Some of the Android VPN apps available through the official Google Play Store request access to "dangerous" user permissions that a normal VPN app would have no use for, according to research viewed today by ZDNet.
Security
The study, carried out by John Mason from TheBestVPN.com, analyzed 81 Android apps available for download through the Google Play Store.
Mason said he downloaded and extracted the permissions requested by each VPN app from their respective APK installer files.
The researcher used Google's definition for classifying permissions.
"Normal" referred to the permissions the Android OS gave apps without prompting the user --because they aren't considered a privacy risk.
"Dangerous" referred to permissions that accessed user data and which apps can only access after the user has granted explicit permission by clicking a button inside a popup window.
According to Mason, 50 of the 81 Android VPN apps he tested requested access to at least one dangerous permission that accessed user data.
While many apps had legitimate uses for the permissions they requested, some apps requested access permissions that a VPN app wouldn't normally need.
Mason said he discovered VPN apps that requested access to read/write permissions for external device storage, wanted access to precise location data, wanted the ability to read or write system settings, and, in some cases, wanted to access call logs or manage local files.
"In theory, VPN apps should only need a few permissions to function. INTERNET and ACCESS_NETWORK_STATE should usually be enough," Mason told us. "The use of a large number of dangerous permissions could be cause for suspicion."
Some of the biggest offender VPN apps are listed in the table below. This Google Docs spreadsheet includes a breakdown of every VPN app and the permissions it requested at the time of the tests. Mason's research will go live later today at this link.
| VPN Name | # of dangerous permission | Exact permission name |
| Yoga VPN | 6 | android.permission.ACCESS_FINE_LOCATION android.permission.READ_PHONE_STATE android.permission.WRITE_SETTINGS android.permission.ACCESS_COARSE_LOCATION android.permission.READ_EXTERNAL_STORAGE android.permission.WRITE_EXTERNAL_STORAGE |
| proXPN VPN | 5 | android.permission.ACCESS_FINE_LOCATION android.permission.READ_PHONE_STATE android.permission.ACCESS_COARSE_LOCATION android.permission.READ_EXTERNAL_STORAGE android.permission.WRITE_EXTERNAL_STORAGE |
| Hola Free VPN | 4 | android.permission.READ_PHONE_STATE android.permission.ACCESS_FINE_LOCATION android.permission.READ_EXTERNAL_STORAGE android.permission.WRITE_EXTERNAL_STORAGE |
| Seed4.Me VPN | 4 | android.permission.ACCESS_FINE_LOCATION android.permission.ACCESS_COARSE_LOCATION android.permission.READ_EXTERNAL_STORAGE android.permission.WRITE_EXTERNAL_STORAGE |
| OvpnSpider | 4 | android.permission.ACCESS_FINE_LOCATION android.permission.READ_LOGS android.permission.ACCESS_COARSE_LOCATION android.permission.WRITE_EXTERNAL_STORAGE |
| SwitchVPN | 4 | android.permission.ACCESS_FINE_LOCATION android.permission.ACCESS_COARSE_LOCATION android.permission.READ_EXTERNAL_STORAGE android.permission.WRITE_EXTERNAL_STORAGE |
| Zoog VPN | 4 | android.permission.ACCESS_FINE_LOCATION android.permission.ACCESS_COARSE_LOCATION android.permission.READ_EXTERNAL_STORAGE android.permission.WRITE_EXTERNAL_STORAGE |
The best VPN services: Our 10 favorite vendors for protecting your privacy
Related cybersecurity news coverage:
- Microsoft rolls out Google's Retpoline Spectre mitigation to Windows 10 users
- Researchers uncover ring of GitHub accounts promoting 300+ backdoored apps
- New exploit lets attackers take control of Windows IoT Core devices
- W3C finalizes Web Authentication (WebAuthn) standard
- Intel SGX Card expands SGX security protections to cloud data centers
- Adobe releases out-of-band update to patch ColdFusion zero-day
- How IoT is being used for Australian agriculture in 2019 TechRepublic
- Xiaomi electric scooter reportedly vulnerable to hijacking hack CNET