Why Android VPN applications do not use BIND_VPN_SERVICE?

Question

I am analyzing Android VPN applications(e.g., Hola**) permissions usage. It is stated, as far as Google official manual(http://developer.android.com/reference/android/Manifest.permission.html), that a VPN application must use BIND_VPN_SERVICE permission but Hola does not stat it in its Manifest file. I want to know why it does not use this permission and how it (or in general VPN apps) offers VPN service?

** Hola's permissions in Manifest file:

• android.permission.RECEIVE_BOOT_COMPLETED
• android.permission.READ_EXTERNAL_STORAGE
• android.permission.WRITE_EXTERNAL_STORAGE
• android.permission.GET_ACCOUNTS
• android.permission.READ_PHONE_STATE
• android.permission.INTERNET
• android.permission.ACCESS_NETWORK_STATE
• android.permission.GET_TASKS
• android.permission.SYSTEM_ALERT_WINDOW
• android.permission.MODIFY_AUDIO_SETTINGS
• android.permission.WAKE_LOCK
• com.google.android.c2dm.permission.RECEIVE
• org.hola.permission.C2D_MESSAGE
• com.android.browser.permission.READ_HISTORY_BOOKMARKS
• com.android.browser.permission.WRITE_HISTORY_BOOKMARKS
• android.permission.ACCESS_FINE_LOCATION

Answer 1

I want to know why it does not use this permission

Because it does not need the permission, which is good because it cannot hold the permission. BIND_VPN_SERVICE is a signature-level permission.

Quoting the documentation for BIND_VPN_SERVICE, with emphasis added:

Must be required by a VpnService, to ensure that only the system can bind to it.

Where you should find BIND_VPN_SERVICE in an app's manifest is not in a <uses-permission> element, but rather in an android:permission attribute on a <service> element for the VpnService implementation. The app is defending a component using a permission, not using the permission to talk to other apps.