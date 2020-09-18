



The fact that a virtual private network (VPN) application is protecting your mobile browsing from prying eyes does not mean that it should access your data or control your operating system. So before relying on that highly recommended VPN with a million installations in the Google Play Store, you should know that there is a list of suspicious VPNs for Android that request more permissions than they really need, which can put your privacy at risk.

In this research it all comes down to the number of “normal” permissions and “dangerous” permissions that each application requests. The “normal” permissions are usually granted by Android: they allow applications to remain active while you use them or to connect to the Internet when you tell them to.

“Dangerous” permissions can put your privacy at risk. Some are harmless or required by Android, for example when an application requests general location data to check whether a public Wi-Fi network is reliable. But sometimes “dangerous” permissions include unnecessary requests, such as when an application wants to change your system settings, access the list of your phone calls, or determine your exact location.

As our sister site ZDNet originally highlighted, several popular Android VPN apps have been requesting more permissions than they need. These are the ones to watch carefully.

Yoga VPN: 6 dangerous permissions

Yoga tops the list with six dangerous permission requests, including knowing the status of your phone. It wants to know your phone number, what cellular network you are on and whether you are on a call. What does it need this data for?

It’s hard to say, since Yoga’s privacy policy (373 words) somehow manages to state both that “we do not collect your personal information” and that “we may collect your information when you communicate with us.”

No matter where you find them, you should start avoiding free VPNs. Such is the case with Yoga, which is featured in Top10VPN’s review of the Top 10 Free VPN Apps, indicating that it has very little privacy protection. Another important issue is that we do not know where the headquarters of Yoga is located. We have not been able to find out, as the company has not yet responded to our request for comment.

proXPN VPN: 5 dangerous permissions

Yes, this VPN offers unlimited data transfer and connection time. And yes, it does have a zero logging policy (at least after two weeks, when all logs are supposedly deleted).

But proXPN operates from the United States. That alone is already a deciding factor for not using it. If you’re looking to maximize your privacy, you should generally avoid any VPN based in the US, UK, Canada, Australia, and New Zealand, the so-called “Five Eyes” of the global intelligence community. The Five Eyes have made an open call for what most people see as the end of online privacy: the installation of government backdoor access to private communication technology.

We reached out to proXPN to ask some questions about the number of permissions its app requests. But our first question was whether the company was still operating.

The app has not been updated on the Google Play Store since 2017, the company’s two Twitter accounts have been inactive since 2018, many of its site’s security certificates expired in March, an increasing number of user comments are complaints about not being able to connect, and of the two public phone numbers listed by proXPN, one is no longer working and the other is no longer accepting messages.

Ian Kline, who heads customer service and technical support for proXPN, responded to us and said that the company still provides help to its customers via Facebook and email.

“Regarding the proXPN application, there have been no updates to the application, which is the client side, as we are already working on our servers. We have plans to update the official application soon,” he said in an email.

I asked Kline about risky proXPN permissions, and he answered the following:

“Those permissions are required for the user interface to update the location only on the displayed map, as well as when locking the phone and updating the server locations.”

“And if [the user] prefers not to use the official app, you can use the official OpenVPN client that is available from the app store or Strongswan’s official IPsec client if you prefer to use IPsec / IKEv2 VPN,” Kline said by email.

In any case, there is no reason whatsoever to allow proXPN (or any other VPN) to access your phone calls, track every step you take and record information on your SD card, especially when its limited number of servers does not even allow you to stream anything on Netflix.

If the notorious story of Hola as a mercenary botnet (a network of computer robots, also known as bots) that appropriates the bandwidth of its users has not been enough to convince you that you should be very careful when approaching this VPN, then maybe you should consider whether you like the idea of providing information about the status of your phone (the same as proXPN and Yoga ask for) and of this data being completely unencrypted.

When the botnet scandal broke, Hola CEO Ofer Vilenski admitted that he was misled by a spammer, but argued that this bandwidth harvesting was typical for this type of service.

“We assume that by stating that Hola is a [peer-to-peer] network, it was clear that people would be sharing their bandwidth with the community network in exchange for their free service,” he wrote on the company’s blog at the time.

But researchers at Trend Micro issued a warning to potential Hola users late last year, stating that “Hola VPN is not a secure VPN solution, but rather an unencrypted web proxy service.”

oVPNSpider: 4 dangerous permissions

Does oVPNSpider need to access your call logs to function as a VPN? Does it need to know your precise location, save things to your SD card, and be able to change your system settings? No way.

As for its 4.5 star rating on the App Store and 4 stars on the Google Play Store, I’m not very convinced. The Top10VPN Risk Index summary detected DNS leaks, a type of critical security flaw in cheap VPNs that exposes your browsing traffic to your Internet Service Provider. It also indicates that oVPNSpider gave positive results in its malware and adware tests.

We did not receive an immediate response from oVPNSpider when we contacted them for comment.

The final trio: 4 dangerous permissions

SwitchVPN, Zoog VPN, and Seed4.Me VPN all ask for the same thing: they want your specific location data and to be able to read and save information on your SD card. All unnecessary.

We want to highlight the case of Seed4.Me VPN. At least it responded to privacy researchers, described its use of customer service features, and instructed users on how to disable such permissions (and indicated that these are disabled by default).

And what about SwitchVPN and ZoogVPN? ZoogVPN has received its fair share of praise online, but there are a few things it still has to do before convincing me: it needs to make a kill switch available to Android users, tell us how long it keeps its usage logs, and change its location to a country that is not subject to the data retention laws of the European Union, which keep metadata hidden in a similar way to the NSA (the National Security Agency of the United States) in a kind of mass surveillance swamp. Until then, we still have better options.

SwitchVPN told us that requests for permissions to know your location allow it to determine which is the closest server. But while a nearby server is desirable to improve connection speed, this can usually be accomplished by using rough locations rather than pinpointing the exact address of users. SwitchVPN said that users can refuse this permission and that the app “does not send any personal or location data to SwitchVPN.”

“The application requires access to the storage to be able to download the OpenVPN configuration file and connect to it. When using OpenVPN, uploading the configuration file is required in order to connect,” SwitchVPN said in an email. “So I think it’s not fair to say that we collect this data and store it. Because we don’t.”

SwitchVPN has a kill switch, but it is still based in the US, so I don’t recommend it.

ZoogVPN also contacted us.

“Our app does not require any permission that is outside the scope of the VPN service provision,” wrote a spokesperson. “There is nothing else outside of what a VPN app requires to run on an Android device.”

You can check the application’s permission requests by visiting the official Google Play Store page and clicking “View details” at the bottom of the page under “Permissions”.
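An offline version of the check described above, as an added example that is not part of the original article: it reads a decoded AndroidManifest.xml and sorts the requested permissions into those a VPN client needs and those the article calls unnecessary. The sample manifest, the baseline set, and the mapping from the article's wording to Android permission names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Normal permissions a VPN client plausibly needs (this example's baseline).
EXPECTED = {"INTERNET", "ACCESS_NETWORK_STATE", "FOREGROUND_SERVICE"}

# Capabilities the article calls unnecessary for a VPN, mapped to Android
# permission names. The mapping is this example's assumption.
FLAGGED = {
    "READ_PHONE_STATE": "phone number, cellular network, call status",
    "READ_CALL_LOG": "list of phone calls",
    "ACCESS_FINE_LOCATION": "exact location",
    "READ_EXTERNAL_STORAGE": "read the SD card",
    "WRITE_EXTERNAL_STORAGE": "save to the SD card",
    "WRITE_SETTINGS": "change system settings",
}

# Constructed sample: decoded manifest of a hypothetical VPN app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="com.example.vpn.permission.PUSH"/>
</manifest>"""

def audit_manifest(manifest_xml):
    """Sort requested permissions into expected, flagged and needs-review."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            requested.add(node.get(ANDROID_NS + "name", ""))
    report = {"expected": [], "flagged": {}, "review": []}
    for name in sorted(requested):
        short = name[len(PREFIX):] if name.startswith(PREFIX) else None
        if short in EXPECTED:
            report["expected"].append(short)
        elif short in FLAGGED:
            report["flagged"][short] = FLAGGED[short]
        else:
            # Custom or unlisted permissions: read these by hand.
            report["review"].append(name)
    return report

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```
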

To stay on top of Top10VPN’s research and analysis of apps with risky permissions, visit their website’s August update.

Who to trust?

I’m glad you asked. Our favorite mobile VPN services face stiff competition, but so far NordVPN is ahead in 2019. Its strict no-logging policy, kill switch, and selection of 3,500 servers in more than 61 countries make it hard to beat.

However, TorGuard is really giving NordVPN competition. It accepts payments through bitcoin and offers an anonymous email address. It’s also getting closer and closer to NordVPN in terms of number of servers, as it recently doubled its offering to more than 3,000.