UFO VPN is a popular Hong Kong-based VPN provider which claims to have amassed a 20-million strong user base across the globe.
The website lists specs which are a little better than average in some areas, though not exceptional. UFO’s network is a decent size at 2,000+ servers across 50 countries, plus there’s support for unblocking Netflix, Disney Plus and BBC iPlayer, and a kill switch prevents you sending unprotected traffic if the VPN drops.
At least, this is what the company claims. More on the reality later.
At first glance, app coverage looks good, too, with clients for Windows, Mac, iOS and Android (you can connect up to five of your devices simultaneously).
But there’s a problem, too. Although UFO VPN’s Android page has a ‘Get it on Google Play’ button, clicking this doesn’t open a page at the Play Store. Instead, it simply downloads the app’s raw APK file.
We searched Google Play manually, and found an Android app named UFO VPN. This had a different icon and developer’s name, but its website was almost identical, and linked to the same iOS app as the original UFO VPN.
Why would the old app not be on Google Play, and what might persuade a company to set up a new website and use another developer name? The first UFO VPN website doesn’t say, but we have an idea.
UFO VPN logs exposed
In 2020, Comparitech reported finding a publicly available log containing millions of records on UFO VPN users.
Details included the IP addresses of user devices and VPN servers, connection timestamps, geo-tags, device characteristics, VPN session secrets and tokens, and more.
The databases also reportedly included passwords in plain text, perhaps allowing anyone who found this database to hijack user accounts. UFO VPN denied this, but a researcher claimed to verify the problem by setting a password for their own account, and watching it appear in the database.
UFO VPN’s logging policy claims ‘UFO VPN does not collect, monitor, or log any traffic or use of its Virtual Private Network service, under any circumstances, on any platform.’ Collecting device identifiers, seeing when you connect, your own IP address and the server you’re accessing feels a lot like usage logging to us.
We’re not sure if this story is why UFO VPN’s app isn’t available on Google Play, or why there’s a new UFO VPN on a separate website, and the company isn’t saying. As we write, its last Facebook post is dated January 2021, its blog and Twitter accounts haven’t seen any activity since 2020, and we didn’t see anything addressing the problem.
Whatever the reasons, the original UFO isn’t on Google Play right now, and you must manually install the app to use it on Android.
UFO VPN pricing
UFO VPN’s monthly billing is $11.99, a little more than most. Unusually, you can sign up for a one-off week, although as that’s still $7.99, we wouldn’t recommend it. The annual plan is a better deal at an effective $4.17.
The two-year plan wins out, though, at only $2.91 a month. That’s way below most of the competition, although there are a handful of cheaper deals around. Ivacy asks only $2.45 a month for its two-year contract, for instance (and throws in 2TB of cloud storage for free), while Private Internet Access has a three-year plan at just $2.19 a month.
Although the website mentions PayPal support in a couple of places, it wasn’t available during the review. Payments are taken by card and Bitcoin (via Coinspayments) only.
The site claims there’s a 30-day money-back guarantee. Sounds good, but we checked the small print, and there it mentions a 7-day refund period only.
Accounts are set up to automatically renew, but this can be handled via UFO’s payment provider, FasterPay. We received an email immediately after signing up with a cancellation link, and used this later to close our account in a couple of clicks.
UFO VPN also has a limited free version, apparently, with slower servers and fewer locations. This didn’t install for us, but maybe you’ll have better luck. Follow the Android Basic download link on the site, but remember, it’s not available on Google Play: you must install the APK file manually.
(As we mentioned earlier, the second UFO VPN website does have links to an app on Google Play. It’s unclear how the two sites are connected, though, and we’d recommend you do not install it.)
UFO VPN’s data breach makes it difficult to take the company seriously on privacy.
Even if we ignored the issue of breaking its own logging policy, did UFO VPN really store user passwords in plain text, as reported? If so, that only leaves us wondering what other gaping security holes there might be elsewhere.
We figured we’d give the company a chance, though (hey, it’s our job), and browsed the rest of the website. The Features menu includes a Protocols page, which sounded interesting. Maybe this would have reassuring explanations of all the leading-edge protocols UFO VPN supports.
Well, no. ‘UFO VPN provides 4 protocols for users at present’, the page explained, before describing them as ‘Protocol A’, ‘Protocol B’, ‘Protocol C’ and ‘Protocol D’. Huh?
If you’re expecting details on ciphers or key exchange, forget it. The page states that ‘protocol A is designed to work with the fastest speed’, ‘Protocol B is specially designed for making video calls’ and so on, but there’s nothing to help you assess any of this in privacy terms.
Signing up seemed easy, at least initially. UFO VPN had no problems taking our cash, and an email from the payment provider confirmed the subscription was set up.
The company was slower to provide any account details, but around 30 minutes later an email (confusingly titled ‘ufo unregister pay success email’) gave us our account password. It also included the mobile download links, but only the iOS URL worked (the Android link pointed to the now-dead Google Play page). Another sign that no one has cared about UFO for quite some time, maybe.
Fortunately, the download links are easy to find on the website, and within a couple of minutes we were ready to begin testing.
The UFO Windows app is very, very basic. There’s a big Connect button; a plain text list of countries; a choice of three cryptic protocols (A, C and D); and On/Off switches for the kill switch and a ‘Launch on Startup’ option. That’s it.
The location list caught our eye. Partly because it was so limited, with no server information, ping times, Favorites system, Recently Used list or anything faintly advanced. But mostly because, despite UFO VPN’s website claiming to offer 50 countries, the app only listed 21.
There’s no excuse for not delivering what customers have paid for, but UFO VPN does at least offer city-level locations in some countries (the US has 10).
We chose one, hit Connect, and the app connected to our server within 10 seconds. That’s not bad, and it gave us a chance to look at how it was protecting our traffic.
We didn’t analyze this in-depth, but first impressions weren’t good. UFO VPN uses components from an old open source package called BadVPN (we’re not making this up), which hasn’t seen any updates in a couple of years and is now listed as ‘not being maintained by the author’.
Maybe UFO VPN has taken over the project? Doesn’t look like it. The BadVPN component bundled with the app was dated 2019 and not digitally signed.
Configuration looked just as basic as we expected. A quality VPN runs its own DNS servers to reduce the chance of others seeing the sites you’re visiting, for instance. UFO VPN appears to redirect your queries to Google DNS. (It does route them through the tunnel, though, so these aren’t visible to your local network.)
The kill switch proved difficult to test, as we’ve never come across UFO VPN’s custom protocols before. We tried a couple of checks and found the app correctly blocked our internet each time. There’s no automated re-connect, so we had to close the connection manually and hit Connect again to get back online. But at least it protected our traffic, and compared to UFO VPN’s performance in the rest of this review, that’s an absolute triumph.
Netflix and streaming
Point your browser at the UFO VPN website and the headline you’ll see is ‘Unblock Any Website.’ Marketing spin, or does the service really deliver?
UFO VPN scored an immediate hit with BBC iPlayer, getting us access with all three UK locations.
It missed with US Netflix, unfortunately. Despite having a specialist Netflix server in Los Angeles, we weren’t able to stream US content.
The Disney Plus location failed to deliver, too. It’s based in Japan, and when we connected and tried to access the Disney Plus site, it gave us a simple ‘Disney Plus is unavailable at your location’ message.
We finished by checking Amazon Prime Video, but that was another miss. The site detected what we were doing, displayed its regular ‘Your device is connected to the Internet using a VPN or proxy service’ error, and demanded we ‘disable it and try again’.
If you really do want to ‘unblock any website’, then, UFO VPN isn’t going to help. Our tests show you’ll get much better results with providers including CyberGhost, ExpressVPN, Hide.me, Private Internet Access, ProtonVPN and Surfshark, all of which unblocked everything in their latest reviews.
We measure VPN speeds from US and UK locations, using several performance testing sites and services (SpeedTest’s website and command line app, TestMy.net, Netflix’s Fast.com and more). We check download speeds at least five times from each site, then again using another protocol, before repeating this all over again in an evening session.
UFO VPN’s US download speeds weren’t bad at all at 180-290Mbps with its Mode A protocol. It was even faster in the UK at 410-420Mbps. That’s more than just about anyone else manages with OpenVPN, although it can’t match the performance we’ve seen from WireGuard and similar connections (CyberGhost, IPVanish, NordVPN and others reached 700Mbps and more).
While UFO VPN deserves some credit for this, keep in mind that we’ve no idea how its Mode A protocol works, and so we don’t know if these are fair comparisons. There’s a chance the service is gaining some performance advantage because it’s not doing as much encryption, or omitting other steps that keep you safe.
UFO VPN’s support begins on the website, with a very, very basic FAQ. This has very few questions, and the answers you get are short and have no real detail.
If you’ve issues getting the service working on Android, for instance, you might think the article ‘How to start up UFO VPN on my Android?’ would help. But this is the entire article, unedited: ‘When you connect VPN at the first time, there will be a default popup windows that asks for your permission to allow UFO VPN to add VPN configuration on your device, just click ok to continue.’
There’s a search box, but that wasn’t much help, either. We entered common keywords such as protocol, speed and encryption, but the search engine didn’t find any matching results.
The app includes a Feedback box where you can ask questions, and it claims: ‘We will reply to you within 24 hours of working days’ (no, really – clarity isn’t UFO VPN’s strong point). We sent a simple message asking why the Windows app didn’t have half the locations listed on the website, but two weeks later, we still hadn’t received a reply.
UFO VPN doesn’t have live chat, but there is a Support email address, so we tried that, instead – 10 days on, still with no reply, we finally gave up. If you’re looking for customer service, this isn’t the VPN for you.
UFO VPN review: Final verdict
UFO VPN’s speeds aren’t bad, but the service has so many red flags that we’re struggling to care. That logging scandal, the useless support, claims of 50 countries covered when the app lists just 21, the Android app not being on Google Play, no blog or social media posts for months, and non-standard, undocumented protocols – all that’s before we even get to the two websites, the poor unblocking performance and lack of features. Don’t waste your time; you’ll be better off elsewhere.