A Free Product Funded By Something Else
Researchers ran 281 of the most-installed free VPN apps on the Google Play Store through a testing pipeline built to check the one function a VPN is bought for: keeping traffic private and encrypted. A meaningful share of the sample failed at that basic function — the original report, as covered by The Hacker News, does not disclose the exact count or breakdown by flaw type. Traffic leaks, unencrypted data in transit, and embedded tracking code turned up across multiple apps in the set. Free VPN apps monetizing through tracking at the expense of privacy is a well-documented pattern in security research going back a decade, but the scale of the install base involved gives the latest data point weight.
Unaccountable Surface Area at Scale
The VPN finding illustrates a broader pattern that extends beyond mobile: when free software layers sit between users and their data, the maintenance economics of that layer determine its real security posture. A free VPN app monetized through embedded trackers has an explicit conflict of interest with its stated function. Web infrastructure carries a different version of the same structural pressure — not monetization-driven privacy trade-offs, but unreviewed surface area that compounds when free extensions ship without an accountable maintenance model.
WebPulse's own framework data shows that the platforms with the largest third-party plugin ecosystems also carry the largest cumulative vulnerability counts. WordPress's ecosystem-wide CVE total stands at 18,005, the majority attributable to plugins rather than core. That accumulation is driven by code volume, age, and the sheer number of independent maintainers operating on different schedules — a different mechanism than VPN tracker injection, but producing the same outcome: risk that scales with the size of the unaudited layer.
Who Actually Signs Off On the Bill
For a budget-signer, the useful takeaway from a 281-app study isn't a shortlist of apps to uninstall — it's the pattern sitting underneath it. Any free layer positioned between a user and their data, whether a mobile proxy client or a website's plugin stack, invites the same procurement question, asked before adoption rather than after a headline: who is paid to maintain this component, and what does that maintenance economics actually incentivize them to prioritize?
A test of 281 apps on one platform, at one point in time, is one dataset — it does not establish that free software is categorically riskier than paid software, and it shouldn't be read that way. What it does establish is that popularity and price are not security signals on their own. Measurement has to happen at the level of what a product actually does with the data passing through it.


