I am fully aware of what vpn services to use and not. I am not using Express VPN, I am simply doing research for a master thesis, when I came across these results from Express VPN. If you have any ideas or corrections, please let me know why a VPN provider would need to have access to these permissions.

Screenshot is from Exodus service, which let’s you view what exactly perimissions and trackers each app uses. You can check out the results and the tool for yourself here: https://reports.exodus-privacy.eu.org/en/reports/com.expressvpn.vpn/latest/

Link to Image

  • winterayars@sh.itjust.works
    link
    fedilink
    arrow-up
    168
    arrow-down
    1
    ·
    1 year ago

    Camera could be taking pictures of QR codes to make it easier to set up a VPN.

    Bluetooth could be integration with things like Yubikeys for authentication.

    Dunno if that’s what they’re actually for, though.

    • BuddyTheBeefalo@lemmy.ml
      link
      fedilink
      arrow-up
      66
      arrow-down
      2
      ·
      1 year ago

      Best practices would not require camera permissions to scan qr codes.

      Scan barcodes

      Android includes support for the Google Code Scanner API, powered by Google Play services, which allows you to decode barcodes without declaring any camera permissions. This API helps preserve user privacy and makes it less likely that you need to create a custom UI for your barcode-scanning use case.

      The API scans the barcode and only returns the scan results to your app. Images are processed on-device, and Google doesn’t store any data or scan results.

      https://developer.android.com/privacy-and-security/minimize-permission-requests

      • meseek #2982@lemmy.ca
        link
        fedilink
        arrow-up
        27
        arrow-down
        1
        ·
        1 year ago

        I’m going to assume they didn’t implement this because money. Their app runs on everything, from iOS to Android to Windows. Cost savings they likely just flipped camera permissions as don’t worry about the small edge cases like these.

        With that said, Mullvad is a million times better, cheaper and doesn’t require even an email or account creation to use. They created a system that effectively anonymizes the user before they even subscribe.

      • ricecake@sh.itjust.works
        link
        fedilink
        arrow-up
        9
        ·
        1 year ago

        To be fair, they didn’t offer that level of granular control for a while.
        If you’re a company with development prioritization that makes it difficult to say “we need to take a few weeks of not working of things that make money to reimplement something we already have that works, because of best practices that don’t make us any money” then it can be really difficult to make changes like that.

  • meseek #2982@lemmy.ca
    link
    fedilink
    arrow-up
    89
    arrow-down
    4
    ·
    1 year ago

    I don’t get why the entire world isn’t on Mullvad.

    I don’t trust these guys at all. I trialed them and despite their full money back guarantee, they locked me into a support loop, always switching support staff with boiler plate responses and links that dealt with account issues or whatever. It wasn’t until I left a stern reply demanding the refund or I would escalate the matter with the proper regulatory bodies.

    It took 4 support tickets. To me, they came across hella shady.

        • synestia@lemmy.ml
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          You can set up a VPS and tunnel that to your minecraft server using wireguard some iptables magic if you’re into Linux.

        • nickiam2@aussie.zone
          link
          fedilink
          arrow-up
          0
          arrow-down
          1
          ·
          1 year ago

          AirVPN still has port forwarding. They are run by a non profit activist group and you can use it without their app. Works with openvpn and wireguard natively.

    • kryllic@programming.dev
      link
      fedilink
      arrow-up
      17
      arrow-down
      2
      ·
      1 year ago

      Dilly dilly, Mullvad is great. I prefer it over ProtonVPN just for how lightweight and simple it is

    • xenspidey@lemmy.zip
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      5
      ·
      1 year ago

      I know this isn’t popular but I really like Nord. I’ve been with them for years before the ad campaigns that turned people off. Mullvad can use wireguard so I may look at them again at some point, but the Linux cli client for Nord is really solid and picks the fastest server in whatever region you like.

      • meseek #2982@lemmy.ca
        link
        fedilink
        arrow-up
        7
        ·
        1 year ago

        Wireguard is insanely fast. Like insanely fast compared to traditional VPN connections. For me that is an absolute dealbreaker they don’t have it.

        Once you start using Wireguard you can’t go back.

        • SokathHisEyesOpen@lemmy.ml
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Thanks for the update. I just checked them out and they seem like they have a lot of servers. They’re almost double what I paid for Nord. Is there enough of a difference to consider switching? My Nord subscription doesn’t expire for five more months though.

    • rwhitisissle@lemmy.ml
      link
      fedilink
      arrow-up
      1
      arrow-down
      8
      ·
      1 year ago

      Worst thing about mullvad is they only offer like 5 devices or so for your subscription. If they bumped it up to 7 or 8 I’d have no complaints.

        • rwhitisissle@lemmy.ml
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          I didn’t say it was unreasonable. I just think it would be nice to have a couple more. I’m usually running out on the devices I run and have to proactively prune connections from machines that might, at the moment, not be using them. What I really wish is that it had tiers: like paying 1 euro for each available connection, versus just “5 euros and 5 connections” - I don’t need 10 full connections, but I’d be happy paying 7 euros for 7 connections.

  • Nollij@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    50
    arrow-down
    1
    ·
    1 year ago

    What kind of VPN would need those permissions?

    The one that Edward Snowden (yes, that one) publicly and explicitly called out that people shouldn’t use. I won’t rehash it here, but it’s worth reading about.

  • Captain Beyond@linkage.ds8.zone
    link
    fedilink
    arrow-up
    31
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Not an endorsement of ExpressVPN, I’ve learned to avoid companies that sponsor on youtube. However, I believe you don’t need the proprietary app to use the service, you could use a free software OpenVPN client such as this one.

    They do offer support for OpenVPN although, unsurprisingly, they heavily push their proprietary client as the preferred way to use the service. This alone would be enough to discourage me from using it or recommending it.

  • fubarx@lemmy.ml
    link
    fedilink
    arrow-up
    29
    arrow-down
    1
    ·
    1 year ago

    There are Bluetooth FIDO security keys out there for 2FA, like: https://thetis.io/products/fido2-ble-security-key. Some implementations can also use a phone, running an app via BLE. Not sure if they use it, but that could be one reason it’s asking for that permission.

    Camera permission may be needed for scanning QRCodes to set up 2FA.

  • ekky43@lemmy.dbzer0.com
    link
    fedilink
    arrow-up
    27
    ·
    1 year ago

    Dunno about Bluetooth, but isn’t Expressvpn pushing their new password manager? I imagine it’s a separate app, but if not, then it would make sense to have camera to read 2FA QR-codes.

  • Omega_Haxors@lemmy.ml
    link
    fedilink
    arrow-up
    29
    arrow-down
    3
    ·
    1 year ago

    If handfuls of youtube sponsor callout videos has been proof of, is that you should never use a service advertised on youtube.

  • thepiguy@lemmy.ml
    link
    fedilink
    arrow-up
    19
    arrow-down
    3
    ·
    edit-2
    1 year ago

    I prefer mullvad. Not only is their pricing and account system much more privacy focused, they are a European (Swedish) company and are bound by the laws of my country by default. Another European one is surfshark (Dutch) which I used before. I trust mullvad more though. They also have open source clients and had no user data stored when they were raided once before.

    Edit: clarifying the reason I used surfshark. I used it back when I was in high school a few years ago, so their 3 year plan seemed like a very good price. They also supported this very obscure VPN protocol whose name I can’t remember, and my school just so happened to have forgotten to block it on their network. But I couldn’t use that protocol on Linux due to incomplete connection steps provided by surfshark, and I switched to using linux full time in the second half of my first year, so that was a waste and I just used my mobile data.