Slashdot Mirror


Many Android VPN Apps Request 'Dangerous' Permissions They Don't Need (zdnet.com)

A VPN researcher found that many Android VPN apps request access to sensitive permissions that they don't need, according to an article shared by WaitingForSupport. ZDNet reports: The study, carried out by John Mason from TheBestVPN.com, analyzed 81 Android apps available for download through the Google Play Store. Mason said he downloaded and extracted the permissions requested by each VPN app from their respective APK installer files.... According to Mason, 50 of the 81 Android VPN apps he tested requested access to at least one dangerous permission that accessed user data...

Mason said he discovered VPN apps that requested access to read/write permissions for external device storage, wanted access to precise location data, wanted the ability to read or write system settings, and, in some cases, wanted to access call logs or manage local files. "In theory, VPN apps should only need a few permissions to function. INTERNET and ACCESS_NETWORK_STATE should usually be enough," Mason told us. "The use of a large number of dangerous permissions could be cause for suspicion."
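One way to reproduce the study's check on a single app, as an added example (not Mason's tooling or any VPN app's code). It assumes the APK's binary AndroidManifest.xml has already been decoded to plain XML (apktool does this); the two manifests embedded below are constructed samples, and the dangerous-permission list is a subset of Android's runtime-prompted permissions.

```python
"""Audit the permissions an Android manifest requests against the baseline a
VPN client should need (INTERNET and ACCESS_NETWORK_STATE, as quoted in the
article).  Added example; assumes a manifest already decoded to plain XML."""
from __future__ import annotations
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PERM_PREFIX = "android.permission."

# The baseline Mason quotes for a VPN client: these two should usually be enough.
VPN_BASELINE = {"INTERNET", "ACCESS_NETWORK_STATE"}

# Subset of permissions Android puts under the "dangerous" protection level
# (prompted at runtime because they expose user data).  WRITE_SETTINGS is not
# in that level but is a special-access permission the article also calls out.
DANGEROUS = {
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "READ_CALL_LOG", "WRITE_CALL_LOG", "CALL_PHONE", "READ_PHONE_STATE",
    "READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS",
    "READ_SMS", "SEND_SMS", "RECEIVE_SMS",
    "CAMERA", "RECORD_AUDIO", "BODY_SENSORS",
}
SPECIAL_ACCESS = {"WRITE_SETTINGS", "SYSTEM_ALERT_WINDOW"}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Names declared via <uses-permission> (and the API-23+ variant),
    with the android.permission. prefix stripped."""
    root = ET.fromstring(manifest_xml)
    names: set[str] = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name.removeprefix(PERM_PREFIX))
    return names


def audit(manifest_xml: str, baseline: set[str] = VPN_BASELINE) -> dict:
    """Classify what the app asks for beyond the baseline.  As in the study,
    an app is flagged when it requests at least one dangerous permission."""
    perms = requested_permissions(manifest_xml)
    extra = perms - baseline
    return {
        "requested": perms,
        "dangerous": extra & DANGEROUS,
        "special_access": extra & SPECIAL_ACCESS,
        "other": extra - DANGEROUS - SPECIAL_ACCESS,
        "flagged": bool(extra & DANGEROUS),
    }


def summarize(manifests: dict[str, str]) -> tuple[int, int]:
    """Headline figure of the study: how many of N apps are flagged."""
    flagged = sum(audit(xml)["flagged"] for xml in manifests.values())
    return flagged, len(manifests)


SAMPLE_MANIFESTS = {  # constructed samples, not real apps
    "tunnel.minimal": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tunnel.minimal">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>""",
    "tunnel.greedy": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tunnel.greedy">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>""",
}

if __name__ == "__main__":
    for app, xml in SAMPLE_MANIFESTS.items():
        r = audit(xml)
        print(f"{app}: flagged={r['flagged']} dangerous={sorted(r['dangerous'])} "
              f"special={sorted(r['special_access'])} other={sorted(r['other'])}")
    print("flagged %d of %d apps" % summarize(SAMPLE_MANIFESTS))
```

Permissions not in the baseline but outside both lists (here FOREGROUND_SERVICE) are reported separately so a reviewer can judge them on their own merits rather than treating every extra as suspect.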

63 comments

  1. Tempting packets by rmdingler · · Score: 2

    VPNs are the tech equivalent of burglar bars and a safe.

    You may not have anything of value in there, but it looks like you do.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:Tempting packets by Anonymous Coward · · Score: 0

      That's the dumbest thing I'll read this morning, thanks.

    2. Re:Tempting packets by Aighearach · · Score: 1

      You should really get out more.

    3. Re:Tempting packets by Anonymous Coward · · Score: 0

      Are there dumber things to read outside somewhere? I'd tend to doubt it. This ^^ is king. "A VPN is like burglar bars and a safe" - You can't just derp this stuff up. It reigns as the dumbest thing I did in fact read all morning.

      Now that it's the afternoon, please, continue. That spot has not been claimed by such equivalent idiocy yet. Maybe a car analogy, a VPN is like a smoking U-haul van or something absolutely stupid in that direction, hmm?

    4. Re:Tempting packets by thegarbz · · Score: 1

      VPNs are the tech equivalent of burglar bars and a safe.

      You may not have anything of value in there, but it looks like you do.

      Actually it's the tech equivalent of a bank safety deposit box room. You may not have anything of value in there, but if someone goes looking they're overwhelmed with lots of boxes and wouldn't even know where the hell to begin.

      So come at me bro, my IP address is: 185.220.70.138

  2. Some just dumb by aweol · · Score: 1

    The rest exfiltration

  3. You can't save people from themselves by Anonymous Coward · · Score: 0

    Look, Android is total shite—as evidenced by all this nonsense, Android doesn't even begin to provide an adequate framework with which to compute in a mobile fashion.

    HOWEVER, permissions can be managed by users to a degree, and users are free to think about what they are putting on their own systems. So, if people get screwed, I don't really care; you'll go insane trying to save people from their own stupidity.

    1. Re:You can't save people from themselves by KiloByte · · Score: 1

      For this reason, there's no real option other than demanding the source (and rights to modify and distribute) of every piece of code you run on your machine. In particular, this means no Android (and free forks lack drivers for any modern hardware).

      Only then can you have a possibility of killing phone-home.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re: You can't save people from themselves by Anonymous Coward · · Score: 0

      I am not surprised by this at all - the very reason for existence of many free VPN services is to spy on users.

    3. Re: You can't save people from themselves by MightyMartian · · Score: 2

      That may be a bit of an exaggeration, but frankly, if it's free and I'm routing my traffic through it because I want an encrypted tunnel, I'm not too sure I'd trust any free service, or even many for-pay services. I've been rolling my own VPNs for about a decade now, mainly using OpenVPN. Yes, it's had the odd hole, and you still have to trust the encryption libraries it uses, but at least I'm creating the keys for the damned thing. I'm not sure I'd put anything on my phone that I need encryption for, mind you.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    4. Re:You can't save people from themselves by currently_awake · · Score: 2

      Android needs 3 permission settings: 1-yes, 2-no, 3-no but lie and give the app fake data.

    5. Re: You can't save people from themselves by Anonymous Coward · · Score: 0

      My_Cute_Hello_Puppy.apk

      (Informative message with a Russian novel's worth of permissions the app 'needs') ::15 year old girl hits [ACCEPT]::

  4. Got called out for this once on my own app by Anonymous Coward · · Score: 0

    I put a mobile game out years ago when someone tech savvy reached out to me to say I didn't need a certain permission (I think it was READ_PHONE_STATE). I replied that an API I used required it according to their documentation, and they responded "No it doesn't."

    I dug into it and found that they were right and the documentation was wrong. I replied back that I pushed out a fix and thanked them for pointing it out.

    Everyone walked away happy. Would be nice if something like that happened with those 50 apps.

  5. Is there a review site that shows this? by Anonymous Coward · · Score: 0

    It would be great to see a review site that shows what permissions apps are requesting. Maybe I'll build one.

  6. Nonsense. by Anonymous Coward · · Score: 0

    Android. Google. Safe. By definition.

    I know these things.

    Get your hotdogs. Get your hotdogs.

  7. It's called an operating system. by Anonymous Coward · · Score: 0

    Google built a shit OS, or people aren't bothering to manage the permissions of the apps they install.

    Notice that's not an exclusive "or".

  8. Not just VPN apps... by QuietLagoon · · Score: 4, Insightful

    ... nearly every app I look at to install asks for permissions that I know are not necessary for the app to perform its function.

    1. Re:Not just VPN apps... by gweihir · · Score: 1

      Indeed. I recently needed an app to check on GPS status for another app that needs it to be good but provides no indication whether it is (talk about stupid coding...). It took me about 10 tries until I found one that actually only wanted location access but nothing else. The only explanation I have for this mess is clueless users that give apps all the permissions requested.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Not just VPN apps... by Aighearach · · Score: 1

      Then don't install any apps.

      Eventually you'll want features, and you'll be forced to ask: Why? Why do "all" the apps I look to install ask for excess permissions? Is it an inherent feature of apps, or is it merely a typical feature of apps that you get from a certain source?

      And the answer is oh so simple; you're getting apps from Brandybrand(TM) App Store, instead of from F-Droid.

    3. Re:Not just VPN apps... by Anonymous Coward · · Score: 0

      F-Droid apps ask for too many permissions as well.

    4. Re:Not just VPN apps... by dargaud · · Score: 2

      What we need are fine-tuned options for access: allow, disallow and fake-it. Most apps check the permissions and ask again (or refuse to run) if you go and disallow some of them. We need a "fake-it" option that the app thinks is 'allow' and that provides fake GPS data, fake (blank or white noise) microphone data, fake network access (extremely long timeouts...), etc...

      --
      Non-Linux Penguins ?
    5. Re:Not just VPN apps... by Anonymous Coward · · Score: 0

      Yes, Android is the Windows 95 of this century. Oh, and web applications are too. It's fucking moronic to run untrusted code on your device. Period.

    6. Re:Not just VPN apps... by QuietLagoon · · Score: 1

      ...Then don't install any apps....

      I don't go that far. I am just far more careful about the apps I do install, and use the permission granularity to my benefit.

  9. READ_EXTERNAL_STORAGE by henryteighth · · Score: 2

    The VPN app I use appears as "suspicious" in this analysis because it uses READ_EXTERNAL_STORAGE. So far as I can tell, this is needed to access downloaded files. The way I configure my VPN connection is to download a config file from a website and import it into the app. The config file includes certificates to a) authenticate me to the server, b) authenticate the server to me. Typing in a long binary string for (a) is not going to work, so the app needs to be able to read downloaded files. I think this counts as "core required functionality" rather than "suspicious behaviour".

    1. Re:READ_EXTERNAL_STORAGE by Anonymous Coward · · Score: 0

      You could simply put your config file on INTERNAL storage instead, and then the app would not need READ_EXTERNAL_STORAGE permission. Surely the config file is not so big that it requires an SD card worth of storage space...

    2. Re:READ_EXTERNAL_STORAGE by Aighearach · · Score: 2

      It is needed only to upload files, or to save downloaded files in the Downloads directory instead of the app's private directory.

      Personally, that seems like a huge security risk. I want the VPN to provide the pipe, and only have the permissions for managing the pipe. Uploading and downloading files should be done by other apps, that live on the other side of that pipe.

      It is done for convenience, so you can download the config file normally, and then choose it from a file browser in the VPN app.

      I actually don't even want the app to support changing the config; I bake my config into the APK, and if I need to change it, I generate a new APK from a secure workstation. That's the sort of process you need if you really want security; though you could also just install the config file with adb push.

      Regular users who don't have a continuous integration process that generates the config files should probably not have config files, and just input the settings into the app directly, and use app data backup to prevent most cases of needing to re-enter the data.

    3. Re:READ_EXTERNAL_STORAGE by squiggleslash · · Score: 1

      EXTERNAL STORAGE in this context is the area where all the files you create yourself (such as your photos) get loaded. It has that name because in early Android phones, the SD card was the only place to do it. Users don't have access to what would be termed "internal" storage in Android, you certainly can't copy arbitrary files to it.

      --
      You are not alone. This is not normal. None of this is normal.
  10. ^THIS! by Anonymous Coward · · Score: 0

    It's a sign of incompetence. It means the developer doesn't know or understand the Android libraries or how the OS does things. It also can mean the developer is doing things behind the scenes that we may not like - logging location data, getting contact lists for scams, uploading pictures to maybe get selfie porn to put on some porn website.

    In either case, developers should be ashamed of themselves - like Torque. WTF does he need access to my contact list?! Or my photos?! What an asshole!

  11. VPN - all your data belong to me. by Anonymous Coward · · Score: 0

    Said the security services, as they created their own VPN companies and android apps. And Samsung, under the guise of 'secure wifi' which really was 'MARKET RESEARCH ALL YOUR PACKETS'!

    Seriously, are people completely fucking stupid?

    1. Re:VPN - all your data belong to me. by Aighearach · · Score: 1

      Seriously, are people completely fucking stupid?

      Yes. Seriously.

      Hontony honta, nya.

  12. brain bleach conundrum by epine · · Score: 1

    If READ_EXTERNAL_STORAGE is required to simply read a few files from a private configuration directory, the Android security model sucks beyond all possible comprehension.

    Which it might. I would know this already for a real OS, only in this case I'm too afraid to even begin to peek under the hood.

    I stopped installing apps years ago for precisely this reason: what you don't know can hurt you; I don't want to learn the Android security model without brain bleach, and I don't want to learn the Android security model with brain bleach, either.

    Disable apps, no bleach required.

    1. Re:brain bleach conundrum by Anonymous Coward · · Score: 0

      Nothing needs read_external_storage anymore in Android - the app has its own private data store automatically if it wants to store its own files.

      If you see READ_EXTERNAL_STORAGE, then either:

      a) The app is extremely ancient
      b) The app targets ancient versions of android
      c) The developer is an idiot and doesn't know what permissions are really needed
      d) The developer is doing something they should not.

      9 times out of 10, because of business and employee crap, it's option (c) because time, can't be bothered, and 'not my problem'. But obviously the answer is to simply not install any app that needs that permission.

    2. Re:brain bleach conundrum by jaklode · · Score: 2

      That is mostly correct. Unfortunately, if you want to access other files, it's not that easy - think import/export settings. The documentation says to use ACTION_CREATE_DOCUMENT, and that works fine - mostly. On Xiaomi phones, it will just pop up a dialog telling the user to enable external storage permissions. The user can toggle that on in settings - if it's listed in the manifest (that said, you do not have to request the permission in the app at runtime and just leave that crutch for poor MIUI users). So, if you want to do any import/export thing, you need the permission in your manifest, or it won't work on Xiaomi.

    3. Re:brain bleach conundrum by Anonymous Coward · · Score: 0

      If your phone doesn't support App permissions now granted individually at run-time, not all-or-nothing at install time, then your phone is hopelessly out of date, and it contains dozens of un-patched critical security flaws, so app permissions are the least of your concern.

      Step 1. Buy a newer phone.
      Step 2. Remove your sim card from the old phone and put it in the new phone.

    4. Re:brain bleach conundrum by squiggleslash · · Score: 1

      If READ_EXTERNAL_STORAGE is required to simply read a few files from a private configuration directory, the Android security model sucks beyond all possible comprehension.

      Correct, it's pretty awful, it's better than iOS or Windows or Ubuntu, but that's not exactly difficult. The "SD card" or "External storage" is used as a generic file dumping ground, in much the same way your home directory is on every desktop operating system.

      As to why it hasn't been fixed: as usual, the problem is legacy bullshit. Originally Android expected applications to store information that didn't come with the app itself on an external SD card. The external SD card in turn was formatted as FAT. In functionality terms, everything you'd expect to go in your home directory in a desktop OS is stored on the real, or virtual, "external" storage, and so it became the de facto home directory.

      Google slowly integrated the external SD card into the system and changed the file system to something with permissions, but for some reason (presumably because so many existing apps relied upon having carte-blanche access to the SD card) the operating system's permission framework never reflected this. So, just as even the latest version of Windows allows applications to look at every file in your home directory, and the latest version of Ubuntu allows applications to look at every file in your home directory, and macOS lets you... etc... the current Android security model allows applications to have complete access to the "SD card" if you let them. Which is slightly better than those desktop operating systems (at least you can disable access), but not much.

      I'm struggling to think of an OS that does this right at the moment. I don't think there's a single one. Which is depressing because the whole "Every app has access to $HOME" has been a problem long before mobile operating systems were a thing, people used to claim how much better NT was than 95 because "a trojan can't overwrite the OS". Well, sure, no, but the OS isn't what I'm worried about, that part of the system is pretty easy to restore. My home directory? Not so much.

      --
      You are not alone. This is not normal. None of this is normal.
    5. Re: brain bleach conundrum by Anonymous Coward · · Score: 0

      It requires apps to be developed in the correct way for that functionality to work.
      Developers who want to do dodgy stuff still use the all or nothing method.

  13. IL5 VPN "apps"? by Anonymous Coward · · Score: 0

    Serious question because in the decade or so of using a VPN on my phones, I've never, ever had to install anything else but OpenVPN or use the built in IPSec clients. Are people really using proxy software while calling it a VPN?

    1. Re:IL5 VPN "apps"? by Anonymous Coward · · Score: 0

      From what I understand (which may well be wrong), these "extra" apps also change some settings so that only VPN related traffic is directed over the VPN (such as company IP addresses if you're connecting in to work), rather than everything.

      Of course if you're using them to hide who you are, then that shouldn't need to happen.

  14. Wannabe security coders by gweihir · · Score: 1

    Coding is already very hard, but coding security critical components is even more so. At the same time, we have coders that are barely computer literate and could not code anything complicated if their life depended on it. The situation is worse with "apps". Hence it is no surprise at all that VPN apps are generally speaking an insecure mess.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Wannabe security coders by Aighearach · · Score: 1

      I'm not even convinced they're "security" apps, they might just be the "warez" tool of the modern age.

  15. And this is news, because? by Anonymous Coward · · Score: 0

    It's how the permission system works: Developer tinkers around, hates getting nagged at so requests the kitchen sink.

    Users get only this choice: Swallow the whole thing by saying "yes here's my firstborn", or not get to use the app. Who's going to say no?

    1. Re:And this is news, because? by Aighearach · · Score: 1

      Who's going to say no?

      1) Anyone with a brain
      2) Anyone who knows what a VPN is for
      3) Anyone who knows about F-Droid and has better options.

      I know, I know, that's only a few dozen people, but they're the people who matter.

  16. It would be nice ... by PPH · · Score: 1, Interesting

    ... if someone would build a phone OS with something like containers. So you could give an app all the permissions it wants. To do whatever it wants. Inside its own little sandbox.

    --
    Have gnu, will travel.
    1. Re:It would be nice ... by BitterOak · · Score: 2

      ... if someone would build a phone OS with something like containers. So you could give an app all the permissions it wants. To do whatever it wants. Inside its own little sandbox.

      But what is contained in your "sandbox"? Would an app that needs to access your camera and/or microphone or GPS qualify as staying inside its sandbox? If yes, then even a sandboxed app could seriously invade your privacy if it operates in ways you don't expect. If not, then how could any mapping application or telecommunications tool (think Facetime, Skype, etc.) work inside your sandbox?

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    2. Re:It would be nice ... by Anonymous Coward · · Score: 0

      "Moronic Android user briefly contemplates other, better operating systems online, then goes back to sucking Vladimir Putin's cock in his head."

    3. Re:It would be nice ... by Anonymous Coward · · Score: 0

      Then you can let the container access those things you want, instead of having the microphone always appear silent, and the camera always be dark.

    4. Re:It would be nice ... by PPH · · Score: 2

      But what is contained in your "sandbox"?

      Whatever I put there. If an app 'demands' access to my camera (or won't run) that I don't feel it needs, it gets a camera emulation with a picture of Mr Potato Head. For a microphone, a WAV file of Nickelback (looped forever).

      --
      Have gnu, will travel.
    5. Re:It would be nice ... by thegarbz · · Score: 1

      ... if someone would build a phone OS with something like containers. So you could give an app all the permissions it wants. To do whatever it wants. Inside its own little sandbox.

      Resulting in what, a phone OS that confuses users with endless options which when they exercise cause random and hard to track breakage in individual apps?

  17. Stop using Google Play store, use f-droid instead. by Anonymous Coward · · Score: 1

    I don't know why anyone would use apps from the Google Play Store... It's so full of garbage and adware. These days, I pretty much ONLY use apps from f-droid. They do a much better job of tightening up permissions and removing anti-features than anything Google is doing on the app store.

  18. Clarification by Artem S. Tashkinov · · Score: 2

    Let's be completely honest:

    Many Android #What's your favorite topic again?# Apps Request 'Dangerous' Permissions They Don't Need

    And it's not entirely Google's fault. When you download applications for Windows you must also exercise caution and, unlike Android apps, most Windows applications require full access to your PC (some Windows applications even install low level drivers), so with Android you can at least have some control.

    What really annoys me about Android is that often there's a nice nifty app which requires next to zero permissions and no access to the Internet, and then its developer decides he wants to monetize his app (which has suddenly become relatively popular), and this app suddenly starts showing full screen ads and sending your private data God knows where.

    1. Re:Clarification by Anonymous Coward · · Score: 0

      You can find out where. Try Bolkada. You'll need to enable the log.

  19. monkey see monkey do by a voice in the crowd · · Score: 1

    and google play needs access to everything it asks for?

  20. location by Anonymous Coward · · Score: 0

    let's not forget that some moron at google decided that the only way to get the state of wifi (to tell if you change network, if it's connected etc) was to also require location permissions

  21. Stock OpenVPN package. Not customized by VPN selle by Anonymous Coward · · Score: 0

    People should use the stock GPL openvpn package from openvpn.net. Import the settings for your provider.
    * Read SD card - so it can import settings
    * Full network - duh.
    * View network connections - duh.
    * Install Shortcuts - place icon on home screen
    * Run at startup - for those people who always want VPN running/Network-Kill option.

    It actually works without root.
    If you don't like using google, get it from the f-droid appstore.

    Oh ... sorry apple people. Apple hates the GPL.

  22. Re: Stop using Google Play store, use f-droid inst by Anonymous Coward · · Score: 0

    That is so true

  23. Chineese VPN by manu0601 · · Score: 1

    I wonder how it correlates with the nationality of the VPN provider.

  24. Check the permissions by Anonymous Coward · · Score: 0

    ... wanted to access call logs ...

    There are only two reasons for this: 1) re-inventing the phone/email applet interface, 2) spying.

    Ditto for contact/email list and current location.

    I got rid of all navigation applets because they accessed all this information, even those with an offline database. I also decided that Skype wasn't worth the loss of privacy it caused.

    Android includes cloud-storage interfaces so applets don't have to open a universal network socket. Yet, many applets claim cloud-storage but don't use the built-in interface. Anyone who cares about privacy will check the permissions of an applet before downloading.

  25. Re:Stock OpenVPN package. Not customized by VPN se by Anonymous Coward · · Score: 0

    I'm quite content going into the VPN menu option on my iPhone and configuring it manually without downloading a VPN app at all.

  26. Play Store = malware by astrofurter · · Score: 1

    Nearly all apps available through the Google Play Store are malware - usually spyware. Android OS is privacy-hostile by design.

  27. I can see a VPN wanting location data... by Anonymous Coward · · Score: 0

    As that would permit contacting a more local connection point.

    But other than that... nothing.

  28. Permissions by Anonymous Coward · · Score: 0

    "Flashlight" needs access to:

    -Contacts
    -GPS Location
    -Phone
    -Files
    -Photos
    -IMEI / Serial Number
    -SIM Card Contacts
    -Data

    Nope, nothing untoward here.

  29. Re: Stock OpenVPN package. Not customized by VPN s by Anonymous Coward · · Score: 0

    Oh ... sorry apple people. Apple hates the GPL.

    What uninformed BS.

    I use an iPhone because it is more secure and private.

    I use OpenVPN on iOS, connecting to my own OVPN server on Linux. Installing the app and configuration / certificate file was trivial, unlike Android apparently. And the app has no access to my other data.

  30. drop VPN and still true by sad_ · · Score: 1

    "A researcher found that many Android apps request access to sensitive permissions that they don't need."

    is anybody still not aware of this?

    --
    On a long enough timeline, the survival rate for everyone drops to zero.