I am fully aware of what vpn services to use and not. I am not using Express VPN, I am simply doing research for a master thesis, when I came across these results from Express VPN. If you have any ideas or corrections, please let me know why a VPN provider would need to have access to these permissions.
Screenshot is from Exodus service, which let’s you view what exactly perimissions and trackers each app uses. You can check out the results and the tool for yourself here: https://reports.exodus-privacy.eu.org/en/reports/com.expressvpn.vpn/latest/
Camera could be taking pictures of QR codes to make it easier to set up a VPN.
Bluetooth could be integration with things like Yubikeys for authentication.
Dunno if that’s what they’re actually for, though.
Best practices would not require camera permissions to scan qr codes.
https://developer.android.com/privacy-and-security/minimize-permission-requests
I’m going to assume they didn’t implement this because money. Their app runs on everything, from iOS to Android to Windows. Cost savings they likely just flipped camera permissions and didn’t care about small edge cases like these.
With that said, Mullvad is a million times better, cheaper and doesn’t require even an email or account creation to use. They created a system that effectively anonymizes the user before they even subscribe.
5$ per month isnt cheap for a vpn.
Expressvpn is about 10$ a month, so 5$ would definitely be an improvement.
And that’s with the 2 year subscription discount, which makes it $8.50 a month. Mullvad is a flat $5 a month. No subscriptions.
To be fair, they didn’t offer that level of granular control for a while.
If you’re a company with development prioritization that makes it difficult to say “we need to take a few weeks of not working of things that make money to reimplement something we already have that works, because of best practices that don’t make us any money” then it can be really difficult to make changes like that.
You don’t want to scan secure QR codes through Google APIs. You can be at risk of Google stealing the contents.
Then use zxing API
But you’ll need access to the camera then.
Doesn’t it use IPC? So only separately installed barcode scanner needs camera.
Mate, you need to give access rights to someone. The camera won’t open magically. The reality is that it’s safer to do everything inside your app, especially when you advertise security.
That must be a pretty new API, right?
Since 2015 it was possible with Mobile Visions API.
Now it’s included in ML Kit
Wow, that’s wild that I’ve managed to miss that.
Was it possible to run it sans-camera permission back then as well?
Thanks for letting me know about it, anyhow.
Well TIL; thank you for that!
This should not need GMS. This is the flaw with it.
I think you can use some of microG’s APIs without connecting it to google.
It’s just not implemented yet: https://github.com/microg/GmsCore/issues/2018
That’s good, but this post is encouraging wrong conclusion. Camera permission is not the problem, instead the problem is VPN having nothing to do with camera. Using VPN configuration files should be the way, or logging into an account securely (ExpressVPN in this case).
Ah okay that might justify the camera permission, although personally wouldn’t see the need to have that.
Would definitely prefer to see it be an “as needed” basis, like ask every time
That is probably possible, since Android usually asks about that nowadays.
You can often just deny permissions and it will work fine, just nag you sometimes
I don’t imagine express is wireguard under the hood but that’s a pretty common wireguard configuration method.