VPN is one of those technologies that constantly finds itself at the receiving end of critical scrutiny, which has unfortunately given it a bad rep that continues to plague its viability.
Over the past couple of years, several studies have revealed that a majority of VPN apps (especially the free ones) had one or more deficiencies (that ranges from DNS leaks to excessive or dangerous permissions) that cripple their integrity as well as their effectiveness.
And just when we thought that the situation could not reach new lows, we encountered new findings that are just as alarming as previous studies. VPN expert, John Mason of the TheBestVPN, carried out an in-depth study on the security and privacy implications of android VPN permissions asked by a total of 81 VPN android apps. Unsurprisingly enough, the results proved beyond doubt that the level of incompetence, negligence, and decadence in this market is still on the high. Also, both studies justify Google’s latest efforts to rid Google Play of malicious or users’ data security defaulting apps.
Before we dive into the nitty-gritty of John’s study, it is crucial to first understand the concept of permissions and why you need to take them seriously.
What Are Android Permissions?
Permissions are put in place to ensure that users control the amount of information and settings an app or service provider can access. Basically, there are two types of Android permissions as described by Google in one of its publications for developers. They are normal permissions and dangerous permissions. From its name, normal permissions are the basic access the app needs to function. In most cases, our devices grant apps normal permissions autonomously without our inputs.
On the other hand, dangerous permissions allow apps to access data and settings that could jeopardize the user’s privacy. Apparently, they are often the ones that pop up on our screens after we install an app which allows us to grant or deny the app access to one or more functionalities. Needless to say, indiscriminately agreeing to dangerous permissions could also compromise your system’s operations.
From the result of the study, it was discovered that a considerable number of Android VPN apps sought for dangerous permissions that do not correlate with their normal operations, particularly the android.permission.WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE.
The former allows the app to access the files in the device’s SD card while the latter grants apps the authorization to input data into the external storage.
High Security And Privacy Risks Linked Permissions
More interestingly, 27 of the 81 VPN apps requested for the read and write to external storage permissions that could put a dent on users’ privacy. Other permissions that the author classifies as high security and privacy risks permissions that VPN apps use include:
- ACCESS_FINE_LOCATION: It explicitly allows the app to log the location of the user. Unfortunately, this defeats the very essence of a VPN as it should serve as a tool to cloak one’s location from prying eyes. Out of the 81 VPN apps under review, a total of 9 apps fell into this category.
- Write_Settings: This permit authorizes the app to make changes to the system setting, which also puts the users at risk of becoming a victim of various security and privacy threats. The author noted that 3 VPNs sought for permissions that would let them configure the operating system’s settings.
The Third Party Restricted Permissions
According to the author, there were some permissions that Google does not recommend for third-party apps as they pose a considerable level of risk to users.
However, some VPN apps violated these recommendations, which further justifies the call for a global standard in the VPN market. These permissions are as follows:
- Manage_Documents: The permission allows an app to have the same access and functionalities as the default document management app on the device. Although third-party apps are ideally not allowed to request for such permission, yet, one VPN was found to request for it.
- Read_Logs: Like the Manage_Documents permission, the Read_Logs is also not recommended for third party use, as it enables the app to access files from the system’s low-level logs that could contain the private details of the user.
Summary Of The Study
The study reviewed a total of 81 VPN apps and found 8 suspicious or dangerous android VPN permissions that do not relate to the primary functionalities of VPNs.
On the bright side, a total of 31 of the 81 VPN apps had no record of dangerous permissions, however, this does not take anything away from the disturbing revelation that each VPN app asked for an average of 11 android VPN permissions. This is unacceptable as noted by the author who argued that, ideally, VPNs require few permissions to function properly.
In light of the result of this study, it is safe to say that some VPN providers are nonchalant to the implications of their actions, especially bad press. It also brings to the fore the fact that users should look beyond the name or popularity of a VPN when considering the best VPN to adopt.