Just because a Virtual Private Network (VPN) app is shielding your mobile browsing from prying eyes, doesn’t mean it needs to slurp up your data or control your operating system. So before you trust that highly-rated VPN with a million installs on the Google Play Store, know that there’s a list of shady Android VPNs that grab more permissions than they actually need, putting your privacy at risk.
The research boils down to counting each app's "normal" and "dangerous" permissions. "Normal" permissions are granted automatically by Android at install time without prompting you; they cover things like keeping the device awake while the app is in use or opening a network connection when you tell it to.
"Dangerous" permissions give an app access to your private data or to device controls, and on modern Android you have to grant them yourself at runtime. Some are reasonable for a VPN, like asking for approximate location to check whether a public Wi-Fi network is trusted. But the list often includes requests a VPN doesn't need to do its job: changing your system settings, reading your call log, or pinpointing your exact location. Not cool.
As originally highlighted by our sister site ZDNet, a number of popular Android VPN apps have been grabbing more permissions than they need. Here are the ones to watch.
Yoga VPN – 6 dangerous permissions
Yoga tops the list with six requests for dangerous permissions, including reading your phone state. It wants to know your phone number, what cell network you’re on, and whether you’re on a call. Why do they need this data?
You should already be avoiding free VPNs no matter where you find them. That holds true for Yoga, which found itself in Top 10 VPN's analysis of free apps with too few privacy protections. But for Yoga to really find itself, it would have to know where its headquarters are. We'd help, but we haven't been able to find out either, since the company has not yet responded to our request for comment.
proXPN VPN – 5 dangerous permissions
Yes, this VPN offers unlimited data transfer and connection time. And yes, it claims a zero-log policy, though in practice that means logs are kept for two weeks before they are supposedly deleted.
But proXPN is based out of the US. That alone is a dealbreaker. Any VPN based out of the US, UK, Canada, Australia and New Zealand — the so-called "Five Eyes" intelligence community — should generally be avoided if you're looking to max out your privacy. Five Eyes governments have openly called for backdoor access to encrypted private communication technology, which most people consider the end of online privacy.
We reached out to proXPN to ask a few questions about the number of permissions its app requests. But the first question was whether the company was still operating.
The app hasn't been updated on Google Play since 2017, the company's two Twitter handles have been dead since 2018, several of its site's TLS certificates have been expired since March, a growing number of user reviews complain about being unable to connect, and of the two public phone numbers listed, one is no longer in operation and the other is no longer accepting messages.
Ian Kline, who heads up proXPN customer service and technical support, did respond and said the company is still assisting customers via Facebook and email.
“Regarding the proXPN app, there were no updates on the app which is the client-side since we are already working on our servers. We have plans to update the official app soon,” he said in an email.
I asked Kline about proXPN’s risky permissions, and he said:
"Those permissions are needed for the UI to update the location only on the map shown as well as when locking the phone and when updating server locations," Kline said in the email. "If you don't prefer to use the official app you can use the official OpenVPN client which is available in the app store or the official IPsec client from Strongswan if you prefer using IPsec/IKEv2 VPN."
Regardless, there's no reason to let proXPN (or any other VPN) read your call log, track your every step and write to your SD card when its limited number of servers can't even get you to stream Netflix.
If Hola's notorious history as a bandwidth-borrowing mercenary botnet wasn't enough to make you approach this VPN with caution, then just decide whether you're cool with giving it your phone state data (the same thing proXPN and Yoga ask for) and having your traffic pass through it totally unencrypted.
Back when the botnet scandal broke, Hola CEO Ofer Vilenski admitted they’d been had by a “spammer,” but contended this harvesting of bandwidth was typical for this kind of service.
“We assumed that by stating that Hola is a [peer-to-peer] network, it was clear that people were sharing their bandwidth with the community network in return for their free service,” he wrote on the company’s blog at the time.
But researchers from Trend Micro offered a warning to would-be Hola users late last year, stating “Hola VPN is not a secure VPN solution — rather, it is an unencrypted web proxy service.”
oVPNSpider – 4 dangerous permissions
Does oVPNSpider need access to your call logs for it to function as a VPN? Does it need to have your precise location, to put stuff on your SD card, to be able to change your system settings? Absolutely not.
As for oVPNSpider's 4.5-star rating from the App Store and 4-star rating from Google Play? I'm not convinced. Top 10 VPN's risk index summary detected DNS leaks, a critical flaw common in cheap VPNs in which the app sends your DNS lookups outside the tunnel, so your internet service provider can still see which sites you visit. It also said oVPNSpider tested positive for malware and adware.
We did not get an immediate response from oVPNSpider when we reached out for comment.
The final trio – 4 dangerous permissions
We do have to give a shout-out to Seed4.Me VPN. At least it responded to privacy researchers, explained that it uses the features for customer support, and instructed users on disabling the permissions (noting they are disabled by default).
But SwitchVPN and ZoogVPN? ZoogVPN has seen a good amount of praise online, but before I can sign off on it, it needs to do a few things: make a kill switch available for Android users, tell us how long it keeps usage logs, and not be located in a country whose data retention laws require providers to preserve NSA-like troves of metadata for mass surveillance. Until then, we can still do better.
The location permission requests, SwitchVPN told us, were to nail down the closest server to the user. But while a closer server is desirable for connection speed, that can usually be accomplished using an approximate location rather than pinpointing the user's exact address. SwitchVPN did say users can deny the permission, and that the app "does not send any personal or location data to SwitchVPN."
"The app requires access to storage so that it can download the OpenVPN configuration file and connect to it. As we use OpenVPN, it requires a configuration file to be loaded in order to connect," SwitchVPN said in an email. "So I think it's not fair to mention as if we collect this data and store with us. As we do not."
SwitchVPN has a kill switch but it's still US-based, so I'll pass.
ZoogVPN got back to us also.
“Our app does not require any permissions that are outside the scope of VPN service provision,” they wrote. “There is nothing over and above of what a VPN app requires to function on an Android device.”
Users can look at an app's permission requests by visiting its official Google Play Store page and clicking "View details" at the bottom of the page under "Permissions".
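The same count can be produced from the app package itself, which is how a practitioner would check the "normal" versus "dangerous" split described at the top of this article rather than trusting the store listing. The script below is an added example written for this page, not code from the article, from Top10VPN or from any of the vendors named here. The list of dangerous permissions is a subset of Android's runtime permissions, the "special" set covers the modify-system-settings and draw-over-apps capabilities that the platform grants through a separate settings screen rather than the dangerous-permission prompt, the VPN baseline is an assumption about what a bare VPN client needs, and the manifest is a constructed sample for a hypothetical app.

```python
import xml.etree.ElementTree as ET

# Android runtime ("dangerous") permissions, keyed to the group the platform
# prompts for. Subset covering the permissions discussed on this page; extend
# it from the android.Manifest.permission reference as needed.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.READ_CALL_LOG": "CALL_LOG",
    "android.permission.WRITE_CALL_LOG": "CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
    "android.permission.READ_SMS": "SMS",
}

# "Special" permissions: not in the dangerous group, but they hand the app
# system-level control and are granted through a separate settings screen.
SPECIAL = {
    "android.permission.WRITE_SETTINGS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

# What a plain VPN client plausibly needs. Assumption made for this example,
# not a list taken from the article or from any vendor.
VPN_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.WAKE_LOCK",
}

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def requested_permissions(manifest_xml):
    """Return every <uses-permission android:name=...> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]


def audit(manifest_xml):
    """Split the requested permissions into dangerous, special and
    beyond-baseline buckets, the way the counts on this page are built."""
    perms = requested_permissions(manifest_xml)
    dangerous = sorted(p for p in perms if p in DANGEROUS)
    return {
        "dangerous": dangerous,
        "dangerous_count": len(dangerous),
        "groups": sorted({DANGEROUS[p] for p in dangerous}),
        "special": sorted(p for p in perms if p in SPECIAL),
        "beyond_baseline": sorted(p for p in perms if p not in VPN_BASELINE),
    }


# Constructed sample manifest for a hypothetical VPN app (not any real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.vpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
</manifest>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print(f"{report['dangerous_count']} dangerous permissions "
          f"across groups {report['groups']}")
    for p in report["dangerous"]:
        print("  dangerous:          ", p)
    for p in report["special"]:
        print("  special:            ", p)
    for p in report["beyond_baseline"]:
        print("  beyond VPN baseline:", p)
```

The manifest inside a real APK is binary XML, so decode it first (for example `aapt dump permissions app.apk` or an apktool decode) and feed the resulting text to `audit`. Note that the count you get depends on which permissions you treat as dangerous: the store listing and Top10VPN's table both fold "modify system settings" into the dangerous tally, while the platform itself files it under special permissions, which is why the script reports that bucket separately.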
For a fresh look at Top10VPN’s investigation and research into apps with risky permissions, readers can visit the site’s August update.
Who to trust?
Glad you asked. Our favorite mobile VPN services are in a tight race against each other, but so far NordVPN has the lead in 2019. Its strict no-logging policy, kill switch, and selection of 3,500 servers in more than 61 countries make it hard to beat.
TorGuard is really giving NordVPN a run for its money, though. It accepts payment via bitcoin and offers an anonymous email service. It's also closing the gap against NordVPN in terms of server count, having recently doubled its offerings to more than 3,000.
Originally published Sept. 09, 07:00 a.m. EST.
Update, 9:01 p.m.: Adds comment from SwitchVPN and ZoogVPN