In human speak, the primary purpose of these is to help secure you from bad people who might want to steal all that information you’ve been storing in the cloud (tax records, child’s birth certificate, etc).
One of my coworkers recently was the victim of a bad web service that didn’t use HTTPS to secure connections between his laptop and the site. His connection was sniffed at a coffee shop, and then shortly thereafter his password had been changed, his account was contacting people left and right attempting to get money for an emergency, and it took days to get everything straightened out.
Basically the thief waited until business hours of the website were past, then went to town while there was nobody there to handle things. Not only was my coworker put out by false charges, he also had to endure two days of his name being associated with a scammer due to a poorly secured web service.
Other things I’ve seen involve backdoors into apps, or bugs that can be exploited that allow hackers to gain information that they shouldn’t. Stagefright was one such method for Android, and several have been released for iOS as well however the ones I’ve seen of these have usually been more along the lines of managing to knock out secure connections so that data could later be sniffed.
Almost all of these methods depend on your phone being on the same network. There have been a couple of SMS-hacks, but those days are largely gone now that carriers filter texts for exploit code and most SMS clients have been patched.
So, you may be thinking that if you aren’t connected to a WiFi network you’d be safe. Unfortunately not. things such as Stingrays and compromised cell equipment still can sit there and sniff your data.
While compromising a carrier’s cell equipment is hard, and Stingrays cost money, it happens significantly more than you’d imagine. The 2014 Olympic Games in Sochi had compromised GSM equipment, compromised WiFi routers that people were connecting to because they were named things such as “xfinity”, “linksys”, along with various AT&T items. Most connections were just automatic, not even chosen.
Even just having WiFi enabled, some phones were broadcasting a list of known networks they were looking for and subsequently being presented with exactly what they wanted – a network name they’d connected to in the past.
What a VPN does is refuse to let any app on your phone talk to anyone except through it. You connect to a compromised network, doesn’t matter, your phone isn’t talking to anyone no matter what until a secure link is established between your device and the VPN provider.
All any compromised access point or provider equipment will see is encrypted traffic between you and a VPN provider. Assuming they somehow manage to break the encryption (looking at 70+ years usually expected time using all the computers on the planet,) your secured traffic that went over the already secured VPN will still have to be broken.
So probably not going to happen, but even if it did you’re still not vulnerable to most exploits because you’re not allowing apps to talk to anyone assuming you’ve got local network disabled.
Alternately you’re a big ol’ pirate and want to hide your torrents behind a VPN in Amsterdam where they don’t do anything against pirates, nor store logging information that would provide your internet service provider, the MPAA, or the RIAA information on your activities.
Either way a VPN might be beneficial for you.
However, a couple of things. If you don’t store lots of information on the cloud, use a different password for every service that you don’t have stored in a password manager, use two-factor authentication for services like Facebook and Google, don’t have WiFi turned on when you’re out of the house, you might be able to get by without any issues.
Alternately assuming you don’t have a terribly lot of important data, the cost of dealing with an account breakin might be less than the $50 or so a year of a service that keeps your device safe and potentially untraceable depending on which you use.
A little bit of transparency
VPN services give referers commission. I’m listing three VPN providers I use for work, travel, etc (all I’ve not seen a dime with and have used for months as of 1/19/2017.) Each one of them except Betternet you can figure a nearly 50% commission rate.
These things pay extremely well and as such I’d caution that you should never trust someone who has a $25 incentive to sell you on the service.
Services I’ve personally used and recommend as of 2017
Speedify’s current lack of two features bugs me. You can’t completely anonymously sign up for their service (IE use Bitcoin to pay, no return email address, etc,) and they don’t have the ability to not VPN certain apps.
Basically if you want some privacy you do not want spyware like Facebook reporting your current IP address. However, should you not be worried about complete and total anonymity to the VPN provider, this isn’t much of an issue.
Private Internet Access
is a service that is for the un-paranoid privacy paranoid. You’ll need to research them to see if you want to trust them or not, but they allow you to sign up with no real email, pay by bitcoin, shopping cards, prepaid cash card, etc, and claim they have no logging.
Torrent capable servers in every country they service, port forwarding in some countries in case you want to run a server of some sort, and generally most of what you need to keep yourself anonymous wherever you are.
PIA also allows you to choose per-app settings so maybe only your torrent client and that browser you use to peruse the warez is ever going to see the VPN while spyware apps just see your normal IP.
Downsides to PIA that I’ve seen is on iknowwhatyoudownload and several captcha sites you’re be lumped in with robots and hackers. This is going to eventually be a problem with most VPNs, PIA just has it now because they’re so popular, but I can’t get into my bank account when connected to PIA as they assume I’m a hacker.
But what about service_X?
Haven’t used it. Want to get me a review invite, sure I’ll play with it.
All that said, do you need a VPN?
Maybe, maybe not. They protect your kids from some things as well EG – your kid’s a dumbass and says some things that might ruin their life in what they think is an anonymous forum and then someone posts their IP address and the next thing you know there’s a trail leading right back to your house.
If you don’t do much online maybe not.
I’ve got a VPN we tunnel some work traffic through because I got tired of people getting work’s IPs blacklisted, torrent DMCA requests, MPAA threats, ISP warnings about viruses, etc for people who walked into the building and were bored in our lobby.
I’ve got a VPN for travel – Speedify, it’s great in crappy conditions and holds a VPN tunnel like no other VPN can (due to the multiple connections.) It holds up the best when dealing with events like CES where there are 170K people trying to get on the same WiFi.
And I’ve got Betternet because sometimes I want to poke around and don’t really care. Once again, not knocking Betternet.
However as it all comes down in the end to getting me $20-$25 in commissions, grab one of the pay ones (or get Betternet and PayPal me 😉 )