Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Privacy

Many Android VPN Apps Request 'Dangerous' Permissions They Don't Need (zdnet.com) 63

A VPN researcher found that many Android VPN apps request access to sensitive permissions that they don't need, according to an article shared by WaitingForSupport. ZDNet reports: The study, carried out by John Mason from TheBestVPN.com, analyzed 81 Android apps available for download through the Google Play Store. Mason said he downloaded and extracted the permissions requested by each VPN app from their respective APK installer files.... According to Mason, 50 of the 81 Android VPN apps he tested requested access to at least one dangerous permission that accessed user data...

Mason said he discovered VPN apps that requested access to read/write permissions for external device storage, wanted access to precise location data, wanted the ability to read or write system settings, and, in some cases, wanted to access call logs or manage local files. "In theory, VPN apps should only need a few permissions to function. INTERNET and ACCESS_NETWORK_STATE should usually be enough," Mason told us. "The use of a large number of dangerous permissions could be cause for suspicion."

This discussion has been archived. No new comments can be posted.

Many Android VPN Apps Request 'Dangerous' Permissions They Don't Need

Comments Filter:
  • by rmdingler ( 1955220 ) on Saturday March 09, 2019 @02:39PM (#58243476) Journal

    VPN's are the tech equivalent of burglar bars and a safe.

    You may not have anything of value in there, but it looks like you do.

    • VPN's are the tech equivalent of burglar bars and a safe.

      You may not have anything of value in there, but it looks like you do.

      Actually it's the tech equivalent of a bank safety deposit box room. You may not have anything of value in there, but if someone goes looking they're overwhelmed with lots of boxes and wouldn't even know where the hell to begin.

      So come at me bro, my IP address is: 185.220.70.138

  • The rest exfiltration
  • by QuietLagoon ( 813062 ) on Saturday March 09, 2019 @03:01PM (#58243560)
    ... nearly every app I look at to install asks for permissions that I know are not necessary for the app to perform its function.
    • by gweihir ( 88907 )

      Indeed. I recently needed an app to check on GPS status for another app that needs it to be good but provides no indication whether it is (talk about stupid coding...). It took me about 10 tries until I found one that actually only wanted location access but nothing else. The only explanation I have for this mess is clueless users that give apps all the permissions requested.

    • Then don't install any apps.

      Eventually you'll want features, and you'll be forced to ask: Why? Why do "all" the apps I look to install ask for excess permissions? Is it an inherent feature of apps, or is it merely a typical feature of apps that you get from a certain source?

      And the answer is oh so simple; you're getting apps from Brandybrand(TM) App Store, instead of from F-Droid.

      • ...Then don't install any apps....

        I don't go that far. I am just far more careful about the apps I do install, and use the permission granularity to my bnefit.

    • by dargaud ( 518470 )
      What we need are fine-tuned options for access: allow, disallow and fake-it. Most apps check the permissions and ask again (or refuse to run) if you go and disallow some of them. We need a "fake-it" option that the app thinks is 'allow' and that provides fake GPS data, fake (blank or white noise) microphone data, fake network access (extremely long timeouts...), etc...
  • The VPN app I use appears as "suspicious" in this analysis because it uses READ_EXTERNAL_STORAGE. So far as I can tell, this is needed to access downloaded files. The way I configure my VPN connection is to download a config file from a website and import it into the app. The config file includes certificates to a) authenticate me to the server, b) authenticate the server to me. Typing in a long binary string for (a) is not going to work, so the app needs to be able to read downloaded files. I think this c
    • If READ_EXTERNAL_STORAGE is required to simply read a few files from a private configuration directory, the Android security model sucks beyond all possible comprehension.

      Which it might. I would know this already for a real OS, only in this case I'm too afraid to even begin to peek under the hood.

      I stopped installing apps years ago for precisely this reason: what you don't know can hurt you; I don't want to learn the Android security model without brain bleach, and I don't want to learn the Android security

      • Comment removed based on user account deletion
    • It is needed only to upload files, or to save downloaded files in the Downloads directory instead of the app's private directory.

      Personally, that seems like a huge security risk. I want the VPN to provide the pipe, and only have the permissions for managing the pipe. Uploading and downloading files should be done by other apps, that live on the other side of that pipe.

      It is done for convenience, so you can download the config file normally, and then choose it from a file browser in the VPN app.

      I actually do

  • Coding is already very hard, but coding security critical components is even more so. At the same time, we have coders that are barely computer literate and could not code anything complicated of their life depended on it. The situation is worse wit "apps". Hence it is no surprise at all that VPN apps are generally speaking an insecure mess.

    • I'm not even convinced they're "security" apps, they might just be the "warez" tool of the modern age.

  • It would be nice ... (Score:2, Interesting)

    by PPH ( 736903 )

    ... if someone would build a phone OS with something like containers. So you could give an app all the permissions it wants. To do whatever it wants. Inside its own little sandbox.

    • ... if someone would build a phone OS with something like containers. So you could give an app all the permissions it wants. To do whatever it wants. Inside its own little sandbox.

      But what is contained in your "sandbox"? Would an app that needs to access your camera and/or microphone or GPS qualify as staying inside its sandbox? If yes, then even a sandboxed app could seriously invade your privacy if it operates in ways you don't expect. If not, then how could any mapping application or telecommunications tool (think Facetime, Skype, etc.) work inside your sandbox?

      • by PPH ( 736903 )

        But what is contained in your "sandbox"?

        Whatever I put there. If an app 'demands' access to my camera (or won't run) that I don't feel it needs, it gets a camera emulation with a picture of Mr Potato Head. For a microphone, a WAV file of Nickelback (looped forever).

    • ... if someone would build a phone OS with something like containers. So you could give an app all the permissions it wants. To do whatever it wants. Inside its own little sandbox.

      Resulting in what, a phone OS that confuses users with endless options which when they exercise cause random and hard to track breakage in individual app?

  • by Artem S. Tashkinov ( 764309 ) on Saturday March 09, 2019 @04:02PM (#58243794) Homepage

    Let's be completely honest:

    Many Android #What's your favorite topic again?# Apps Request 'Dangerous' Permissions They Don't Need

    And it's not entirely Google's fault. When you download applications for Windows you must also exercise caution and, unlike Android apps, most Windows applications require full access to your PC (some Windows applications even install low level drivers), so with Android you can at least have some control.

    What really annnoys me about Android is that often there's a nice nifty app which requires next to zero permissions and no access to the Internet, and then its developer decides he wants to monetize his app (which has suddenly become relatively popular), and this app suddenly starts showing full screen ads and send your private data God knows where.

  • and google play needs access to everything it asks for?
  • I wonder how does it correlates with nationality of the VPN provider [slashdot.org].
  • Nearly all apps available through the Google Play Store are malware - usually spyware. Android OS is privacy-hostile by design.

  • "A researcher found that many Android apps request access to sensitive permissions that they don't need."

    is anybody still not aware of this?

I cannot conceive that anybody will require multiplications at the rate of 40,000 or even 4,000 per hour ... -- F. H. Wales (1936)

Working...