Slashdot Mirror

← Back to Stories (view on slashdot.org)

Many Android VPN Apps Request 'Dangerous' Permissions They Don't Need (zdnet.com)

Posted by EditorDavid on from the who-watches-the-watchers? dept.

A VPN researcher found that many Android VPN apps request access to sensitive permissions that they don't need, according to an article shared by WaitingForSupport. ZDNet reports: The study, carried out by John Mason from TheBestVPN.com, analyzed 81 Android apps available for download through the Google Play Store. Mason said he downloaded and extracted the permissions requested by each VPN app from their respective APK installer files.... According to Mason, 50 of the 81 Android VPN apps he tested requested access to at least one dangerous permission that accessed user data...

Mason said he discovered VPN apps that requested access to read/write permissions for external device storage, wanted access to precise location data, wanted the ability to read or write system settings, and, in some cases, wanted to access call logs or manage local files. "In theory, VPN apps should only need a few permissions to function. INTERNET and ACCESS_NETWORK_STATE should usually be enough," Mason told us. "The use of a large number of dangerous permissions could be cause for suspicion."

11 of 63 comments (clear)

  1. Tempting packets by rmdingler · · Score: 2

    VPN's are the tech equivalent of burglar bars and a safe.

    You may not have anything of value in there, but it looks like you do.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  2. Not just VPN apps... by QuietLagoon · · Score: 4, Insightful

    ... nearly every app I look at to install asks for permissions that I know are not necessary for the app to perform its function.

    1. Re:Not just VPN apps... by dargaud · · Score: 2

      What we need are fine-tuned options for access: allow, disallow and fake-it. Most apps check the permissions and ask again (or refuse to run) if you go and disallow some of them. We need a "fake-it" option that the app thinks is 'allow' and that provides fake GPS data, fake (blank or white noise) microphone data, fake network access (extremely long timeouts...), etc...

      --
      Non-Linux Penguins ?
  3. READ_EXTERNAL_STORAGE by henryteighth · · Score: 2

    The VPN app I use appears as "suspicious" in this analysis because it uses READ_EXTERNAL_STORAGE. So far as I can tell, this is needed to access downloaded files. The way I configure my VPN connection is to download a config file from a website and import it into the app. The config file includes certificates to a) authenticate me to the server, b) authenticate the server to me. Typing in a long binary string for (a) is not going to work, so the app needs to be able to read downloaded files. I think this counts as "core required functionality" rather than "suspicious behaviour"

    1. Re:READ_EXTERNAL_STORAGE by Aighearach · · Score: 2

      It is needed only to upload files, or to save downloaded files in the Downloads directory instead of the app's private directory.

      Personally, that seems like a huge security risk. I want the VPN to provide the pipe, and only have the permissions for managing the pipe. Uploading and downloading files should be done by other apps, that live on the other side of that pipe.

      It is done for convenience, so you can download the config file normally, and then choose it from a file browser in the VPN app.

      I actually don't even want the app to support changing the config; I bake my config into the APK, and if I need to change it, I generate a new APK from a secure workstation. That's the sort of process you need if you really want security; though you could also just install the config file with adb push.

      Regular users who don't have a continuous integration process that generates the config files should probably not have config files, and just input the settings into the app directly, and use app data backup to prevent most cases of needing to re-enter the data.

  4. Re:brain bleach connundrum by jaklode · · Score: 2

    That is mostly correct. Unfortunately, if you want to access other files, it's not that easy - think import/export settings. The documentation says to use ACTION_CREATE_DOCUMENT, and that works fine - mostly. On Xiaomi phones, it will just pop up a dialog telling the user to enable external storage permissions. The user can toggle that on in settings - if it's listed in the manifest (that said, you do not have to request the permission in the app at runtime and just leave that crutch for poor MIUI users). So, if you want to do any import/export thing, you need the permission in your manifest, or it won't work on Xiaomi.

  5. Re: You can't save people from themselves by MightyMartian · · Score: 2

    That may be a bit of an exaggeration, but frankly, if it's free and I'm routing my traffic through it because I want an encrypted tunnel, I'm not too sure I'd trust any free service, or even many for-pay services. I've been rolling my own VPNs for about a decade now, mainly using OpenVPN. Yes, it's had the odd hole, and you still have to trust the encryption libraries it uses, but at least I'm creating the keys for the damned thing. I'm not sure I'd put anything on my phone that I need encryption for, mind you.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  6. Clarification by Artem+S.+Tashkinov · · Score: 2

    Let's be completely honest:

    Many Android #What's your favorite topic again?# Apps Request 'Dangerous' Permissions They Don't Need

    And it's not entirely Google's fault. When you download applications for Windows you must also exercise caution and, unlike Android apps, most Windows applications require full access to your PC (some Windows applications even install low level drivers), so with Android you can at least have some control.

    What really annnoys me about Android is that often there's a nice nifty app which requires next to zero permissions and no access to the Internet, and then its developer decides he wants to monetize his app (which has suddenly become relatively popular), and this app suddenly starts showing full screen ads and send your private data God knows where.

  7. Re:It would be nice ... by BitterOak · · Score: 2

    ... if someone would build a phone OS with something like containers. So you could give an app all the permissions it wants. To do whatever it wants. Inside its own little sandbox.

    But what is contained in your "sandbox"? Would an app that needs to access your camera and/or microphone or GPS qualify as staying inside its sandbox? If yes, then even a sandboxed app could seriously invade your privacy if it operates in ways you don't expect. If not, then how could any mapping application or telecommunications tool (think Facetime, Skype, etc.) work inside your sandbox?

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  8. Re:It would be nice ... by PPH · · Score: 2

    But what is contained in your "sandbox"?

    Whatever I put there. If an app 'demands' access to my camera (or won't run) that I don't feel it needs, it gets a camera emulation with a picture of Mr Potato Head. For a microphone, a WAV file of Nickelback (looped forever).

    --
    Have gnu, will travel.
  9. Re:You can't save people from themselves by currently_awake · · Score: 2

    Android needs 3 permission settings: 1-yes, 2-no, 3-no but lie and give the app fake data.