These 7 Android VPN apps put your privacy at risk. Avoid them at all costs


Linus Strandholm/EyeEm/Getty Images

Just because a virtual private network app protects your mobile browsing from prying eyes, that doesn’t mean it has to swallow your data or control your operating system. So before you trust this highly rated VPN with a million installs on the Google Play Store, be aware that there is a list of shady Android VPNs that get more permissions than they actually need, putting your privacy at risk.

All searches boils down to the number of “normal” permissions and “dangerous” permissions of each application. “Normal” permissions are usually granted by Android – they allow apps to stay awake while in use or to log on when you tell them to.

“Dangerous” permissions can compromise privacy. Some are harmless or required by Android. Like when an app asks for general location data to check if a public Wi-Fi network is reliable. But sometimes “dangerous” permissions include unnecessary requests, such as when an app wants to be able to change your system settings, read your phone call list, or pinpoint your exact location. Uncool.

Read: Best Mobile VPNs: Comparison of Android and iPhone VPNs

As originally pointed out by our sister site ZDNet, a number of popular Android VPN apps got more permissions than they need. Here are the ones to watch out for.

VPN Yoga: 6 dangerous permissions

Yoga tops the list with six dangerous permission requests, including reading your phone’s status. It wants to know your phone number, what cellular network you’re on, and if you’re on a call. Why do they need this data?

It’s hard to say, given the 373 words of Yoga privacy policy somehow includes the statements “we do not collect your personal information” and “we may collect your information when you communicate with us”.

You should already avoid free VPNs, no matter where you find them. This is true for Yoga, which found itself in The Top10VPN review free apps with too few privacy protections. But for Yoga to be truly found, it would have to know where its seat is. We would help, but we couldn’t find out either since he hasn’t yet responded to our request for comment.

Read more: NordVPN vs ExpressVPN: Speed, Security and Price Compared

proXPN VPN: 5 dangerous permissions

Yes, this VPN offers unlimited data transfer and connection time. And yes, it has a zero logs policy (at least after two weeks when logs are supposed to be burned).

But proXPN is based in the United States. This alone is a deciding factor. Any VPN based in the US, UK, Canada, Australia and New Zealand – the so called “Five Eyes“intelligence community – should generally be avoided if you are looking to maximize your privacy. Five Eyes openly calls for what most people see as the end of online privacy via the installation of backdoor access government in private communication technology.

We reached out to proXPN to ask them a few questions about the number of permissions their app requests. But the first question was whether the business was still running.

The app hasn’t been updated on Google Play since 2017, the company’s two Twitter handles have died since 2018, many of its site’s security certificates have expired since March, a growing number of reviews users are complaining that they cannot log in, and of the two public phone numbers listed, one is no longer in service and the other is no longer accepting messages.

Ian Kline, who heads up customer service and technical support for proXPN, responded and said the company is still supporting customers via Facebook and email.

“As for the proXPN app, there have been no updates on the client-side app since we are already working on our servers. We plan to update the official app soon,” a- he said in an email.

I asked Kline about proXPN’s risky permissions, and he said:

“These permissions are needed for the UI to update the location only on the displayed map as well as when locking the phone and when updating locations from the server,” Kline said in the e-mail. mail. “If you don’t prefer to use the official app, you can use the official OpenVPN client available in the App Store or the official Strongswan IPsec client if you prefer to use IPsec/IKEv2 VPN.”

Either way, there’s no reason to let proXPN (or any other VPN) access your phone calls, track your every step, and write to your SD card when its limited number of servers can’t even allow you to stream Netflix.

Read more: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic)

If Hola’s notorious history as a bandwidth-hogging mercenary botnet wasn’t enough to make you approach this VPN with caution, then just decide if you’re ok with giving it your status data. phone (same as proXPN and Yoga ask) and having that the data is completely unencrypted.

Around the time the botnet scandal broke, Hola CEO Ofer Vilenski admitted it was a “spammer”, but argued that this bandwidth harvesting was typical of this type of service.

“We assumed that by declaring Hola to be a [peer-to-peer] network, it was clear that people were sharing their bandwidth with the community network in exchange for their free service,” he wrote on the company blog at the time.

But researchers from Trend Micro offered a warning to potential Hola users late last year, stating that “Hola VPN is not a secure VPN solution – rather it is an unencrypted web proxy service”.

oVPNSpider: 4 dangerous permissions

Does oVPNSpider need access to your call logs to work as a VPN? Does it need to have your precise location, put stuff on your SD card, be able to change your system settings? Absolutely not.

What about oVPNSpider’s 4.5 star rating on App Store and 4 star rating on Google Play? I am not convinced. Top10VPN Risk Index Summary detected DNS leaks, a type of critical security flaw in cheap VPNs that exposes your browsing traffic to your internet service provider. He also said that oVPNSpider tested positive for malware and adware.

We did not receive an immediate response from oVPNSpider when we asked for comment.

The final trio: 4 dangerous permissions

SwitchVPN, ZoogVPNand Seed4.Me VPN they’re all asking for the same things: they want specific location data about you, and they want to read and write data to your SD card. All useless.

We have Seed4.Me VPN to thank. at least that responded to privacy researchersdescribed its use of customer support features and instructed users on how to disable permissions (noting that permissions are disabled by default).

But SwitchVPN and ZoogVPN? ZoogVPN has received a lot of praise online, but before I can endorse it, it needs to do a few things: make a kill switch available to Android users, tell us how long it keeps usage logs, and not be located in a country with the EU data retention laws that preserve NSA-like troves of metadata in a mass surveillance swamp. Until then we can still do better.

Requests for location permissions, SwitchVPN told us, needed to identify the server closest to the user. But while a closer server is desirable for connection speed, this can usually be accomplished by using more approximate locations rather than identifying the users exact address. SwitchVPN said users can deny permission and the app “does not send any personal or location data to SwitchVPN.”

“The app requires storage access to be able to download the OpenVPN configuration file and connect to it. As we are using OpenVPN, the configuration file must be loaded to connect,” SwitchVPN said in an email. “So I think it’s not fair to mention like we collect that data and store it with us. Like we don’t.”

SwitchVPN has a kill switch but it’s still based in the US so I’ll pass.

ZoogVPN also responded to us.

“Our app does not require any permissions that fall outside of providing VPN services,” a spokesperson wrote. “There is nothing more than what a VPN app needs to work on an Android device.”

You can check the app’s permission requests by visiting the official Google Play Store page and clicking “Show details” at the bottom of the page under “Permissions”.

For a fresh look at Top10VPN’s investigation and research of apps with risky permissions, visit August website update.

Who to trust?

Glad you asked. Our favorite mobile VPN services are in a tight race against each other, but so far NordVPN in the head. Its strict no-logs policy, kill switch, and selection of 3,500 servers in over 61 countries make it hard to beat.

TorGuardComment really gives NordVPN a run for its money, though. It accepts payment via bitcoin and offers anonymous email. It’s also narrowing the gap with NordVPN in terms of server count, having recently doubled its offerings to over 3,000.

Editor’s note, February 9, 2022: The VPN industry has undergone significant change over the past few months, with our top three VPN picks announcing major changes in company ownership. In December, ExpressVPN announced that it had officially joined Kape Technologies, a company that already owns several other VPNs and has raised privacy concerns in the past. In February, NordVPN and Surfshark announced that the two companies were merging, although they will continue to operate independently. We are in the process of re-evaluating all of our top picks in light of these changes. We will update our reviews and, if necessary, our rankings to reflect this new competitive landscape.

Now Playing:
Look at this:

VPN explained: An introduction to privacy – with bots and racing…


Originally published in 2019. Updated periodically with new information.


About Author

Comments are closed.