Granting permissions to apps takes a certain level of trust—trust that an app is honest about the parts of your phone’s hardware and operating system it has access to, and what it does with the data therein. Trust is especially crucial with VPN apps, the point of which is to obfuscate your mobile internet activity from unwanted data snoops.
The last thing you need is an app that should be protecting your identity leaking out important information.
In the spirit of that transparency, the folks at The Best VPN performed an audit into the permissions asked by 81 Android VPN apps available in the Google Play Store. What they found is unsettling: several readily available VPN apps may be accessing more data than they should be.
How bad is it, doc?
The Best VPN’s team pulled the permissions directly from the .apk file for each app they tested. These permissions were sorted into two categories: Normal (safe, commonly requested permissions with no privacy concerns) and dangerous (unusual requests that could potentially compromise user’s data and identity).
They also made sure to note how many custom permissions an app asks for, which can be counted either normal or dangerous depending on what the app is seeking access to. The apps were then assessed based on how many dangerous permissions were requested.
The good news is that many of the apps are on the relatively safe side, with 31 not asking for any potentially compromising permissions from the user or the OS. 50 apps, however, asked for at least one dangerous permission, and eight were identified as unsafe—meaning they asked for four or more unnecessary permissions.
Yoga VPN and oVPNSpider had the highest number of unnecessary permissions, including highly sensitive information like specific location data, access to your phone’s status, and read/write permissions for both internal and external storage.
oVPNSpider even asks for access to read your log files, which The Best VPN notes was previously disabled for third-party app due to the high level of security risks associated with access to such files. Other Android VPNs deemed unsafe by The Best VPN’s testing are:
Conversely, the safest VPNs (those with zero dangerous permissions) were almost all premium apps. Of those, the VPNs with the lowest total permissions asked were Torguard, with just one safe permission total, AstrillVPN with two, and LiquidVPN with three (none of these asked for custom permissions either, for what it’s worth).
The full results for each app tested can be accessed in spreadsheet form here.
What to do about potentially dangerous app permissions
To be fair, the scope of The Best VPN’s research results doesn’t include why the apps need access to these requested features and data, nor what they’re doing with any potentially gathered info. Still, that these permissions are being requested at all is questionable at best.
No VPN app needs access to your SD card storage so it can read and write data, for instance, but many ask to do that very thing. And even if they’re ultimately innocent requests, the more places your data is being stored means more places from where it can be accidentally leaked.
If you’re ever dubious about what your Android VPN—or any other app—has access to on your phone, here’s how you can check:
Tap and hold the app’s icon, then tap the “Info” icon.
You’ll see a list of all the permissions the app has asked for, and which ones have been okayed by either you or the Android OS. You can change each permission by tapping the slider next to it.
Alternatively, you can open the Settings app then go to Apps & Notification > Advanced > App Permissions, then tap the specific permissions type to see which apps have access. You can revoke previously granted access from here by tapping the slider next to an app’s name.
Keep in mind that changing app permissions may cause the app to not work as intended, disable some features, and may even prevent the app from being usable in the first place.
You should delete apps that ask for permissions that make you uncomfortable.