App Stores OK’ed VPNs Run by China PLA
Chinese firm banned by the U.S. is the shady entity behind a clutch of free VPN apps—with over a million downloads.
Apple and Google are under fire for failing to vet the ownership of at least 20 VPN apps. Researchers have fingered Qihoo 360 as the entity behind at least five of them—the company is banned from the U.S. for its links to the Chinese military. The other 15 are also China-owned, but keep it secret behind shell companies.
Apple is getting the worst of the criticism, thanks to its infamous privacy promise. In today’s SB Blogwatch, we don’t think it’s worth the paper it’s printed on.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Doctor Who ’rolls.
Bad Apple
What’s the craic? Michael Acton and Ryan McMorrow report: Apple and Google app stores host VPNs linked to sanctions-hit Chinese group
“Chinese owners”
At least five free virtual private networks (VPNs) available through the US tech groups’ app stores have links to Shanghai-listed Qihoo 360. … Formally known as 360 Security Technology, [it] was hit with sanctions by the US in 2020 for alleged Chinese military links. The US Department of Defense later added Qihoo to a list of Chinese military-affiliated companies.
…
According to a new report by research group Tech Transparency Project, … 20 of the 100 most downloaded VPN apps on Apple’s App Store have [secret] Chinese owners: … “Millions of Americans are inadvertently sending their internet traffic to Chinese companies.” … Apple and Google have policies prohibiting VPN apps from using or collecting user data without their consent.
Why is it so important? Call Chiara Castro: Millions of free VPN users have inadvertently sent their data to China
“Downloaded more than 1 million times”
While the best VPN services boost your online anonymity and security by encrypting your internet traffic and spoofing your IP address, malicious apps pose great risks to your privacy. That’s because providers can potentially read the internet traffic rerouted via their servers.
…
Turbo VPN, VPN Proxy Master, Thunder VPN, Snap VPN, and Signal Secure VPN are the five services linked to Qihoo 360. … It’s estimated that three of these apps alone were downloaded more than 1 million times from the Apple App Store and Google Play Store combined in the past three months. Turbo VPN even obtained Google’s verified badge, a label that helps users easily identify secure and trustworthy services.
Horse’s mouth? Katie Paul and friends: Apple Offers Apps With Ties to Chinese Military
“Apple is not taking adequate steps”
Millions of Americans have downloaded apps that secretly route their internet traffic through Chinese companies, according to [our] investigation, … including several that were recently owned by a sanctioned firm with links to China’s military. … Kids often download free VPNs to play games or access social media during school hours.
…
One Chinese VPN has been advertised on Facebook and Instagram to teens as young as 13, and some have targeted ads at Americans looking to keep using TikTok, another Chinese app threatened with a U.S. ban. … However, lawmakers have not given sustained attention to this wider category of VPN apps that could [be] putting the privacy of American users—and U.S. national security—at risk.
…
The findings raise questions about Apple’s carefully cultivated reputation for protecting user privacy. [Our] investigation suggests that Apple is not taking adequate steps to determine who owns the apps it offers its users and what they do with the data they collect.
Ouch. Is that entirely fair? Blurft thinks it is:
Apple [is] promoting the App Store as a “safe and trusted place.” They say that “a big part of those experiences is ensuring that the apps we offer are held to the highest standards for privacy, security, and content.” They say that there is “Security for every app. At every level.” and that they ensure apps come from “known sources.”
…
Apple simply cannot live up to the standards they are advertising. This marketing creates a false sense of security for users who believe that every app on the App Store is confirmed safe, and that they don’t need to worry about things like this. That is dangerous.
…
How many more examples do we need? … Apple needs to be more transparent about how often things slip through the review process — 35,245 apps were removed for “fraud” in 2023 alone — so that users understand that they still need to exercise careful judgment … before using any given app. Making users aware of the shortcomings of Apple’s review process will be better for user safety, security and privacy than the current approach of leading users to believe that everything is reviewed and confirmed perfectly safe.
Is that enough? farago wants Apple to go even further:
Apple needs to get out of China and show some moral leadership. … The CCP is a heinous regime with whom we should not be engaging. … That this comes as a surprise is just pathetic. Of course the Chinese military is going to do everything it can to spy on the West:
— Chinese hackers stole trillions in intellectual property theft
— Zoom is deeply in bed with the Chinese military
— China’s human rights record is right up there with Hitler’s
But is the Chinese government known to spy on VPNs? pipatron alleges an allegation:
Always been suspicious about VPNs that work. Last time I was in China it struck me that my secure VPN solutions—using my own tunnels and pre-installed keys etc.—never worked well. They are throttled to death after a very quick time.
…
Meanwhile, the VPN solutions my Chinese colleagues use seem to work very well, and it’s an open secret. Everyone uses them. This makes me pretty certain that every VPN solution that works within China works simply because there is a known backdoor.
Where does Apple’s motivation lie? richebourg knows:
Goes to show that Apple saying they vet apps in its store is hogwash. They only care about the 30% fee they take.
Speaking of money, here’s BCGeiger:
If you aren’t paying for a service, you are the product. These were free VPNs. So this isn’t a surprise at all.
Meanwhile, DAalseth sums it all up for us:
They have to pay for the servers and bandwidth somehow. If you aren’t paying for it, then they are selling your data to someone to pay for it.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Alejandro Luengo (via Unsplash; leveled and cropped)