Some Android VPN apps request access to sensitive permissions they don’t need


Some of the Android VPN apps available through the official Google Play Store request access to “dangerous” user permissions that a normal VPN app would have no use for, according to research viewed today by ZDNet.

The study, carried out by John Mason from TheBestVPN.com, analyzed 81 Android apps available for download through the Google Play Store.

Mason said he downloaded and extracted the permissions requested by each VPN app from their respective APK installer files.

The researcher used Google’s definition for classifying permissions.

“Normal” referred to the permissions the Android OS gave apps without prompting the user, because they aren’t considered a privacy risk.

“Dangerous” referred to permissions that access user data, which apps can only use after the user has granted explicit permission by clicking a button inside a popup window.

According to Mason, 50 of the 81 Android VPN apps he tested requested access to at least one dangerous permission that accessed user data.

While many apps had legitimate uses for the permissions they requested, some apps requested access permissions that a VPN app wouldn’t normally need.

Mason said he discovered VPN apps that requested access to read/write permissions for external device storage, wanted access to precise location data, wanted the ability to read or write system settings, and, in some cases, wanted to access call logs or manage local files.

“In theory, VPN apps should only need a few permissions to function. INTERNET and ACCESS_NETWORK_STATE should usually be enough,” Mason told us. “The use of a large number of dangerous permissions could be cause for suspicion.”

Some of the biggest offenders among the VPN apps are listed in the table below. This Google Docs spreadsheet includes a breakdown of every VPN app and the permissions it requested at the time of the tests. Mason’s research will go live later today at this link.

| VPN Name | # of dangerous permissions | Exact permission names |
|---|---|---|
| Yoga VPN | 6 | android.permission.ACCESS_FINE_LOCATION, android.permission.READ_PHONE_STATE, android.permission.WRITE_SETTINGS, android.permission.ACCESS_COARSE_LOCATION, android.permission.READ_EXTERNAL_STORAGE, android.permission.WRITE_EXTERNAL_STORAGE |
| proXPN VPN | 5 | android.permission.ACCESS_FINE_LOCATION, android.permission.READ_PHONE_STATE, android.permission.ACCESS_COARSE_LOCATION, android.permission.READ_EXTERNAL_STORAGE, android.permission.WRITE_EXTERNAL_STORAGE |
| Hola Free VPN | 4 | android.permission.READ_PHONE_STATE, android.permission.ACCESS_FINE_LOCATION, android.permission.READ_EXTERNAL_STORAGE, android.permission.WRITE_EXTERNAL_STORAGE |
| Seed4.Me VPN | 4 | android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_COARSE_LOCATION, android.permission.READ_EXTERNAL_STORAGE, android.permission.WRITE_EXTERNAL_STORAGE |
| OvpnSpider | 4 | android.permission.ACCESS_FINE_LOCATION, android.permission.READ_LOGS, android.permission.ACCESS_COARSE_LOCATION, android.permission.WRITE_EXTERNAL_STORAGE |
| SwitchVPN | 4 | android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_COARSE_LOCATION, android.permission.READ_EXTERNAL_STORAGE, android.permission.WRITE_EXTERNAL_STORAGE |
| Zoog VPN | 4 | android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_COARSE_LOCATION, android.permission.READ_EXTERNAL_STORAGE, android.permission.WRITE_EXTERNAL_STORAGE |
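The kind of check the study describes can be reproduced on a single app. The following is an added example, not code from Mason's research or from ZDNet: it reads an `AndroidManifest.xml` that has already been decoded to text XML (an assumption; the manifest inside an APK is stored in binary form) and sorts the requested permissions against the two-permission baseline Mason quotes and the permission names listed in the table above. The function names and the sample manifest are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Baseline Mason says should usually be enough for a VPN app.
VPN_BASELINE = {P + "INTERNET", P + "ACCESS_NETWORK_STATE"}

# Names the article's table reports as "dangerous" (not a complete list).
DANGEROUS_PER_ARTICLE = {P + n for n in (
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "READ_PHONE_STATE",
    "WRITE_SETTINGS", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "READ_LOGS",
)}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # <uses-permission-sdk-23> applies only on API 23+, but it is still a request.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names

def audit(manifest_xml):
    """Bucket requested permissions: baseline, dangerous per article, other."""
    perms = requested_permissions(manifest_xml)
    return {
        "baseline": sorted(perms & VPN_BASELINE),
        "dangerous": sorted(perms & DANGEROUS_PER_ARTICLE),
        "other": sorted(perms - VPN_BASELINE - DANGEROUS_PER_ARTICLE),
    }

# Constructed sample manifest for a hypothetical app, not taken from a real APK.
SAMPLE_MANIFEST = """<manifest package="com.example.vpn"
    xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
                   android:maxSdkVersion="28"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>"""

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_MANIFEST).items():
        print(f"{bucket}: {names}")
```

Anything in the "other" bucket is not necessarily a problem; it is simply outside both lists and needs a manual look.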
