It wasn’t very long ago that I revealed that most free VPN services are provided as a front for the big corporations running them to collect user data. Spurred by the findings of that study, I decided to dig deeper to see how much of a threat Android VPN services in general are, especially when it comes to user data. The results were shocking.
62 Percent of Android VPN Apps Ask for Dangerous Permissions
When it comes to data abuse on mobile devices, it is important to realize where the real issue lies: the permissions you give to the VPN apps you install on your device.
The official Android developers’ documentation classifies app permissions into two categories:
- Normal permissions that are required for an app to function.
- Dangerous permissions that could put user privacy at risk.
The real problem, however, lies in VPNs requesting you to grant them dangerous permissions that are not required for their app to function.
Based on a study of the 81 most popular VPN apps on Android at TheBestVPN, we found that a whopping 62 percent of all VPN apps require dangerous permissions that they do not need to provide you with the service you need.
Just take a moment to let that sink in: 62 percent of Android VPN apps would ask you to give them access to dangerous permissions that they do not need to function.
Unlike with our last study, we’re not even talking free VPNs this time around. We’re talking premium VPNs that require you to pay to use their services.
Major premium VPN culprits that require the most dangerous permissions include:
- ProXPN — a premium VPN service that starts at $9.99 per month (requiring 5 dangerous permissions).
- SwitchVPN — a premium VPN service that starts at $5.95 per month (requiring 4 dangerous permissions).
- ZoogVPN — a premium VPN that starts at $6.99 per month (requiring 4 dangerous permissions).
The table below shows the top culprits (free and paid):
It gets even more interesting. The biggest premium VPN brands are not exempt:
- Speedify VPN — with over 1 million installs (requiring 3 dangerous permissions)
- Windscribe — with over 1 million installs (requiring 2 dangerous permissions)
- McAfee Safe Connect — with over 500,000 installs (requiring 2 dangerous permissions)
- Avast VPN — with over 10 million installs (requiring 1 dangerous permission)
- NordVPN — with over 5 million installs (requiring 1 dangerous permission)
- HideMyAss VPN — with over 1 million installs (requiring 1 dangerous permission)
- Norton Secure VPN — with over 1 million installs (requiring 1 dangerous permission)
- PureVPN — with over 1 million installs (requiring 1 dangerous permission)
- Private Internet Access — with over 1 million installs (requiring 1 dangerous permission)
What Types of Dangerous Permissions Are These Apps Requesting?
Dangerous permissions some of these VPN apps require include:
- android.permission.WRITE_EXTERNAL_STORAGE — which helps an app to write to the external storage.
- android.permission.READ_EXTERNAL_STORAGE — which helps an app read from the external storage.
- android.permission.READ_PHONE_STATE — which helps an app read your device and network information.
- android.permission.ACCESS_COARSE_LOCATION and android.permission.ACCESS_FINE_LOCATION, which help an app determine your location.
Our research goes into full details about the exact permissions each of the 81 apps requires, what the permissions are for and which are unnecessary. I also created a spreadsheet that organizes and categorizes each of the VPNs based on the number of permissions required. Needless to say, the above permissions are unnecessary, yet the most popular VPNs (including NordVPN, Private Internet Access, Windscribe, and Avast VPN) require one or more of them.
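To check an app yourself, the sketch below (an added example, not code from the study) scans a decoded AndroidManifest.xml for the dangerous permissions listed above. It assumes the manifest has already been converted from the APK's binary format to text XML, for instance with a decoding tool such as apktool; the sample manifest and the package name `com.example.vpn` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The dangerous permissions named in the article, with what each allows.
FLAGGED = {
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to external storage",
    "android.permission.READ_EXTERNAL_STORAGE": "read from external storage",
    "android.permission.READ_PHONE_STATE": "read device and network information",
    "android.permission.ACCESS_COARSE_LOCATION": "determine location",
    "android.permission.ACCESS_FINE_LOCATION": "determine location",
}

def audit_manifest(manifest_xml):
    """Return sorted (permission, purpose, max_sdk) tuples for flagged permissions."""
    root = ET.fromstring(manifest_xml)
    found = {}
    # <uses-permission-sdk-23> requests a permission only on API 23+ devices,
    # so it has to be checked alongside the plain <uses-permission> tag.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            if name in FLAGGED:
                # maxSdkVersion limits the request to older Android releases.
                max_sdk = el.get(ANDROID_NS + "maxSdkVersion")
                found[name] = (name, FLAGGED[name], int(max_sdk) if max_sdk else None)
    return sorted(found.values())

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
        android:maxSdkVersion="28"/>
    <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    for name, purpose, max_sdk in audit_manifest(SAMPLE_MANIFEST):
        scope = f" (requested only up to API {max_sdk})" if max_sdk else ""
        print(f"{name}: can {purpose}{scope}")
```

A permission reported with a `maxSdkVersion` is only requested on older Android releases, which is worth noting separately from one requested on every device.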
Should You Stop Using These VPNs Altogether?
Some VPNs are more reliable than others; we know that some top premium VPNs like Private Internet Access have in the past been subpoenaed by the FBI and had nothing to hand over, and they’re highly unlikely to abuse access based on their antecedents. However, the permissions they are requesting aren’t necessary for their app to function, and they should have no reason to request them.
The fact that top VPNs like ExpressVPN, ProtonVPN, CyberGhost, and TorGuard are able to function without requesting any dangerous permission also shows that these permissions are not in any way needed for a VPN app to function.
While we won’t go as far as recommending that you stop using the VPNs affected, we believe reaching out to them (directing them to this article) and asking them to make necessary changes can go a long way towards making the VPN industry saner while protecting your privacy.