www.securitymagazine.com/articles/101728-millions-of-android-iphone-users-could-be-sending-data-to-china
Millions of Android, iPhone Users Could Be Sending Data to China

June 30, 2025

According to the Tech Transparency Project (TTP), Apple and Google app stores are offering private browsing apps owned by Chinese companies. TTP identified these apps more than six weeks ago in a report, but it appears that no action has been taken in response. 

TTP suggests that Apple and Google may be profiting off of these apps, risking Americans’ privacy and national security. 

The apps in question are virtual private networks (VPNs). Chinese-owned VPNs could be a privacy and security concern for American citizens, as Chinese companies could be obligated to share sensitive data with the Chinese government.

The report found that out of the top 100 free VPNs in the United States Apple App Store in 2024, 20 of them showed signs of Chinese ownership.

Below, security leaders share their thoughts on this report. 

Security Leaders Weigh In

James Maude, Field CTO at BeyondTrust:

These threats are not entirely new. Free mobile apps have a history of embedding code that connects the user’s device to a proxy network to generate revenue by selling off a small amount of the user's bandwidth. This allows a developer to generate revenue in the app without charging the user or relying on ad revenue. The flip side to this is what these device proxies are then used for, as they provide a network of residential IP exit nodes that can be used in web scraping, credential stuffing and identity theft by criminal organizations. They effectively provide a route for a threat actor with access to compromised credentials to evade geolocation blocks (only allow logins from U.S.) by allowing them to log in from a residential IP, perhaps in the same city and using the same ISP as the victim.

In an age where identity is the new perimeter, these free VPN services may not only process sensitive browsing data through foreign servers, they can also create large peer-to-peer networks of proxy exit nodes which can potentially be misused to both target and surveil identities. They can also provide a mechanism to exploit them using a vast network of exit nodes near their target.

Example of my previous 2019 research on the true cost of free VPNs

Randolph Barr, Chief Information Security Officer at Cequence Security:

If Apple and Google are unwilling or unable to enhance their oversight, it’s likely this will accelerate demand for more advanced, enterprise-controlled security solutions, particularly in environments where sensitive data is accessed through mobile devices. Mobile Device Management (MDM) and Bring Your Own Device (BYOD) programs will increasingly need to integrate AI-driven app vetting and behavioral analysis into their security stack.

While MDM and BYOD controls are not a silver bullet, incorporating AI into these solutions can strengthen a layered security approach, raising the bar for attackers and reducing organizational risk, even when app stores fall short. For CISOs, this situation underscores a broader reality: security leaders must build resilience while enabling innovation. They need to communicate the value of controls like AI-enhanced MDM not just as risk mitigation, but as enablers of secure digital agility. If Apple and Google won’t prioritize user protection through better enforcement, enterprises will have to fill that gap themselves with smarter, adaptive tools that protect both data and business continuity.

Mr. Vijay Dilwale, Principal Security Consultant at Black Duck:

Chinese law requires collaboration with state intelligence efforts by businesses. This is not optional, but legislation. As a result, all information traveling through these apps could possibly be available for the Chinese government to access.

What is worrying is that the majority of these apps continue to sit in top app stores without complete transparency about their ownership. In some cases, even Apple and Google could also be profiting from them. This is not merely a consumer protection issue. It is a national security issue. Platforms should do more to demand open ownership, apply stricter vetting for risky applications like VPNs, and reassess how they make money off of tools that carry this kind of risk.

Chad Cragle, Chief Information Security Officer at Deepwatch:

It’s time for the platforms to take responsibility and set the example. You can’t claim to prioritize privacy if you're letting other parties control the playbook. If they don't properly scrutinize these apps, they’re not just passively allowing it—they’re helping to create the problem. And let's be honest, this isn't just about privacy; it’s about national security, too.
