New Study Shows That Little Has Changed on the Android VPN Permissions Front

Last updated July 30, 2021
Written by:
Bill Toulas
Infosec Writer

Two months ago, we touched on the matter of VPN apps on the Android platform and how they fare against privacy, security, and permission-granting policy standards. Unfortunately, only 17 of the 150 apps tested were deemed “safe”, while 38% of them asked for privacy-undermining permissions during installation. A similar study conducted by John Mason, researcher of “TheBestVPN”, shows that not much has changed in the permissions most Android VPN apps ask for when installed on a device. This is especially alarming, as it shows that the developers of these VPN apps are not affected by negative publicity and criticism.

Under Android’s permission model, permissions considered dangerous to the device’s normal operation and the user’s privacy are left for the user to decide through a dialog. Any other permissions the app requires for its normal operation are granted by the operating system automatically. The most popular “dangerous” permission requested by Android VPN apps is writing to and reading from an external storage medium such as an SD card. This permission was requested by 27 of the 81 Android VPN apps. Another 18 ask for permission to read the phone state (full network information), 16 request API access for determining the device’s location (coarse), and another nine ask for “fine-location” (precise) determination. Now, why would a VPN app need your precise location in order to offer its services?
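To check a given app against the permissions named above, the following added example (not part of the study or the original article) audits a manifest for them. It assumes the APK's binary `AndroidManifest.xml` has already been decoded to text; the sample manifest, package name and `audit_manifest` function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes

# Dangerous permissions named in the article, with the article's wording.
FLAGGED = {
    "android.permission.READ_EXTERNAL_STORAGE": "read external storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write external storage",
    "android.permission.READ_PHONE_STATE": "read phone state",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse location",
    "android.permission.ACCESS_FINE_LOCATION": "fine (precise) location",
}

# Constructed sample: decoded manifest of a hypothetical VPN app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.samplevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
      android:maxSdkVersion="28"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".TunnelService"
        android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>
"""

def audit_manifest(xml_text):
    """Return the flagged permissions a manifest requests and whether it declares a VPN service."""
    root = ET.fromstring(xml_text)  # parse only manifests from a trusted decoding step
    findings = []
    # uses-permission-sdk-23 requests the permission only on Android 6.0+ devices.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(A + "name")
            if name in FLAGGED:
                findings.append({"permission": name, "label": FLAGGED[name],
                                 "tag": tag, "max_sdk": el.get(A + "maxSdkVersion")})
    # A VpnService implementation must be protected by BIND_VPN_SERVICE.
    is_vpn = any(s.get(A + "permission") == "android.permission.BIND_VPN_SERVICE"
                 for s in root.iter("service"))
    return {"package": root.get("package"), "is_vpn": is_vpn, "findings": findings}

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"], "declares VPN service:", report["is_vpn"])
    for f in report["findings"]:
        print(f"  {f['label']}: {f['permission']} (maxSdkVersion={f['max_sdk']})")
```

A `maxSdkVersion` on a flagged entry means the request is dropped on newer Android releases, which is worth noting before treating the finding as current behaviour.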

According to the study’s findings, the most suspicious VPN apps are:

Yoga VPN, which tops the list of the most concerning apps, counts over five million installs on Google Play and has an outstanding user rating of 4.7. OvpnSpider, with over a million installations and a rating of 4.1, is also deemed especially dangerous by the researchers. All of these apps are freely available, so gathering and selling user data could be (and potentially is) a shady way for them to stay in business. However, it is not only apps from unreliable developers that ask for dangerous permissions, as the list contains products from well-known and trusted anti-virus solution vendors. Kaspersky, Avira, Avast, Norton, McAfee, and AVG are all included in the list, asking for one or two dangerous permissions. Now, this doesn’t mean that they are doing this with a malicious purpose, but I’m sure they could still offer their services without risking user privacy. Our own pick and long-time suggestion, ExpressVPN, is vindicating us through this study as well, requesting no dangerous permissions from the user.

Do you think that Google should scrutinize apps based on the number and type of permissions they are asking in order to kick them out of the Store, or do you believe that users should be solely responsible for what they choose to install on their devices? Share your thoughts in the comments section beneath, and don’t forget to like and subscribe on our socials as well, on Facebook and Twitter.


