Some Android VPN apps request access to sensitive permissions they don’t need

Some of the Android VPN apps available through the official Google Play Store request access to “dangerous” user permissions that a normal VPN app would have no use for, according to research viewed today by ZDNet.

The study, carried out by John Mason from TheBestVPN.com, analyzed 81 Android apps available for download through the Google Play Store.

Mason said he downloaded and extracted the permissions requested by each VPN app from their respective APK installer files.

The researcher used Google’s definition for classifying permissions.

“Normal” referred to the permissions the Android OS gave apps without prompting the user –because they aren’t considered a privacy risk.

“Dangerous” referred to permissions that accessed user data and which apps can only access after the user has granted explicit permission by clicking a button inside a popup window.

According to Mason, 50 of the 81 Android VPN apps he tested requested access to at least one dangerous permission that accessed user data.

While many apps had legitimate uses for the permissions they requested, some apps requested access permissions that a VPN app wouldn’t normally need.

Mason said he discovered VPN apps that requested access to read/write permissions for external device storage, wanted access to precise location data, wanted the ability to read or write system settings, and, in some cases, wanted to access call logs or manage local files.

“In theory, VPN apps should only need a few permissions to function. INTERNET and ACCESS_NETWORK_STATE should usually be enough,” Mason told us. “The use of a large number of dangerous permissions could be cause for suspicion.”

Some of the biggest offender VPN apps are listed in the table below. This Google Docs spreadsheet includes a breakdown of every VPN app and the permissions it requested at the time of the tests. Mason’s research will go live later today at this link.

VPN Name# of dangerous permissionExact permission name
Yoga VPN: Google Play link6android.permission.ACCESS_FINE_LOCATION
android.permission.READ_PHONE_STATE
android.permission.WRITE_SETTINGS
android.permission.ACCESS_COARSE_LOCATION
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
proXPN VPN:Google Play link5android.permission.ACCESS_FINE_LOCATION
android.permission.READ_PHONE_STATE
android.permission.ACCESS_COARSE_LOCATION
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
Hola Free VPN:Google Play link4android.permission.READ_PHONE_STATE
android.permission.ACCESS_FINE_LOCATION
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
Seed4.Me VPN:Google Play link4android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_COARSE_LOCATION
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
OvpnSpider:Google Play link4android.permission.ACCESS_FINE_LOCATION
android.permission.READ_LOGS
android.permission.ACCESS_COARSE_LOCATION
android.permission.WRITE_EXTERNAL_STORAGE
SwitchVPN:Google Play link4android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_COARSE_LOCATION
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
Zoog VPN:Google Play link4android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_COARSE_LOCATION
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE

[This article stolen from: https://www.zdnet.com/article/some-android-vpn-apps-request-access-to-sensitive-permissions-they-dont-need/]

Leave a Reply