Slashdot Mirror

← Back to Stories (view on slashdot.org)

Many Android VPN Apps Request 'Dangerous' Permissions They Don't Need (zdnet.com)

Posted by EditorDavid on from the who-watches-the-watchers? dept.

A VPN researcher found that many Android VPN apps request access to sensitive permissions that they don't need, according to an article shared by WaitingForSupport. ZDNet reports: The study, carried out by John Mason from TheBestVPN.com, analyzed 81 Android apps available for download through the Google Play Store. Mason said he downloaded and extracted the permissions requested by each VPN app from their respective APK installer files.... According to Mason, 50 of the 81 Android VPN apps he tested requested access to at least one dangerous permission that accessed user data...

Mason said he discovered VPN apps that requested access to read/write permissions for external device storage, wanted access to precise location data, wanted the ability to read or write system settings, and, in some cases, wanted to access call logs or manage local files. "In theory, VPN apps should only need a few permissions to function. INTERNET and ACCESS_NETWORK_STATE should usually be enough," Mason told us. "The use of a large number of dangerous permissions could be cause for suspicion."

32 of 63 comments (clear)

  1. Tempting packets by rmdingler · · Score: 2

    VPN's are the tech equivalent of burglar bars and a safe.

    You may not have anything of value in there, but it looks like you do.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:Tempting packets by Aighearach · · Score: 1

      You should really get out more.

    2. Re:Tempting packets by thegarbz · · Score: 1

      VPN's are the tech equivalent of burglar bars and a safe.

      You may not have anything of value in there, but it looks like you do.

      Actually it's the tech equivalent of a bank safety deposit box room. You may not have anything of value in there, but if someone goes looking they're overwhelmed with lots of boxes and wouldn't even know where the hell to begin.

      So come at me bro, my IP address is: 185.220.70.138

  2. Some just dumb by aweol · · Score: 1

    The rest exfiltration

  3. Re:You can't save people from themselves by KiloByte · · Score: 1

    For this reason, there's no real option other than demanding the source (and rights to modify and distribute) of every piece of code you run on your machine. In particular, this means no Android (and free forks lack drivers for any modern hardware).

    Only then you can have a possibility of killing phone-home.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  4. Not just VPN apps... by QuietLagoon · · Score: 4, Insightful

    ... nearly every app I look at to install asks for permissions that I know are not necessary for the app to perform its function.

    1. Re:Not just VPN apps... by gweihir · · Score: 1

      Indeed. I recently needed an app to check on GPS status for another app that needs it to be good but provides no indication whether it is (talk about stupid coding...). It took me about 10 tries until I found one that actually only wanted location access but nothing else. The only explanation I have for this mess is clueless users that give apps all the permissions requested.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Not just VPN apps... by Aighearach · · Score: 1

      Then don't install any apps.

      Eventually you'll want features, and you'll be forced to ask: Why? Why do "all" the apps I look to install ask for excess permissions? Is it an inherent feature of apps, or is it merely a typical feature of apps that you get from a certain source?

      And the answer is oh so simple; you're getting apps from Brandybrand(TM) App Store, instead of from F-Droid.

    3. Re:Not just VPN apps... by dargaud · · Score: 2

      What we need are fine-tuned options for access: allow, disallow and fake-it. Most apps check the permissions and ask again (or refuse to run) if you go and disallow some of them. We need a "fake-it" option that the app thinks is 'allow' and that provides fake GPS data, fake (blank or white noise) microphone data, fake network access (extremely long timeouts...), etc...

      --
      Non-Linux Penguins ?
    4. Re:Not just VPN apps... by QuietLagoon · · Score: 1

      ...Then don't install any apps....

      I don't go that far. I am just far more careful about the apps I do install, and use the permission granularity to my bnefit.

  5. READ_EXTERNAL_STORAGE by henryteighth · · Score: 2

    The VPN app I use appears as "suspicious" in this analysis because it uses READ_EXTERNAL_STORAGE. So far as I can tell, this is needed to access downloaded files. The way I configure my VPN connection is to download a config file from a website and import it into the app. The config file includes certificates to a) authenticate me to the server, b) authenticate the server to me. Typing in a long binary string for (a) is not going to work, so the app needs to be able to read downloaded files. I think this counts as "core required functionality" rather than "suspicious behaviour"

    1. Re:READ_EXTERNAL_STORAGE by Aighearach · · Score: 2

      It is needed only to upload files, or to save downloaded files in the Downloads directory instead of the app's private directory.

      Personally, that seems like a huge security risk. I want the VPN to provide the pipe, and only have the permissions for managing the pipe. Uploading and downloading files should be done by other apps, that live on the other side of that pipe.

      It is done for convenience, so you can download the config file normally, and then choose it from a file browser in the VPN app.

      I actually don't even want the app to support changing the config; I bake my config into the APK, and if I need to change it, I generate a new APK from a secure workstation. That's the sort of process you need if you really want security; though you could also just install the config file with adb push.

      Regular users who don't have a continuous integration process that generates the config files should probably not have config files, and just input the settings into the app directly, and use app data backup to prevent most cases of needing to re-enter the data.

    2. Re:READ_EXTERNAL_STORAGE by squiggleslash · · Score: 1

      EXTERNAL STORAGE in this context is the area where all the files you create yourself (such as your photos) gets loaded. It has that name because in early Android phones, the SD card was the only place to do it. Users don't have access to what would be termed "internal" storage in Android, you certainly can't copy arbitrary files to it.

      --
      You are not alone. This is not normal. None of this is normal.
  6. brain bleach connundrum by epine · · Score: 1

    If READ_EXTERNAL_STORAGE is required to simply read a few files from a private configuration directory, the Android security model sucks beyond all possible comprehension.

    Which it might. I would know this already for a real OS, only in this case I'm too afraid to even begin to peek under the hood.

    I stopped installing apps years ago for precisely this reason: what you don't know can hurt you; I don't want to learn the Android security model without brain bleach, and I don't want to learn the Android security model with brain bleach, either.

    Disable apps, no bleach required.

    1. Re:brain bleach connundrum by jaklode · · Score: 2

      That is mostly correct. Unfortunately, if you want to access other files, it's not that easy - think import/export settings. The documentation says to use ACTION_CREATE_DOCUMENT, and that works fine - mostly. On Xiaomi phones, it will just pop up a dialog telling the user to enable external storage permissions. The user can toggle that on in settings - if it's listed in the manifest (that said, you do not have to request the permission in the app at runtime and just leave that crutch for poor MIUI users). So, if you want to do any import/export thing, you need the permission in your manifest, or it won't work on Xiaomi.

    2. Re:brain bleach connundrum by squiggleslash · · Score: 1

      If READ_EXTERNAL_STORAGE is required to simply read a few files from a private configuration directory, the Android security model sucks beyond all possible comprehension.

      Correct, it's pretty awful, it's better than iOS or Windows or Ubuntu, but that's not exactly difficult. The "SD card" or "External storage" is used as a generic file dumping ground, in much the same way your home directory is on every desktop operating system.

      As to why it hasn't been fixed: as usual, the problem is legacy bullshit. Originally Android expected applications to store information that didn't come with the app itself on an external SD card. The external SD card in turn was formatted as FAT. In functionality terms, everything you'd expect to go in your home directory in a desktop OS is stored on the real, or virtual, "external" storage, and so it became the defacto home directory.

      Google slowly integrated the external SD card into the system and changed the file system to something with permissions, but for some reason (presumably because so many existing apps relied upon having carte-blanche access to the SD card) the operating system's permission framework never reflected this. So, just as even the latest version of Windows allows applications to look at every file in your home directory, and the latest version of Ubuntu allows applications to look at every file in your home directory, and macOS lets you... etc... the current Android security model allows applications to have complete access to the "SD card" if you let them. Which is slightly better than those desktop operating systems (at least you can disable access), but not much.

      I'm struggling to think of an OS that does this right at the moment. I don't think there's a single one. Which is depressing because the whole "Every app has access to $HOME" has been a problem long before mobile operating systems were a thing, people used to claim how much better NT was than 95 because "a trojan can't overwrite the OS". Well, sure, no, but the OS isn't what I'm worried about, that part of the system is pretty easy to restore. My home directory? Not so much.

      --
      You are not alone. This is not normal. None of this is normal.
  7. Wannabe security coders by gweihir · · Score: 1

    Coding is already very hard, but coding security critical components is even more so. At the same time, we have coders that are barely computer literate and could not code anything complicated of their life depended on it. The situation is worse wit "apps". Hence it is no surprise at all that VPN apps are generally speaking an insecure mess.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Wannabe security coders by Aighearach · · Score: 1

      I'm not even convinced they're "security" apps, they might just be the "warez" tool of the modern age.

  8. It would be nice ... by PPH · · Score: 1, Interesting

    ... if someone would build a phone OS with something like containers. So you could give an app all the permissions it wants. To do whatever it wants. Inside its own little sandbox.

    --
    Have gnu, will travel.
    1. Re:It would be nice ... by BitterOak · · Score: 2

      ... if someone would build a phone OS with something like containers. So you could give an app all the permissions it wants. To do whatever it wants. Inside its own little sandbox.

      But what is contained in your "sandbox"? Would an app that needs to access your camera and/or microphone or GPS qualify as staying inside its sandbox? If yes, then even a sandboxed app could seriously invade your privacy if it operates in ways you don't expect. If not, then how could any mapping application or telecommunications tool (think Facetime, Skype, etc.) work inside your sandbox?

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    2. Re:It would be nice ... by PPH · · Score: 2

      But what is contained in your "sandbox"?

      Whatever I put there. If an app 'demands' access to my camera (or won't run) that I don't feel it needs, it gets a camera emulation with a picture of Mr Potato Head. For a microphone, a WAV file of Nickelback (looped forever).

      --
      Have gnu, will travel.
    3. Re:It would be nice ... by thegarbz · · Score: 1

      ... if someone would build a phone OS with something like containers. So you could give an app all the permissions it wants. To do whatever it wants. Inside its own little sandbox.

      Resulting in what, a phone OS that confuses users with endless options which when they exercise cause random and hard to track breakage in individual app?

  9. Re: You can't save people from themselves by MightyMartian · · Score: 2

    That may be a bit of an exaggeration, but frankly, if it's free and I'm routing my traffic through it because I want an encrypted tunnel, I'm not too sure I'd trust any free service, or even many for-pay services. I've been rolling my own VPNs for about a decade now, mainly using OpenVPN. Yes, it's had the odd hole, and you still have to trust the encryption libraries it uses, but at least I'm creating the keys for the damned thing. I'm not sure I'd put anything on my phone that I need encryption for, mind you.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  10. Stop using Google Play store, use f-droid instead. by Anonymous Coward · · Score: 1

    I don't know why anyone would use apps from the Google Play Store... It's so full of garbage and adware. These days, I pretty much ONLY use apps from f-droid. They do a much better job of tightening up permissions and removing anti-features than anything Google is doing on the app store.

  11. Re:VPN - all your data belong to me. by Aighearach · · Score: 1

    Seriously, are people completely fucking stupid?

    Yes. Seriously.

    Hontony honta, nya.

  12. Clarification by Artem+S.+Tashkinov · · Score: 2

    Let's be completely honest:

    Many Android #What's your favorite topic again?# Apps Request 'Dangerous' Permissions They Don't Need

    And it's not entirely Google's fault. When you download applications for Windows you must also exercise caution and, unlike Android apps, most Windows applications require full access to your PC (some Windows applications even install low level drivers), so with Android you can at least have some control.

    What really annnoys me about Android is that often there's a nice nifty app which requires next to zero permissions and no access to the Internet, and then its developer decides he wants to monetize his app (which has suddenly become relatively popular), and this app suddenly starts showing full screen ads and send your private data God knows where.

  13. Re:And this is news, because? by Aighearach · · Score: 1

    Who's going to say no?

    1) Anyone with a brain
    2) Anyone who knows what a VPN is for
    3) Anyone who knows about F-Droid and has better options.

    I know, I know, that's only a few dozen people, but they're the people who matter.

  14. monkey see monkey do by a+voice+in+the+crowd · · Score: 1

    and google play needs access to everything it asks for?

  15. Chineese VPN by manu0601 · · Score: 1

    I wonder how does it correlates with nationality of the VPN provider.

  16. Re:You can't save people from themselves by currently_awake · · Score: 2

    Android needs 3 permission settings: 1-yes, 2-no, 3-no but lie and give the app fake data.

  17. Play Store = malware by astrofurter · · Score: 1

    Nearly all apps available through the Google Play Store are malware - usually spyware. Android OS is privacy-hostile by design.

  18. drop VPN and still true by sad_ · · Score: 1

    "A researcher found that many Android apps request access to sensitive permissions that they don't need."

    is anybody still not aware of this?

    --
    On a long enough timeline, the survival rate for everyone drops to zero.