Millions of Americans have downloaded apps that secretly route their internet traffic through Chinese companies, according to an investigation by the Tech Transparency Project (TTP), including several that were recently owned by a sanctioned firm with links to China’s military.

TTP’s investigation found that one in five of the top 100 free virtual private networks in the U.S. App Store during 2024 were surreptitiously owned by Chinese companies, which are obliged to hand over their users’ browsing data to the Chinese government under the country’s national security laws. Several of the apps traced back to Qihoo 360, a firm declared by the Defense Department to be a “Chinese Military Company." Qihoo did not respond to questions about its app-related holdings.

VPNs allow users to mask the IP address that can identify them, and, in theory, keep their internet browsing private. For that reason, they have been used by people around the world to sidestep government censorship or surveillance, or because they believe it will improve their online security. In the U.S., kids often download free VPNs to play games or access social media during school hours.

However, VPNs can themselves pose serious risks because the companies that provide them can read all the internet traffic routed through them. That risk is compounded in the case of Chinese apps, given China’s strict laws that can force companies in that country to secretly share access to their users’ data with the government.

It would be hard for U.S. users to avoid the Chinese VPNs. The ownership of many appeared deliberately opaque, with several concealing their structure behind layers of offshore shell companies. TTP was able to determine the Chinese ownership of the 20 VPN apps being offered to Apple’s U.S. users by piecing together corporate documents from around the world. None of those apps clearly disclosed their Chinese ownership.

The VPN apps identified by TTP have been downloaded more than 70 million times from U.S. app stores, according to data from AppMagic, a mobile apps market intelligence firm.

One Chinese VPN has been advertised on Facebook and Instagram to teens as young as 13, and some have targeted ads at Americans looking to keep using TikTok, another Chinese app threatened with a U.S. ban. U.S. lawmakers said they acted on TikTok over concerns it could collect data from its American users on behalf of the Chinese government. However, lawmakers have not given sustained attention to this wider category of VPN apps that could make Americans’ internet traffic available to Chinese authorities.

The findings raise questions about Apple’s carefully cultivated reputation for protecting user privacy. The company has repeatedly sought to fend off antitrust legislation designed to loosen its control of the App Store by arguing such efforts could compromise user privacy and security. But TTP’s investigation suggests that Apple is not taking adequate steps to determine who owns the apps it offers its users and what they do with the data they collect. More than a dozen of the Chinese VPNs were also available in Apple’s App Store in France in late February, showing that the issue extends to other Western markets.

Apple’s guidelines for app developers state that apps offering VPN services “may not sell, use, or disclose to third parties any data for any purpose.” It isn’t clear how Apple reconciles that policy with the presence of Chinese VPN apps in its App Store, given those apps can be required by law to turn over user data to Chinese authorities.

Apple and most of the app developers mentioned in this report did not respond to requests for comment. Emails sent to two of the apps, Thunder VPN and Snap VPN, bounced back as undeliverable, and another app, Speedy Quark VPN, provided an online contact form which was not functional.

China has enacted a series of national security laws over the last decade outlining its access to data held by Chinese companies. Chief among these is the country’s National Intelligence Law of 2017, which requires that China-based organizations and individuals cooperate with state intelligence work. According to guidance from the U.S. Department of Homeland Security, in practice, this means that Chinese intelligence agencies may demand access to data of U.S. individuals and businesses held by Chinese entities and even compel the creation of backdoors in equipment and software.

The guidance also specifically references apps, stating, “Data collected through software and mobile applications owned or operated by PRC firms is also accessible to the PRC government through its legal system.”

Citing the risks of China collecting data on U.S. users, Congress last year passed legislation forcing a sale or ban of TikTok, though President Trump has temporarily suspended enforcement of the law to give more time to find a potential buyer, and Apple and Google have restored TikTok to their app stores after briefly removing them.

In addition to the TikTok ban, the U.S. in 2020 forced Chinese gaming company Beijing Kunlun Tech to sell off U.S.-based Grindr, the LGBTQ dating app, amid concerns that the user data collected by the app, including HIV status, could be leveraged to blackmail American officials or military personnel.

The U.S. has also banned approvals of new telecommunications equipment from Huawei and other Chinese companies and authorized funds to help small and rural U.S. phone networks remove and replace Chinese-made telecom gear, which U.S. officials say provides an opportunity for spying on Americans.

A handful of U.S. lawmakers—including Sens. Mark Warner (D-VA), Ron Wyden (D-OR), and Marco Rubio (R-FL), who is now secretary of state—have raised alarm in recent years that foreign VPN apps, particularly those controlled by China or Russia, could be used to surveil U.S. government employees and spy on Americans. But the issue has not yet attracted major public attention or broader interest in Congress.

To test the availability of Chinese VPN apps in the Apple App Store, TTP started with a list of the top 100 most downloaded free VPN apps for iPhone and iPad in 2024 in the U.S., as ranked by AppMagic, a mobile apps market service. AppMagic estimates download data and app revenue based on public databases and information submitted by app developers who use its platform. (Apple does not provide exact download statistics for the App Store.)

App pages in the Apple App Store are required to provide the name of the developer and a link to the app’s privacy policy. For each of the free VPN apps in the dataset, TTP sought to identify the app developer’s location via information on the App Store page, the app’s privacy policy page, and any other external websites associated with the app. The research at times involved tracking ownership via layers of shell companies. If the app’s developer was based in Singapore, the Cayman Islands, Hong Kong, or mainland China, TTP examined corporate records where available.

Ultimately, TTP determined that 20 of the top 100 free VPN apps in the App Store were owned by companies or individuals based in mainland China or Hong Kong but did not clearly disclose their China ties. (Companies registered in Hong Kong are subject to that region’s own, separate national security laws, though most of the Hong Kong companies identified by TTP appeared to be shell companies operated by owners in mainland China.)

TTP excluded apps from its count that clearly labelled themselves as Chinese in the App Store, making their China connection clear to users.

TTP started with an app called Turbo VPN, which ranked 13th in the top 100 free VPN offerings in the Apple App Store last year. The app’s developer is listed as Innovative Connecting Pte. Ltd. (This company is also the developer of a free VPN app called Signal Secure VPN that is not in the top 100.)

Innovative Connecting Pte. Ltd is registered in Singapore, and corporate records there indicate its sole shareholder is an entity called Lemon Seed Technology Ltd. in the Cayman Islands.

A major Chinese cybersecurity company called 360 Security Technology, also known as Qihoo 360, stated in a 2019 annual report filed with the Shanghai Stock Exchange that it acquired Lemon Seed and two other companies for “US$69.4 million and an intangible asset.” The other companies were Lemon Clove Pte. Ltd. and Autumn Breeze Pte. Ltd.

This shows Qihoo 360 acquired the owner of Innovative Connecting, the developer of VPN apps in the Apple App Store. The U.S. Commerce Department sanctioned Qihoo 360 on national security grounds in June 2020, citing the “significant risk” that it takes part in the “procurement of commodities and technologies for military end-use in China.”

The company was put on the Commerce Department’s Entity List, which restricts its ability to receive U.S. exports without a license due to national security concerns. According to a 2015 article in the state-run China Daily, Qihoo 360’s customers have included China’s People’s Liberation Army and at least eight Chinese government ministries. It has been designated by the U.S. Department of Defense as a “Chinese military company” operating in the U.S.

Innovative Connecting—the app company that came under the control of Qihoo—is behind multiple VPNs through a network of interlocking companies, according to a previous report by industry research firm VPNpro.

Its companies developed two other VPNs in the top 100 free downloaded list last year—VPN Proxy Master (ranked 12th) and Thunder VPN (ranked 60th), as well as an unranked app, Snap VPN.

Qihoo 360 did not respond to questions about the current status of its app holdings, but TTP found evidence that suggests the company remains connected to the apps.

In its 2020 annual report, Qihoo 360 said it sold something called “Project L,” which appears to be the app-related companies Lemon Seed, Lemon Clove, and Autumn Breeze, to unnamed “external parties.” (Qihoo 360 does not describe Project L, but key pieces of information it does disclose about the project, including how much it cost to acquire and when it was originally acquired, match the information Qihoo provided for the three app-related companies.) The sale occurred in September 2020, according to Qihoo 360, a few months after the U.S. Commerce Department sanctioned the company as a national security threat.

However, corporate registration documents for Lemon Seed in the Cayman Islands as well as Lemon Clove, Autumn Breeze, and Innovative Connecting in Singapore suggest an ongoing connection with Qihoo 360. The most recent corporate filings for Lemon Seed, Lemon Clove, Autumn Breeze, and Innovative Connecting, from March 2025, all list one director, Chen Ningyi. (Three of the filings identify this person as a Chinese national.) The name Chen Ningyi is on a Qihoo patent from 2017. The Chinese version of this patent gives Chen’s name in Chinese characters, which matches an individual who was described in 2020 by China Daily, the mouthpiece of the Chinese Communist Party, as a general manager of 360 Mobile Guard, Qihoo 360’s mobile phone security app.

This same Chen Ningyi was also named a board member and legal representative of a Qihoo subsidiary when it was sold to another Chinese tech firm in March 2023. (See additional research details at the bottom of the report.)

Qihoo 360 may have entered the app business through a little-known Chinese company called Guangzhou Quanyong Information Technology Co., Ltd., TTP's investigation found.

Guangzhou Quanyong developed apps for Apple’s iOS and Android, and corporate records show it created several apps in the Innovative Connecting network. According an undated profile in PitchBook, which collects market data on mergers and acquisitions, Qihoo 360 acquired “SpringTech,” which appears to be the English name for Guangzhou Quanyong. (The “quan” in Quanyong means “spring.”) Guangzhou Quanyong officially dissolved in 2022, but shared the same address as the Qihoo subsidiary described above.

TurboVPN, the first VPN mentioned in this section, has been advertising itself on Facebook and Instagram this year. One of its ad campaigns, which ran in January and February, targeted Spanish-speaking users in the U.S., saying Turbo VPN can help with the threatened U.S. TikTok ban.

A number of the VPN apps in the Apple App Store traced back to Hong Kong companies, which were ultimately owned by individuals or companies in mainland China.

While Hong Kong may conjure up a benign image in the minds of some Americans, owing to its long history of relative autonomy from China, the region since 2020 has experienced a sharp crackdown on pro-democracy activists and opposition leaders orchestrated by the central government in Beijing. New Hong Kong national security laws have been used to justify this crackdown, including a controversial ordinance introduced in March 2024. Last year, the U.S. government issued a warning to American businesses operating in Hong Kong that they face risks of warrantless surveillance and forced surrender of data to authorities due to the region’s national security laws.

One of the apps examined by TTP, X-VPN, was the 4th most popular free VPN app in the U.S. for iPhone and iPad in 2024. The app’s page in the Apple App Store gives its developer as Free Connected Limited, a generic-sounding company with no obvious connection to China. However, the app’s privacy policy, which users must click to view outside the App Store, shows that Free Connected is based in Hong Kong.

TTP found Free Connected Limited listed in the Hong Kong government’s corporate registry and examined the company’s most recent annual filings. These filings indicate the company is actually owned by a Chinese tech firm, Chengdu Zhuozhuo Technology Co., Ltd. Chengdu Zhuozhuo’s website says the company is focused on “internet transmission and network resources integration.”

Free Connected Limited has run multiple ads for X-VPN on Google, with one ad from February promoting it to Americans as a way to get around the TikTok ban. “Best Free VPN for TikTok Ban,” the ad states, adding, “Use TikTok Anytime in US with X-VPN.”

Another app called VPNIFY, which ranked 25th among top free VPN apps, gives its developer as Neonetworks solution ltd. Again, this is not a name that gives any indication of a China connection. But at the bottom of Neonetworks’ externally linked privacy policy page, it gives a Hong Kong address.

Neonetworks’ 2024 incorporation form in Hong Kong shows that its sole shareholder is a Chinese citizen and resident of mainland China.

An app called VPN Bucks also had a Hong Kong connection. The app, ranked 22nd, gave its developer as Free Apps Limited, a company registered in Hong Kong that was dissolved in 2021. The company’s last annual report in Hong Kong showed that its sole shareholder was a Chinese citizen with an address in Guangzhou, southern China. VPN Bucks’ App Store page still listed Free Apps Limited as its developer in 2024 when TTP conducted its initial research; the app has since been removed from the App Store.

TTP also found that VPN Bucks’ privacy policy contained identical passages to that of VPN Proxy Master, an app described earlier in this report that is part of the Innovative Connecting network. The VPN Bucks’ privacy policy even retained a reference to “Innovative” in its text, in a line that began, “Innovative's registered place of business is in Singapore.” (TTP found no additional evidence connecting VPN Bucks to Innovative Connecting, and it is possible the developers of VPN Bucks simply copied the privacy policy of an Innovative Connecting app.)

It was a similar story with LinkWorldVPN, another app that fell just outside the top-100 ranking. TTP determined that its developer, MUSKETEER NETWORK TECHNOLOGY LIMITED, is a Hong Kong company. Corporate records there show the company’s sole officer/shareholder is a Chinese citizen with an address in mainland China.

LinkWorldVPN has disappeared from the Apple App Store since TTP conducted its initial research. But TTP found that the app ran a months-long ad campaign on Facebook and Instagram last year in both the U.S. and Europe.

Because Meta’s Ad Library preserves data about ads that run in the European Union in keeping with EU law, we can see that the LinkWorldVPN ads targeted users as young as 13.

Some of the apps identified by TTP appeared to be linked to companies outside China but ultimately showed evidence of Chinese ownership.

For example, one app examined by TTP, WireVPN - Fast VPN & Proxy (ranked 23rd), gives its developer as WEILAI NETWORK TECHNOLOGY CO., LIMITED.

TTP found an exact match for a UK-based company with this name, with an address in Warwickshire, England. However, the company’s sole director is a Chinese national who resides in China. According to UK corporate records, this Chinese national exercises “significant control” over the company, owning 75% or more of shares and voting rights.

As with previous examples in this report, this entity appears to be a shell company: Its most recent annual accounts filing in the UK indicates it had just £100 in assets and that it was dormant, meaning it had not recorded any business activity or income that year.

The app’s privacy policy includes language that appears to be lifted directly from Chinese government regulations prohibiting “harmful information” that hurts China’s national honor or attacks the Chinese Communist Party.

A similarly named app called Wirevpn – Secure & Fast VPN (ranked 68th) lists its developer as freevpn Ltd. That company is registered in Belize, but it has a privacy policy that is identical to the other WireVPN app mentioned above.

Two other apps, VPN Proxy OvpnSpider (ranked 36th) and Best VPN Proxy AppVPN (ranked 82nd), list their developer as WCOMES TECHNOLOGIES CO., LIMITED. TTP found corporate filings that indicate this is a Hong Kong company. According to its most recent annual return filed in Hong Kong, the company has two shareholders who are residents of mainland China, and at least one of them is a Chinese citizen.

According to independent researchers who looked at this company previously, it has a development team in Minsk, Belarus—which, like China, is an authoritarian country known for cracking down on dissent. Job listings on the WCOMES website note the company’s office location in Minsk.

TTP’s findings show that a significant number VPN apps in Apple’s App Store trace back to China, a fact that may be putting the privacy of American users, and U.S national security, at risk. Americans may be downloading these apps and using them to browse the internet without any knowledge that their data may be subject to China’s national security laws and accessible by the Chinese government. For Apple, a company that markets itself as a champion of user privacy and security, this is a glaring security oversight.

Additional research on Chen Ningyi, the Qihoo 360 subsidiary, and the app developer company Guangzhou Quanyong:

• According to a Chinese corporate data aggregator, in December 2019—the same month Qihoo 360 purchased the app-related companies Lemon Seed, Lemon Clove, and Autumn Breeze—Qihoo 360 set up a subsidiary in China called Guangzhou Qihoo Technology Co., Ltd.
• In April 2020, this Qihoo 360 subsidiary changed it address to the same one listed for the app developer company Guangzhou Quanyong (aka SpringTech). The subsidiary then changed its name in January 2021 to Guangzhou Lianchuang Technology Co., Ltd.
• Qihoo 360 sold the subsidiary in March 2023 to a small tech firm called Beijing Liefeng Technology Co., Ltd. At that time, Chen Ningyi was added to the subsidiary’s board of directors and made its legal representative. He stayed in those positions for a year before being replaced by the owner of Beijing Liefeng.
• As noted previously, a person named Chen Ningyi worked for Qihoo 360. The above sequence of events, with Chen Ningyi holding a key position at Beijing Liefeng for a year, raises questions about whether Qihoo 360 exercises some control or influence over the smaller tech firm. Qihoo 360 and Beijing Liefeng did not respond to questions about the relationship between the two companies.
• The subsidiary, Guangzhou Lianchuang, still appears to be active. On one Chinese job website, it describes itself as a company “focusing on the research and development and promotion of mobile Internet apps in overseas markets,” with offices in Singapore, Guangzhou, and Beijing.   

Additional research connecting Guangzhou Quanyong Information Technology Co., Ltd. with the Innovative Connecting family of apps:

• Chinese copyright data maintained by a Chinese corporate data aggregator indicates that Guangzhou Quanyong developed Snap VPN, which has been identified as part of the Innovative Connecting family of apps. The company also developed an app called Muslim Prayer, which is not available in the U.S. Apple App Store but is advertised on the website for ALL Connected, one of the Innovative Connecting entities.
• Data catalogued by a Chinese corporate record aggregator shows that Guangzhou Quanyong listed the email address coco@allconnected.co in its 2015 annual report, using the same domain as ALL Connected’s website. The following year, Guangzhou Quanyong listed the email coco@acnet.co, using a domain that is registered to Innovative Connecting in Singapore.

Additional research showing that “SpringTech” is the English name for Guangzhou Quanyong Information Technology Co., Ltd.:

• The PitchBook profile showing Qihoo acquired “SpringTech” gave an office address for SpringTech that matched the address for Guangzhou Quanyong in Chinese corporate records. (The profile also listed SpringTech’s website as acnet.co, a domain registered to Innovative Connecting in Singapore.)
• A profile of Guangzhou Quanyong on Job5156.com, a Chinese job recruitment website, gave “SpringTech” as its English name.
• A page for “Spring Tech” on the app analytics site Sensor Tower gave the company’s Chinese name as Guangzhou Quanyong.
• Innovative Connecting is listed as the owner of springtech.info on a list of web publishers maintained by the digital ad platform Liftoff.

Following are the remainder of the 20 apps not named in the body of the report. The lifetime U.S. downloads are from AppMagic:

#5, Ostrich VPN

• Listed developer: GeWare Technology Limited
• Lifetime U.S. downloads according to AppMagic: >5,000,000
• According to Hong Kong records, GeWare Technology Limited is a dissolved company whose sole shareholder was a Chinese citizen with a mainland China address.
• The Ostrich VPN website now gives the company name as Geware Mobile Limited. That is a Hong Kong company owned by a Chinese citizen who lists a Hong Kong address, according to corporate records. (The address, written in Chinese, matches that of a Hong Kong office building, which does not appear to have any residential component, according to its website.)

#38, HulaVPN

• Listed developer: Hula Link Technology Co., Ltd.
• Lifetime U.S. downloads according to AppMagic: >1,000,000
• The app is available both on the Apple App Store and Google Play store, but no information about the company is given on either page.
• TTP identified nothing with the name “Hula Link Technology” in searches of various global corporate records databases.
• However, the HTML code on the app’s Google Play page gives the developer’s name, in Chinese, as Guangzhou Hula Network Technology Co. Ltd. and gives an address for the company in Guangzhou, China.

#43, VPN Ⓟ (removed from App Store)

• This app was taken down at some point in 2024 before the URL was archived. Information on the app is still available on AppMagic.
• Lifetime U.S. downloads according to AppMagic: >200,000
• TTP was unable to find information on Top Free App, the developer of VPN Ⓟ, in any corporate records database. The app used a logo that matches that of the VPN Bucks app described earlier in this report. AppMagic’s description of VPN Ⓟ, pulled from the app’s now-defunct App Store page, indicates it was formerly called VPN Bucks Lite and had a privacy policy and terms of service for “VPN Bucks.”
• As noted previously, VPN Bucks traces back to a now-dissolved Hong Kong-registered company that was owned by a Chinese citizen with an address in southern China.

#48, Best V2ray (removed from App Store)

• Listed developer: Swan Technology Co., Ltd
• Lifetime U.S. downloads according to AppMagic: >500,000
• The privacy policy of this VPN lists its contact information as Swan Technology Ltd. in Shenzhen Futian, with an email address ending in qq.com.
• The qq.com email address is Chinese and “Shenzhen Futian” is an apparent reference to Futian, a district of Shenzhen, Guangdong province.
• TTP was unable to find an exact match for this company registered in Shenzhen. Its English name is likely unofficial.

#51, Alphaoo Net (removed from the App Store)

• Listed developer: QUICK STONE NETWORK TECHNOLOGY LIMITED
• Lifetime U.S. downloads according to AppMagic: >200,000
• Quick Stone is a company registered in Hong Kong.
• Hong Kong corporate records indicate its sole shareholder is a Chinese citizen with a Hong Kong address.

#78, SwiftLink VPN (removed from App Store)

• Listed developer: JOYFUL DOG (HK) CO., LIMITED
• Lifetime U.S. downloads according to AppMagic: >200,000
• This app was taken down at some point in early January 2025, before the URL was archived. Information on the app is still available on AppMagic.
• Hong Kong corporate records show the sole officer/shareholder of Joyful Dog is a Chinese citizen with an address in mainland China.

#84, Speedy Quark VPN

• Listed developer: Hefei Single Machine Placement Technology Co., Ltd.
• Lifetime U.S. downloads according to AppMagic: >2,000,000
• Hefei Single Machine is a subsidiary of Anhui Letang Holding Group Co., Ltd., a privately held company based in Anhui province, China, according to Chinese corporate record data aggregator Qichacha.
• The app's terms of service linked from the App Store page give the jurisdiction as the People's Republic of China.

#86, Now VPN

• Listed developer: World Creation Technology Limited
• Lifetime U.S. downloads according to AppMagic: >200,000
• Hong Kong corporate records show that World Creation’s sole shareholder and officer is a Chinese citizen, who lists an address identical to that of the company's Hong Kong registered agent (indicating they likely do not live at that address).
• An archived version of the App Store page shows it previously listed its developer as CTECH GLOBAL PTE LTD, which is a Singapore company with two shareholders, one Canadian and one Chinese.
• The Chinese CTECH shareholder, Zhao Faming, was described as the company’s founder in an article on the Hong Kong Trade Development Council website. The article also stated that CTECH had a branch in Guangzhou, China.
• TTP found no information on the relationship between CTECH and World Creation.

#87, Incognito Net (removed from App Store)

• Listed developer: Meteor Network Technology Limited
• Lifetime U.S. downloads according to AppMagic: >200,000
• This app was taken down before TTP began its investigation, but relevant information is available on AppMagic.
• Hong Kong corporate records that show the sole officer/shareholder of Meteor Network Technology is a Chinese citizen with an address in mainland China.

#100, Pearl VPN

• Listed developer: Xian YuanChuangYouPin Network Tech Limited
• Lifetime U.S. downloads according to AppMagic: >500,000
• According to Chinese corporate data aggregator Qichacha, this is a company in Xi'an, China. There is very little publicly available information about it.