I am fully aware of what vpn services to use and not. I am not using Express VPN, I am simply doing research for a master thesis, when I came across these results from Express VPN. If you have any ideas or corrections, please let me know why a VPN provider would need to have access to these permissions.
Screenshot is from Exodus service, which let’s you view what exactly perimissions and trackers each app uses. You can check out the results and the tool for yourself here: https://reports.exodus-privacy.eu.org/en/reports/com.expressvpn.vpn/latest/
Camera could be taking pictures of QR codes to make it easier to set up a VPN.
Bluetooth could be integration with things like Yubikeys for authentication.
Dunno if that’s what they’re actually for, though.
Best practices would not require camera permissions to scan qr codes.
https://developer.android.com/privacy-and-security/minimize-permission-requests
To be fair, they didn’t offer that level of granular control for a while.
If you’re a company with development prioritization that makes it difficult to say “we need to take a few weeks of not working of things that make money to reimplement something we already have that works, because of best practices that don’t make us any money” then it can be really difficult to make changes like that.
That must be a pretty new API, right?
Since 2015 it was possible with Mobile Visions API.
Now it’s included in ML Kit
Wow, that’s wild that I’ve managed to miss that.
Was it possible to run it sans-camera permission back then as well?
Thanks for letting me know about it, anyhow.
You don’t want to scan secure QR codes through Google APIs. You can be at risk of Google stealing the contents.
Then use zxing API
But you’ll need access to the camera then.
Doesn’t it use IPC? So only separately installed barcode scanner needs camera.
Mate, you need to give access rights to someone. The camera won’t open magically. The reality is that it’s safer to do everything inside your app, especially when you advertise security.
Well TIL; thank you for that!
Removed by mod
I think you can use some of microG’s APIs without connecting it to google.
It’s just not implemented yet: https://github.com/microg/GmsCore/issues/2018
Removed by mod
Ah okay that might justify the camera permission, although personally wouldn’t see the need to have that.
Would definitely prefer to see it be an “as needed” basis, like ask every time