I am fully aware of what vpn services to use and not. I am not using Express VPN, I am simply doing research for a master thesis, when I came across these results from Express VPN. If you have any ideas or corrections, please let me know why a VPN provider would need to have access to these permissions.
Screenshot is from Exodus service, which let’s you view what exactly perimissions and trackers each app uses. You can check out the results and the tool for yourself here: https://reports.exodus-privacy.eu.org/en/reports/com.expressvpn.vpn/latest/
Camera could be taking pictures of QR codes to make it easier to set up a VPN.
Bluetooth could be integration with things like Yubikeys for authentication.
Dunno if that’s what they’re actually for, though.
Best practices would not require camera permissions to scan qr codes.
Scan barcodes
Android includes support for the Google Code Scanner API, powered by Google Play services, which allows you to decode barcodes without declaring any camera permissions. This API helps preserve user privacy and makes it less likely that you need to create a custom UI for your barcode-scanning use case.
The API scans the barcode and only returns the scan results to your app. Images are processed on-device, and Google doesn’t store any data or scan results.
https://developer.android.com/privacy-and-security/minimize-permission-requests
To be fair, they didn’t offer that level of granular control for a while.
If you’re a company with development prioritization that makes it difficult to say “we need to take a few weeks of not working of things that make money to reimplement something we already have that works, because of best practices that don’t make us any money” then it can be really difficult to make changes like that.That must be a pretty new API, right?
Since 2015 it was possible with Mobile Visions API.
Now it’s included in ML Kit
Wow, that’s wild that I’ve managed to miss that.
Was it possible to run it sans-camera permission back then as well?
Thanks for letting me know about it, anyhow.
You don’t want to scan secure QR codes through Google APIs. You can be at risk of Google stealing the contents.
Then use zxing API
But you’ll need access to the camera then.
Doesn’t it use IPC? So only separately installed barcode scanner needs camera.
Mate, you need to give access rights to someone. The camera won’t open magically. The reality is that it’s safer to do everything inside your app, especially when you advertise security.
Well TIL; thank you for that!
Removed by mod
I think you can use some of microG’s APIs without connecting it to google.
It’s just not implemented yet: https://github.com/microg/GmsCore/issues/2018
Removed by mod
Ah okay that might justify the camera permission, although personally wouldn’t see the need to have that.
Would definitely prefer to see it be an “as needed” basis, like ask every time
Wait, are you the same guy I asked for access to your draft when you’re done?
How is the paper going? Will you also be covering self-hosted VPNs in your thesis? Also, SSL-VPNs seem to be coming up nicely, so if you’re interested in obfuscation, that might be interesting to you! Can’t wait to read what you’re cooking!
Hahah thats me! :P (lemmy is a small world) My main focus is most likely going to be free vpn’s and the risk of using them. I have to limit the scope quite a bit and want to cover areas that are not that well properly documented… yet…
But thanks for the tips! I will defo read up on it and see wheter or not I can have a “alternatives” section towards the end.
Edit -> This research paper might feed your temporary needs :P https://www.usenix.org/system/files/usenixsecurity23-ramesh-vpn.pdf
Thanks, downloaded! Keep up the excellent work!
I use Express VPN and the camera permission is relatively new as I don’t have it enabled and it’s never asked me prior to enable it. I dug through the app and found it within their new password manager when you add a new credentials it offers you to help setup 2FA with the major providers and you can optionally scan a QR code with it so it’s a benign convenience feature.
Bluetooth on the other hand I cannot explain unless it’s to proxy any connections Bluetooth devices might make.
thanks for the insights :)
Dunno about Bluetooth, but isn’t Expressvpn pushing their new password manager? I imagine it’s a separate app, but if not, then it would make sense to have camera to read 2FA QR-codes.
Edit: from their site:
Keys comes included in any ExpressVPN subscription and is built right in to our apps for iOS and Android.
Yup, that’s got to be the camera. Still not sure about the Bluetooth though.
There are Bluetooth FIDO security keys out there for 2FA, like: https://thetis.io/products/fido2-ble-security-key. Some implementations can also use a phone, running an app via BLE. Not sure if they use it, but that could be one reason it’s asking for that permission.
Camera permission may be needed for scanning QRCodes to set up 2FA.
If handfuls of youtube sponsor callout videos has been proof of, is that you should never use a service advertised on youtube.
I prefer mullvad. Not only is their pricing and account system much more privacy focused, they are a European (Swedish) company and are bound by the laws of my country by default. Another European one is surfshark (Dutch) which I used before. I trust mullvad more though. They also have open source clients and had no user data stored when they were raided once before.
Edit: clarifying the reason I used surfshark. I used it back when I was in high school a few years ago, so their 3 year plan seemed like a very good price. They also supported this very obscure VPN protocol whose name I can’t remember, and my school just so happened to have forgotten to block it on their network. But I couldn’t use that protocol on Linux due to incomplete connection steps provided by surfshark, and I switched to using linux full time in the second half of my first year, so that was a waste and I just used my mobile data.
They also push the envelope on privacy, and frequently publish security reports.
deleted
In the mobile space, there are Chinese calculators apps on Androids by manufacturers that require internet access…
Oof
