Analysis of requests for inappropriate permissions in VPN applications for Android

The publication Thebestvpn, which specializes in comparing VPN providers, has analyzed the permissions requested by VPN applications distributed through the Google Play catalog.

The study found that most of the Android applications tested requested permissions unrelated to VPN functionality.

In particular, 50 of the 81 tested VPN applications requested access to user data. Although the INTERNET and ACCESS_NETWORK_STATE permissions are sufficient for a VPN application, many applications requested access to the following APIs:

• Reading and writing to external media: Betternet, Free VPN org, OneVPN, X-VPN, StarVPN, VPN One Click, Yoga VPN, AppVPN, ProXPN, Seed4me VPN, oVPNSpider, Goose VPN, SpyOFF, TouchVPN, SwitchVPN, Trust Zone, McAfee VPN, SurfEasy, Psiphon, TigerVPN, Dash VPN, Hotspot Shield, NordVPN, Hola VPN, SurfShark, VPN Secure, Zoog VPN;

• Getting information about the exact location of the user: Yoga VPN, VPN Unlimited, ProXPN, Seed4me VPN, oVPNSpider, SwitchVPN, Dash VPN, Hola VPN, Zoog VPN;

• Getting information about the approximate location: WindScribe, Free VPN org, Yoga VPN, HideMyAss, Avast VPN, AVG VPN, iVPN, ProXPN, oVPNSpider, TouchVPN, SwitchVPN, Kaspersky VPN, Psiphon VPN, Speedify, Dash VPN, Zoog VPN;

• Reading phone information (phone number, mobile operator, outgoing call status): Avira VPN, Free VPN org, Norton Secure VPN, VPN One Click, Yoga VPN, HideMyAss, AVG VPN, ProXPN, Goose VPN, Touch VPN, McAfee VPN, SurfEasy, Kaspersky VPN, Speedify, Dash VPN, Hotspot Shield, ibVPN, Hola VPN;

• Ability to change system settings: Speedify, Yoga VPN;

• Access to system logs (including call logs): TigerVPN, oVPNSpider;

• Access to user documents: TigerVPN;

• Ability to obtain a dump of the state of system services: PureVPN.

In terms of the number of dangerous permissions requested, Yoga VPN, with 5 million installations, is the leader (it requests access to 6 advanced APIs). In second place is proXPN VPN (5). Third place is shared by Hola Free VPN (4), Seed4.Me VPN (4), OvpnSpider (4), SwitchVPN (4) and Zoog VPN (4).
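The same kind of check can be run against any app's manifest. The following is an added example, not code from Thebestvpn or from the study: it parses a decoded AndroidManifest.xml (text XML, as a decoder such as apktool produces) and reports every requested permission beyond the INTERNET and ACCESS_NETWORK_STATE baseline. The mapping from the article's categories to Android permission constants, the function name `audit_manifest` and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
# The article states these two are sufficient for a VPN application.
BASELINE = {"INTERNET", "ACCESS_NETWORK_STATE"}
# Assumed mapping: the article lists categories, not permission constants.
CATEGORIES = {
    "READ_EXTERNAL_STORAGE": "external media",
    "WRITE_EXTERNAL_STORAGE": "external media",
    "ACCESS_FINE_LOCATION": "exact location",
    "ACCESS_COARSE_LOCATION": "approximate location",
    "READ_PHONE_STATE": "phone information",
    "WRITE_SETTINGS": "system settings",
    "READ_LOGS": "system logs",
    "MANAGE_DOCUMENTS": "user documents",
    "DUMP": "system service dump",
}


def audit_manifest(manifest_xml):
    """Group non-baseline permissions by the article's categories."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    # uses-permission-sdk-23 declares permissions for API level 23+ only.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            requested.add(name[len(PREFIX):] if name.startswith(PREFIX) else name)
    extra = requested - BASELINE - {""}
    flagged = {}
    for perm in sorted(extra & set(CATEGORIES)):
        flagged.setdefault(CATEGORIES[perm], []).append(perm)
    # Anything else beyond the baseline is listed for manual review.
    return {"flagged": flagged, "other": sorted(extra - set(CATEGORIES))}


# Constructed sample manifest (not taken from any real application).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```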

Recall that a study of 283 mobile applications implementing VPN functions, conducted in 2017, showed that 18% of them did not use encryption (traffic was sent in the clear), 84% allowed IPv6 traffic to bypass the tunnel, 66% sent DNS queries directly, and 16% modified transit HTTP user traffic for optimization purposes (for example, to transcode images). Two applications substituted their own advertisements into transit traffic, one application sent requests addressed to online stores to a partner service, and four installed their own root certificates to intercept HTTPS connections.
