Android VPN Permissions – 2019 Study

Rob Mardisalu

Rob Mardisalu

Extensive study on Android VPN apps and their permissions asked. Written by TheBestVPN team.
Last checked: 4th of March, 2019

Android VPN premissionsThe purpose of a permission is to protect the privacy of an Android user.

According to Android documentation for app developers, permissions fall into two groups – normal and dangerous.

  • Normal permissions – Don’t pose risk to the user’s privacy and are granted automatically by the system to the app.
  • Dangerous permissions – Could potentially affect user’s privacy or the device’s normal operation, the user must explicitly agree to grant those permissions.

As a VPN user, you want your VPN to not ask any kind of dangerous permissions that are not needed for the VPN app to function or which can compromise your privacy.

In this study, 81 Android VPN apps were evaluated based upon the permissions that they request.

Our goal was to find out the most commonly used permissions by the VPN apps as well as the questionable and more suspicious permissions that are either not needed for the VPN app to work or are violating the user’s privacy or security.

All of the tested apps were downloaded from the Google Play store and the permissions lists were extracted directly from the app’s .apk file. Here’s a more detailed Google spreadsheet with all the permissions from the tested Android VPN apps.

Most Commonly Asked Permissions By VPNs

Android has a variety of different permissions for different purposes. Depending on what an app wants to do and how it does it, it may need a different set of permissions. Table 1 shows the most common permissions requested by the VPN apps in this study.

Table 1. Most commonly requested permissions for Android VPN apps.

  • Green: Normal – permissions granted automatically by the Android system.
  • Red: Dangerous – permissions that compromise user’s privacy or system (user must agree).




Allows VPN applications to open network sockets.


Allows VPN applications to access information about networks.


For keeping device awake.


To notify if device restart is completed.


Allows VPN applications to access information about Wi-Fi networks.


For in-app billing purposes.


Push notifications.


Gives the VPN developers information on how the users arrived to the app before installing.


Allows VPN to write to external storage, such as SD.


Allows VPN to read from external storage, such as SD.


For keeping the VPN application running.


Allows read only access to phone state, including the phone number of the device, current cellular network information and the status of any ongoing calls.


Allows the API to use WiFi or mobile cell data (or both) to determine the device’s location.


Allows VPN applications to change Wi-Fi connectivity state.


Allows VPN app to access users precise location.


Many of the permissions above are needed for a VPN to function, these include getting access to Internet, checking your connection status and keeping your app awake. These are completely normal and shouldn’t cause any worry. They are listed as “normal” by the Android developers.

Some permissions, such as android.permission.INTERNET and android.permission.ACCESS_NETWORK_STATE was granted to all of the VPN apps automatically.

However, in this list, there were also “dangerous” permissions that could potentially compromise Android user privacy, these were related to getting access to your precise location, device name, your phone number and reading your SD card.

Reply from Alex (Seed 4 Me VPN):

The location permission required to get name of Wi-Fi networks. In our application we have a “Trusted Networks” feature. The application notifies users when they are connected to a new Wi-Fi network and if the network is not in the list of Trusted Networks then the app advises user to use the VPN. It’s a useful feature for privacy protection, especially when you are connected to a free Wi-Fi in a hotel or cafe.Android operating system requires the permission since Android 9, previous versions of our application didn’t require the permission. The application asks for the permission at the start screen and has the message explaining why it requires the permission. If user does not want to use “Trusted Networks” feature, then he can either don’t give the access on the starting screen or later disable the access to our application to this feature in system settings (Settings > Apps & Notifications > Seed4.Me VPN > Permissions > Location). All other features of the application will work just
The permissions to read and write from external storage required to collect error log. We have 24/7 support and if application does not work as expected then users can collect logs for tech. support by long press on “Support” button. The application will ask if the user wants to enable log collection and if user agrees then application will save its log to external drive. User can reproduce the issue and press “Support” button again to send an email to our support team. The log will be automatically attached to the email and removed from external storage.

The application does not request the permissions until the user wants to collect the logs. By default the permission is Disabled for the application and other features of the application does not require them. If user collected logs once then he can disable access in settings (Settings > Apps & Notifications > Seed4.Me VPN > Permissions > Storage).

A Look Into “Dangerous” Permissions

Once we had identified all the permissions of each 81 VPNs (including the common ones), we filtered out permissions that were not needed for a VPN app to function and can potentially harm the user’s privacy.

Many of the VPN apps reviewed in this study ask for permissions that are not needed for a VPN to function.

Some permissions are fairly harmless. Like the ability to cause the phone to vibrate or push app notifications.

However others are more suspicious. While these permissions can be used for benign purposes (i.e. requesting access to coare location is a way to get the name of a WiFi network for handling reconnections), they also have the ability to compromise the user’s privacy.

Others have no legitimate purpose in a VPN app, like WRITE_SETTINGS which allows VPN app to write the system settings or READ_LOGS, which allows VPN app to read the low-level system log files.

Table 2. Apps with most suspicious/dangerous permissions

VPN Name # of dangerous permission Exact permission name
Yoga VPN

Google Play link

6 android.permission.ACCESS_FINE_LOCATION


Google Play link

5 android.permission.ACCESS_FINE_LOCATION

Hola Free VPN

Google Play link

4 android.permission.READ_PHONE_STATE
Seed4.Me VPN

Google Play link

4 android.permission.ACCESS_FINE_LOCATION


Google Play link

4 android.permission.ACCESS_FINE_LOCATION


Google Play link

4 android.permission.ACCESS_FINE_LOCATION

Zoog VPN

Google Play link

4 android.permission.ACCESS_FINE_LOCATION


Most concerning permissions were used by the Yoga VPN app (5+ million installs on Google Play) and oVPNSpider that asked permissions to read and write system settings, get access to your phone state and your exact location with ability to read and write to SD which are not required for a VPN app to work.

Another notable permission used by oVPNSpider and tigerVPN is the READ_LOGS permission. This permission is no longer available to third-party apps (like VPNs) due to privacy concerns, and the app should not be requesting it at all.

Below are explanations of suspicious permissions asked by Android VPN apps:


Allows VPN to read and write to external storage – not needed for a VPN app to function and could compromise user’s privacy.

  • Permission: android.permission.WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE
  • Used by the following 27 VPN apps: Betternet, Free VPN org, OneVPN, X-VPN, StarVPN, VPN One Click, Yoga VPN, AppVPN, ProXPN, Seed4me VPN, oVPNSpider, Goose VPN, SpyOFF, TouchVPN, SwitchVPN, Trust Zone, McAfee VPN, SurfEasy, Psiphon, TigerVPN, Dash VPN, Hotspot Shield, NordVPN, Hola VPN, SurfShark, VPN Secure, Zoog VPN.

Allows VPN read only access to phone state, including the phone number of the device, current cellular network information and the status of any ongoing calls – not needed for a VPN to work.

  • Permission: android.permission.READ_PHONE_STATE
  • Used by the following Android 18 VPN apps: Avira VPN, Free VPN org, Norton Secure VPN, VPN One Click, Yoga VPN, HideMyAss, AVG VPN, ProXPN, Goose VPN, Touch VPN, McAfee VPN, SurfEasy, Kaspersky VPN, Speedify, Dash VPN, Hotspot Shield, ibVPN, Hola VPN.

Allows VPN to use WiFi or mobile cell data (or both) to determine the device’s location – potential privacy risk.

  • Permission: android.permission.ACCESS_COARSE_LOCATION
  • Used by the following 16 VPN apps: WindScribe, Free VPN org, Yoga VPN, HideMyAss, Avast VPN, AVG VPN, iVPN, ProXPN, oVPNSpider, TouchVPN, SwitchVPN, Kaspersky VPN, Psiphon VPN, Speedify, Dash VPN, Zoog VPN .

Allows a VPN app to access user’s precise location – high privacy risk. 


Allows VPN app to to read or write the system settings – high security and privacy risk.


Allows VPN app to read the low-level system log files. Not for use by third-party applications, because Log entries can contain the user’s private information – high privacy risk.


Allows VPN application to manage access to documents, usually as part of a document picker. This permission should only be requested by the platform document management app. This permission cannot be granted to third-party apps.


Allows an application to retrieve state dump information from system services. Not for use by third-party applications.

The Results

In the last table, we are listing out all the VPNs we tested and their permissions in total, custom permissions and suspicious permissions.

Table 3. VPN apps ranked by requested permissions

VPN name .apk file name Suspicious Permissions Total Permissions Custom Permissions
Yoga VPN com.yogavpn 6 13 2
ProXPN com.proxpn.proxpn 5 16 5
Dash VPN com.actmobile.dashvpn 5 14 2
Seed 4 Me 4 17 4
oVPNSpider com.ovpnspider 4 8 0
SwitchVPN com.switchvpn.ovpn 4 12 3
Hola org.hola 4 15 1
Zoog VPN 4 13 2
Free VPN org org.freevpn 3 12 2
VPN One Click 3 7 0
Goose VPN com.goosevpn.gooseandroid 3 11 3
TouchVPN com.northghost.touchvpn 3 14 3
SurfEasy com.surfeasy 3 14 3
Psiphon VPN com.psiphon3.subscription 3 11 0
Speedify com.speedify.speedifyandroid 3 12 1
TigerVPN com.tigeratwork.tigervpn 3 9 1
Hotspot Shield VPN 3 16 3
ibVPN com.ibvpn.client 3 8 0
Betternet com.freevpnintouch 2 16 4
OneVPN com.dave.onevpnfresh 2 9 2
Windscribe com.windscribe.vpn 2 14 2
X-VPN 2 13 2
Star VPN com.peach.vpn 2 10 2
HideMyAss com.hidemyass.hidemyassprovpn 2 19 6
Avg VPN 2 19 6
SpyOFF 2 5 0
PureVPN com.gaditek.purevpnics 2 21 6
Trust Zone 2 5 0
Mcafee Safe Connect 2 10 2
Kaspersky VPN 2 17 4
SurfShark 2 14 4
VPN Secure 2 9 1
Ivacy com.ivacy 1 11 2
Avira Phantom VPN com.avira.vpn.AviraVPNApplication 1 13 1
Norton Secure VPN 1 13 3
Thunder VPN 1 9 3
AppVPN appvpn.vpn 1 8 2
Avast VPN 1 19 7
VPN In Touch 1 9 2
iVPN net.ivpn.client 1 6 0
VPN Unlimited com.simplexsolutionsinc.vpn_unlimited 1 17 4
OpenVPN de.blinkt.openvpn 1 5 0
Hide My IP com.hidemyip.hideme 1 10 1
PrivateVPN com.pvpn.privatevpn 1 7 0
VPN Area com.vpnarea 1 5 0
AirVPN org.airvpn.eddie 1 4 0
Anonymous VPN com.aprovpn.openvpn 1 4 0
NordVPN 1 14 4
Private Internet Access 1 5 0
VPN ac ac.vpn.androidapp 1 5 1
StrongVPN com.strongvpn 0 5 0
Hoxx VPN com.hoxxvpn.main 0 3 0
TurboVPN free.vpn.unblock.proxy.turbovpn 0 7 2
VPN Master 0 7 2
Disconnect Me com.disconnect.samsungcontentblocker 0 3 1
HexaTech tech.hexa 0 12 4
CyberGhost de.mobileconcepts.cyberghost 0 11 4
AstrillVPN com.astrill.astrillvpn 0 2 0
Torguard net.torguard.openvpn.client 0 6 0
UltraSurf 0 1 0
ProtonVPN 0 5 0
VPN 360 co.infinitysoft.vpn360 0 6 2
F-Secure VPN 0 10 2
IPVanish com.ixolit.ipvanish 0 5 0
Browsec VPN com.browsec.vpn 0 8 2
Cactus VPN 0 8 2
Private Tunnel net.openvpn.privatetunnel 0 6 0
Buffered VPN com.buffered.vpn 0 4 0
LiquidVPN com.liquidvpn.liquidvpn 0 3 0
BlackVPN com.blackvpn 0 7 2
Hotspot VPN 0 5 0
DotVPN com.dotvpn.vpn 0 5 0
ZenMate 0 12 4
Encrypt Me com.stackpath.cloak 0 10 3
ExpressVPN com.expressvpn.vpn 0 10 2
SaferVPN 0 8 2
FastestVPN com.vpn.fastestvpnservice 0 6 2
VPNHub com.appatomic.vpnhub 0 9 3
VPN Tunnel 0 8 2
VyprVPN 0 8 2

Link to spreadsheet of all the permissions asked by the VPNs.

In theory, VPN apps should only need a few permissions to function. INTERNET and ACCESS_NETWORK_STATE should usually be enough.

However, as an average, 11 permissions are asked per VPN app.

Android provides a wide variety of possible permission for applications to take advantage of. However, there is also the potential for apps to define their own permissions as well. In many cases, these permissions are benign, like allowing an app to talk to the maker’s cloud systems (a commonly requested one for these apps).

Higher up the table are VPN apps that have the most dangerous permissions that could affect user’s privacy. Especially Yoga VPN, ProxPN and TigerVPN

However, the use of a large number of dangerous permissions could be cause for suspicion.

When selecting and installing a VPN app on Android, paying attention to permissions is important. Read the description and think about whether the app really needs the ability to record you in order to provide a VPN service. Some of the apps from the biggest companies turned out to be the most suspicious in this study, so you can’t just trust the big names.