Some of the Android VPN apps available through the official Google Play Store request access to "dangerous" user permissions that a normal VPN app would have no use for, according to research viewed today by ZDNet.
The study, carried out by John Mason from TheBestVPN.com, analyzed 81 Android apps available for download through the Google Play Store.
Mason said he downloaded and extracted the permissions requested by each VPN app from their respective APK installer files.
The researcher used Google's definition for classifying permissions.
"Normal" referred to the permissions the Android OS gave apps without prompting the user --because they aren't considered a privacy risk.
"Dangerous" referred to permissions that accessed user data and which apps can only access after the user has granted explicit permission by clicking a button inside a popup window.
According to Mason, 50 of the 81 Android VPN apps he tested requested access to at least one dangerous permission that accessed user data.
While many apps had legitimate uses for the permissions they requested, some apps requested access permissions that a VPN app wouldn't normally need.
Mason said he discovered VPN apps that requested access to read/write permissions for external device storage, wanted access to precise location data, wanted the ability to read or write system settings, and, in some cases, wanted to access call logs or manage local files.
"In theory, VPN apps should only need a few permissions to function. INTERNET and ACCESS_NETWORK_STATE should usually be enough," Mason told us. "The use of a large number of dangerous permissions could be cause for suspicion."
Some of the biggest offender VPN apps are listed in the table below. This Google Docs spreadsheet includes a breakdown of every VPN app and the permissions it requested at the time of the tests. Mason's research will go live later today at this link.