Smart Dual Illumination Active Deterrence Network PTZ Camera

Dahua Smart Dual Illumination Active Deterrence Network PTZ Camera
Hikvision DS-K6B630TX: Smart Pro Swing Barrier for Modern Access Control

Hikvision DS-K6B630TX: Smart Pro Swing Barrier for Modern Access Control
Climax Mobile Lite: Advanced Personal Emergency Response System (PERS)

Climax Mobile Lite: Advanced Personal Emergency Response System (PERS)