Many Android VPN Apps Request 'Dangerous' Permissions They Don't Need

A VPN researcher found that many Android VPN apps request access to sensitive permissions that they don't need, according to an article shared by WaitingForSupport. ZDNet reports: The study, carried out by John Mason from TheBestVPN.com, analyzed 81 Android apps available for download through the Google Play Store. Mason said he downloaded and extracted the permissions requested by each VPN app from their respective APK installer files.... According to Mason, 50 of the 81 Android VPN apps he tested requested access to at least one dangerous permission that accessed user data...

Mason said he discovered VPN apps that requested access to read/write permissions for external device storage, wanted access to precise location data, wanted the ability to read or write system settings, and, in some cases, wanted to access call logs or manage local files. "In theory, VPN apps should only need a few permissions to function. INTERNET and ACCESS_NETWORK_STATE should usually be enough," Mason told us. "The use of a large number of dangerous permissions could be cause for suspicion."

Tempting packets

[rmdingler]

VPN's are the tech equivalent of burglar bars and a safe.

You may not have anything of value in there, but it looks like you do.

Re:

[Aighearach]

You should really get out more.

Stop using Google Play store, use f-droid instead.

[Anonymous Coward]

I don't know why anyone would use apps from the Google Play Store... It's so full of garbage and adware. These days, I pretty much ONLY use apps from f-droid. They do a much better job of tightening up permissions and removing anti-features than anything Google is doing on the app store.

Re:

[thegarbz]

VPN's are the tech equivalent of burglar bars and a safe.

You may not have anything of value in there, but it looks like you do.

Actually it's the tech equivalent of a bank safety deposit box room. You may not have anything of value in there, but if someone goes looking they're overwhelmed with lots of boxes and wouldn't even know where the hell to begin.

So come at me bro, my IP address is: 185.220.70.138

Some just dumb

[aweol]

The rest exfiltration

Re:

[KiloByte]

For this reason, there's no real option other than demanding the source (and rights to modify and distribute) of every piece of code you run on your machine. In particular, this means no Android (and free forks lack drivers for any modern hardware).

Only then you can have a possibility of killing phone-home.

Re:

[currently_awake]

Android needs 3 permission settings: 1-yes, 2-no, 3-no but lie and give the app fake data.

Re:

[MightyMartian]

That may be a bit of an exaggeration, but frankly, if it's free and I'm routing my traffic through it because I want an encrypted tunnel, I'm not too sure I'd trust any free service, or even many for-pay services. I've been rolling my own VPNs for about a decade now, mainly using OpenVPN. Yes, it's had the odd hole, and you still have to trust the encryption libraries it uses, but at least I'm creating the keys for the damned thing. I'm not sure I'd put anything on my phone that I need encryption for, mind

Not just VPN apps...

[QuietLagoon]

... nearly every app I look at to install asks for permissions that I know are not necessary for the app to perform its function.

Re:

[gweihir]

Indeed. I recently needed an app to check on GPS status for another app that needs it to be good but provides no indication whether it is (talk about stupid coding...). It took me about 10 tries until I found one that actually only wanted location access but nothing else. The only explanation I have for this mess is clueless users that give apps all the permissions requested.

Re:

[Aighearach]

Then don't install any apps.

Eventually you'll want features, and you'll be forced to ask: Why? Why do "all" the apps I look to install ask for excess permissions? Is it an inherent feature of apps, or is it merely a typical feature of apps that you get from a certain source?

And the answer is oh so simple; you're getting apps from Brandybrand(TM) App Store, instead of from F-Droid.

Re:

[QuietLagoon]

...Then don't install any apps....

I don't go that far. I am just far more careful about the apps I do install, and use the permission granularity to my bnefit.

Re:

[dargaud]

What we need are fine-tuned options for access: allow, disallow and fake-it. Most apps check the permissions and ask again (or refuse to run) if you go and disallow some of them. We need a "fake-it" option that the app thinks is 'allow' and that provides fake GPS data, fake (blank or white noise) microphone data, fake network access (extremely long timeouts...), etc...

READ_EXTERNAL_STORAGE

[henryteighth]

The VPN app I use appears as "suspicious" in this analysis because it uses READ_EXTERNAL_STORAGE. So far as I can tell, this is needed to access downloaded files. The way I configure my VPN connection is to download a config file from a website and import it into the app. The config file includes certificates to a) authenticate me to the server, b) authenticate the server to me. Typing in a long binary string for (a) is not going to work, so the app needs to be able to read downloaded files. I think this c

brain bleach connundrum

[epine]

If READ_EXTERNAL_STORAGE is required to simply read a few files from a private configuration directory, the Android security model sucks beyond all possible comprehension.

Which it might. I would know this already for a real OS, only in this case I'm too afraid to even begin to peek under the hood.

I stopped installing apps years ago for precisely this reason: what you don't know can hurt you; I don't want to learn the Android security model without brain bleach, and I don't want to learn the Android security

Re:

[jaklode]

That is mostly correct. Unfortunately, if you want to access other files, it's not that easy - think import/export settings. The documentation says to use ACTION_CREATE_DOCUMENT, and that works fine - mostly. On Xiaomi phones, it will just pop up a dialog telling the user to enable external storage permissions. The user can toggle that on in settings - if it's listed in the manifest (that said, you do not have to request the permission in the app at runtime and just leave that crutch for poor MIUI users).

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Aighearach]

It is needed only to upload files, or to save downloaded files in the Downloads directory instead of the app's private directory.

Personally, that seems like a huge security risk. I want the VPN to provide the pipe, and only have the permissions for managing the pipe. Uploading and downloading files should be done by other apps, that live on the other side of that pipe.

It is done for convenience, so you can download the config file normally, and then choose it from a file browser in the VPN app.

I actually do

Re:

[Aighearach]

Seriously, are people completely fucking stupid?

Yes. Seriously.

Hontony honta, nya.

Wannabe security coders

[gweihir]

Coding is already very hard, but coding security critical components is even more so. At the same time, we have coders that are barely computer literate and could not code anything complicated of their life depended on it. The situation is worse wit "apps". Hence it is no surprise at all that VPN apps are generally speaking an insecure mess.

Re:

[Aighearach]

I'm not even convinced they're "security" apps, they might just be the "warez" tool of the modern age.

Re:

[Aighearach]

Who's going to say no?

1) Anyone with a brain
2) Anyone who knows what a VPN is for
3) Anyone who knows about F-Droid and has better options.

I know, I know, that's only a few dozen people, but they're the people who matter.

It would be nice ...

[PPH]

... if someone would build a phone OS with something like containers. So you could give an app all the permissions it wants. To do whatever it wants. Inside its own little sandbox.

Re:

[BitterOak]

... if someone would build a phone OS with something like containers. So you could give an app all the permissions it wants. To do whatever it wants. Inside its own little sandbox.

But what is contained in your "sandbox"? Would an app that needs to access your camera and/or microphone or GPS qualify as staying inside its sandbox? If yes, then even a sandboxed app could seriously invade your privacy if it operates in ways you don't expect. If not, then how could any mapping application or telecommunications tool (think Facetime, Skype, etc.) work inside your sandbox?

Re:

[PPH]

But what is contained in your "sandbox"?

Whatever I put there. If an app 'demands' access to my camera (or won't run) that I don't feel it needs, it gets a camera emulation with a picture of Mr Potato Head. For a microphone, a WAV file of Nickelback (looped forever).

Re:

[thegarbz]

... if someone would build a phone OS with something like containers. So you could give an app all the permissions it wants. To do whatever it wants. Inside its own little sandbox.

Resulting in what, a phone OS that confuses users with endless options which when they exercise cause random and hard to track breakage in individual app?

Clarification

[Artem S. Tashkinov]

Let's be completely honest:

Many Android #What's your favorite topic again?# Apps Request 'Dangerous' Permissions They Don't Need

And it's not entirely Google's fault. When you download applications for Windows you must also exercise caution and, unlike Android apps, most Windows applications require full access to your PC (some Windows applications even install low level drivers), so with Android you can at least have some control.

What really annnoys me about Android is that often there's a nice nifty app which requires next to zero permissions and no access to the Internet, and then its developer decides he wants to monetize his app (which has suddenly become relatively popular), and this app suddenly starts showing full screen ads and send your private data God knows where.

monkey see monkey do

[a voice in the crowd]

and google play needs access to everything it asks for?

Chineese VPN

[manu0601]

I wonder how does it correlates with nationality of the VPN provider [slashdot.org].

Play Store = malware

[astrofurter]

Nearly all apps available through the Google Play Store are malware - usually spyware. Android OS is privacy-hostile by design.

drop VPN and still true

[sad_]

"A researcher found that many Android apps request access to sensitive permissions that they don't need."

is anybody still not aware of this?