I am fully aware of what VPN services to use and not. I am not using Express VPN; I am simply doing research for a master's thesis, when I came across these results from Express VPN. If you have any ideas or corrections, please let me know why a VPN provider would need to have access to these permissions.

The screenshot is from the Exodus service, which lets you view exactly what permissions and trackers each app uses. You can check out the results and the tool for yourself here: https://reports.exodus-privacy.eu.org/en/reports/com.expressvpn.vpn/latest/


  • BuddyTheBeefalo · 67 up, 2 down · 8 months ago

    Best practices would not require camera permissions to scan QR codes.

    Scan barcodes

    Android includes support for the Google Code Scanner API, powered by Google Play services, which allows you to decode barcodes without declaring any camera permissions. This API helps preserve user privacy and makes it less likely that you need to create a custom UI for your barcode-scanning use case.

    The API scans the barcode and only returns the scan results to your app. Images are processed on-device, and Google doesn’t store any data or scan results.

    https://developer.android.com/privacy-and-security/minimize-permission-requests
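
A sketch of the Google code scanner API described in the quoted Android documentation, added here as an illustration; it is not code from the thread or from any VPN vendor's app. The `ScanResult` type, the function name and the payload rule are assumptions made for the example, and the scanning UI itself runs inside Google Play services.

```kotlin
// Added example. The app manifest declares no android.permission.CAMERA.
// Gradle artifact (version omitted): com.google.android.gms:play-services-code-scanner
import android.content.Context
import com.google.mlkit.vision.barcode.common.Barcode
import com.google.mlkit.vision.codescanner.GmsBarcodeScannerOptions
import com.google.mlkit.vision.codescanner.GmsBarcodeScanning

// Hypothetical result type for this example.
sealed interface ScanResult {
    data class Code(val value: String) : ScanResult
    object Cancelled : ScanResult
    data class Failed(val reason: String) : ScanResult
}

// Assumed payload rule (constructed for the example): short printable ASCII only.
private val ALLOWED_PAYLOAD = Regex("^[\\x21-\\x7E]{1,256}$")

fun scanQrWithoutCameraPermission(context: Context, onResult: (ScanResult) -> Unit) {
    // Restrict decoding to QR codes so other barcode types are ignored.
    val options = GmsBarcodeScannerOptions.Builder()
        .setBarcodeFormats(Barcode.FORMAT_QR_CODE)
        .build()

    // Play services opens its own scanner screen; the app receives only the result.
    GmsBarcodeScanning.getClient(context, options)
        .startScan()
        .addOnSuccessListener { barcode ->
            val raw = barcode.rawValue
            // Treat the decoded text as untrusted input before using it.
            onResult(
                if (raw != null && ALLOWED_PAYLOAD.matches(raw)) ScanResult.Code(raw)
                else ScanResult.Failed("unexpected QR payload")
            )
        }
        .addOnCanceledListener { onResult(ScanResult.Cancelled) }
        .addOnFailureListener { e -> onResult(ScanResult.Failed(e.message ?: "scan failed")) }
}
```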

    • meseek #2982@lemmy.ca · 28 up, 1 down · edited 8 months ago

      I’m going to assume they didn’t implement this because money. Their app runs on everything, from iOS to Android to Windows. For cost savings, they likely just flipped camera permissions and didn’t care about small edge cases like these.

      With that said, Mullvad is a million times better, cheaper and doesn’t require even an email or account creation to use. They created a system that effectively anonymizes the user before they even subscribe.

    • ricecake@sh.itjust.works · 10 up · 8 months ago

      To be fair, they didn’t offer that level of granular control for a while.
      If you’re a company with development prioritization that makes it difficult to say “we need to take a few weeks of not working on things that make money to reimplement something we already have that works, because of best practices that don’t make us any money” then it can be really difficult to make changes like that.

    • Aux@lemmy.world · 11 up, 3 down · 8 months ago

      You don’t want to scan secure QR codes through Google APIs. You can be at risk of Google stealing the contents.

          • uis@lemmy.world · 1 up · 8 months ago

            Doesn’t it use IPC? So only the separately installed barcode scanner needs the camera.

            • Aux@lemmy.world · 1 up · 8 months ago

              Mate, you need to give access rights to someone. The camera won’t open magically. The reality is that it’s safer to do everything inside your app, especially when you advertise security.