Why not take the additional step to mark VPN apps that don't meet MASA criteria with a big red warning banner that warns users that the app is potentially unsafe?
Google wants to help Android users find more trustworthy VPN apps through better badging alerting to independent audits. The ad impresario and cloud concession has afforded independently audited applications in its Play store a more prominent display of their security bona fides, specifically a banner atop their Google Play …
I note that as of this writing, they don't seem to certify NORTON or DuckDuckGo VPNs.
It may also certify that it does not interfere with Google's tracking.
This may be like the NSA certifying an encryption scheme. (Yes we can break in, but it is too hard for amateurs.)
Google "do evil!"?
"There is no "safe" VPN, unless you run it yourself and then that's subject to a lot of ifs."
This. It's tough to know who to trust when it comes to VPNs. I suppose knowing who not to trust helps to narrow it down a bit.
I see a lot of VPN sponsored YouTube videos, all claiming to be the only thing you'll ever need, but that alone makes me wary of them. One more thing to add to my research list... :/
"This. It's tough to know who to trust when it comes to VPNs."
TorrentFreak does a survey of VPN providers and posts the responses they get back from their questionnaire. Yeah, it's no guarantee, but it does tell you something about the services they provide. The one thing they ask is if the company uses Google Analytics. That, for me, would be an automatic disqualification.
Mullvad. IVPN. Proton*. That's pretty much it.
If it requires any PIA to register/pay, it's out.
If it does any sort of advertising or sponsorship that's also a hard pass.
Basically, run your own (WireGuard + Pi-hole are easy enough to set up) or use one of the above and pay with crypto.
*Proton is trustworthy/secure but requires PIA and has been known to comply with law enforcement. Caveat emptor.
Probably the same applies to any software. Unless you can, and have the ability to, audit the source code and build the application in a known secure environment you are pretty much left to assign some level of trust to any particular application.
Even if you were happy with the source and the build environment there are no guarantees and you haven't yet considered the run time environment. Also with VPN software there is trustworthiness of the peer network to consider and that of any intermediate systems.
About the best I might be able to achieve is when I have UDP connectivity between two systems I control and run WireGuard between those two. Pretty much anything else for me is a compromise. These days I don't think I would bother with anything other than WireGuard-based services - I quite liked OpenVPN but it is a very much larger chunk of code.
As I understand it, both the Tailscale and Cloudflare VPN offerings are WireGuard-based and from my limited experience appear to work reliably (Cloudflare doesn't do ping (ICMP echo request/reply), which is initially a bit confusing).
It comes down to who and what you are defending against. I often use a VPN just to make it that bit harder for advertisers and busybodies in local authority (not necessarily TLAs) to follow me, and also to have a relatively fixed IP address when travelling so I don't get pestered with 2FA and other annoyances to prove who I am every time.
When Google and most people say "VPN" they really mean a bundled service that provides access to <whatever> that needs its own "app" to work.
Which isn't what I - and I would sincerely hope a majority of Regtards - would mean by it.
If I say "VPN" I mean exactly that - a Virtual Private Network over the internet. Where it's the nature of its creating a tunnel that is key. Where to is slightly different.
Case in hand is we run OpenVPN into our office for remote workers.
Yes, and if you dare to turn off automatic updates in order to check whether an update is really a downgrade ("we're putting ads into the paid version of our app", my ass) the Play Store will pester you to no end, with a banner that takes up half of a phone's screen...
All these scam VPN client apps exist because the built-in Android VPN client sucks. What is it even compatible with? I once spent two days trying different servers and never had a stable connection. Not even Google uses it for their VPN product.
I've been using WireGuard on Android and liking it. Not usually for privacy, but for creating a stable virtual network when I'm at a place that is running NAT independently on each one of their WiFi access points.
WireGuard's magic endpoint roaming is really its best killer feature. We use it extensively now, mainly because of that, and the general ease of configuration compared to the horrors of IPsec. But the ecosystem of tools around it is still very immature, which is a shame. We are building our own 'dashboard' to view and manage connected clients across multiple VPNs, but it's not production ready yet...