An In-Depth Analysis on Safe and Dangerous Android App Permissions

Last updated: August 22, 2019
Muhammad Hamza Shahid

Muhammad Hamza Shahid

Muhammad Hamza Shahid is an online privacy/security advocate at BestVPN.co, who loves sharing his expert knowledge regarding the latest trends in user privacy, cyber laws, and digital affairs. Apart from writing blogs/articles relating to anonymity, he also writes detailed VPN reviews.

 

When it comes to selecting a VPN, users need to be aware of certain technicalities. You need to test each tool for leak issues, analyze their logging policies, identify their physical and virtual locations, and learn if they support advanced features like obfuscation a.k.a. StealthVPN, onion over VPN, and DoubleVPN.

More importantly, users need to learn about the complexities concerning these tools and the app “Permissions” they require, particularly if you are looking for the Best VPN for Android . Typically, the purpose of permissions is to help Android users protect their privacy by either granting or disallowing access.

According to Android Developers, permissions fall into two groups:

Normal

These permissions do not have any risks attached to them. Subsequently, they are usually granted automatically by the system to the app.

You can disable them, but this may cause errors when using a particular Android software. Users will constantly have to deny access to the permission.

Dangerous

As the name implies, these permissions could potentially affect a device’s normal operation or the privacy of users. Suspicious apps may automatically grant access.

However, in most circumstances, the user must explicitly agree to grant those permissions. Albeit, you need to be careful when dealing with VPNs and the permissions they require.

 

Commonly Asked Permissions by VPN Apps

Different apps may require varied permissions for miscellaneous purposes. Depending on what a particular app does and how it functions, you may need to grant access to different permissions.

If I talk about VPNs specifically though, you may come across some COMMON “permissions”. I have represented them in this table below for reference.

Red = Dangerous – permissions that compromise system operation or user privacy.

Green = Normal – permissions granted by the Android system automatically.

Your Android system will grant access to VPN apps on permissions, such as android.permission.ACCESS_NETWORK_STATE and Android.permissions.INTERNET.

These are completely normal and necessary, as they give VPNs the ability to establish an connection to the internet, making identity cloaking possible.

However, others in the list like android.permission.ACCESS_FINE_LOCATION and android.permission.ACCESS_COARSE_LOCATION can be considered dangerous.

They could be used to identity your REAL location, while others argue these permissions help notify users when connected to a new “Wi-Fi” not listed in “Trusted Networks”.

This permission then advises the user to activate the VPN to keep their identity hidden, protecting them from untrusted networks!

 

An In-Depth Analysis of “Dangerous” Permissions

You probably have a decent idea about normal and dangerous permissions by now. However, there are plenty required by VPN apps that can be quite deceiving too.

I decided to go a little deeper into the subject. For instance, some permissions can be harmless, asking the ability to cause the phone to vibrate or push app notifications.

Others may have benign purposes like requesting access to a coarse location, while some have no legitimate purpose in a VPN app, like WRITE_SETTINGS.

This allows VPN application to write the system settings or READ_LOGS, ranting apps to analyze and go through low-level system log files, which they use for whatever devious purposes.

To give you a better idea, I decided to list down the apps with the most dangerous/suspicious permissions. Refer to the table for more information:

Explanations of Suspicious Permissions

I understand that comprehending what each permission asks for can be incredibly tough. This is why I have explained each permission below, so that you have a better idea on which ones affect your privacy!

1. DUMP

Not for use by third-party applications. Allows an app to retrieve state dump data from system services.

  1. Used by PureVPN
  2. Permission: permission.DUMP

2. MANAGE_DOCUMENTS

Cannot be granted to third-party apps. Allows VPN apps to manage/access documents, which should only be requested by the platform document management app.

  1. Used by TigerVPN
  2. Permission: permission.MANAGE_DOCUMENTS

3. READ_LOGS

Not for use by third-party applications. Allows VPN apps to read low-level system log files. Directly affects your privacy.

  1. Used by two apps: oVPNSpider and TigerVPN
  2. Permission: permission.READ_LOGS

4. WRITE_SETTINGS

Enables VPN applications to read and write the system settings. It poses a high risk to your digital privacy/security.

  1. Used by 2 apps: Yoga VPN, Speedify
  2. Permission: permission.WRITE_SETTINGS

5. ACCESS_FINE_LOCATION

Enables a VPN application to access the precise location of a user. It poses a high risk to your digital privacy/security.

  1. Used by 9 apps: ZoogVPN, HolaVPN, DashVPN, SwitchVPN, oVPNSpider, Seed4Me, ProXPN, VPN Unlimited, Yoga VPN.
  2. Permission: permission.ACCESS_FINE_LOCATION

6. ACCESS_COARSE_LOCATION

Allows VPN applications to use mobile data or Wi-Fi (or both) for determining the device’s location. Potential risk to privacy.

7. READ_PHONE_STATE

Enables VPN apps to access phone number, cellular network information, and status of any ongoing calls. Not required by a VPN to work.

  1. Used by 18 apps: HolaVPN, ibVPN, Hotspot Shield, DashVPN, Speedify, Kaspersky VPN, SurfEasy, McAfee VPN, TouchVPN, GooseVPN, ProXPN, AVG VPN, HideMyAss, YogaVPN, VPN One Click, Norton Secure, Free VPN org, Avira VPN.
  2. Permission: permission.READ_PHONE_STATE

8. WRITE_EXTERNAL_STORAGE

     READ_EXTERNAL_STORAGE

Allows VPNs to read/write external storage. Not required for regular VPN function and could compromise the user’s privacy.

  1. Used by 27 apps: ZoogVPN, VPN Secure, Surfshark, HolaVPN, NordVPN, Hotspot Shield, DashVPN, TigerVPN, Psiphon, SurfEasy, McAfee VPN, Turst.Zone, SwitchVPN, TouchVPN, SpyOFF, GooseVPN, oVPNSpider, Seed4Me, ProXPN, AppVPN, Yoga VPN, VPN One Click, StarVPN, X-VPN, OneVPN, Free VPN org, Betternet.
  2. Permission: permission.WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE

Wrapping Things Up

As you can see, selecting a VPN involves more than just looking for recommendations. You need to know exactly how different providers operate, and that is exactly what I try doing here at BestVPN.co.

I have already created guides on jurisdictions, leak issues, logging policies, obfuscation, fake (virtual) locations, and transparency reports. It is your job to understand all these aspects in conjunction with app permissions.

This way, you will not need people like me to tell you what is a suitable option for you. Users can do their due diligence themselves, which can, in turn, help them learn more about online privacy and why it’s necessary.

I hope all this information comes in handy to my viewers. Nevertheless, if you have any questions/queries, do not hesitate to drop a comment below. Also, feel free to share the guide with other privacy-conscious individuals.

 

Leave a Reply

Your email address will not be published. Required fields are marked *