Our users rely on us to keep their online activity private and secure through our software and the privacy measures we have in place. In order to validate that ExpressVPN’s security safeguards work as intended, we conduct numerous tests in-house while also regularly commissioning third-party audits.
We’re happy to announce that cybersecurity firm Cure53 has conducted separate assessments of our Android and iOS mobile apps through white-box penetration testing and source-code audits. The audit of our Android app was conducted in August, and the iOS audit from late August to early September.
The audits included examinations of ExpressVPN Keys, a password manager integrated in our mobile apps, as well as our VPN protocol integration and dependencies.
These independent assessments are paramount in providing unbiased verification of our security claims. They also offer insight into how well our VPN can withstand attacks by malicious users and third-party applications. We are pleased with the verifications conducted by Cure53 and look forward to even more audits to help elevate our industry-leading security posture.
“We recognize the growing global need for digital privacy and security protections, which is why I’m delighted to share that both of ExpressVPN’s mobile apps have now been audited by Cure53’s independent security experts. This announcement is even more significant as it comes just weeks after complete audits of our three desktop apps, as well as KPMG’s audit of our no-logs policy,” said Brian Schirmacher, penetration testing manager at ExpressVPN. “Audits by esteemed cybersecurity firms such as Cure53 are one of our many trust and transparency initiatives. We want to continue setting the bar high for the industry.”
ExpressVPN’s Android and iOS mobile apps confirmed secure
During their in-depth investigation of our Android mobile app, Cure53 discovered three security vulnerabilities, rated as “medium” or “low” severity. They also made ten general hardening recommendations, all for issues identified as “Miscellaneous: Informational”.
“This outcome provides ample evidence that the ExpressVPN team is not only acutely aware of the many problems that modern VPN applications tend to face, but also able to effectively counter them,” states Cure53 in its report. “Generally speaking, despite the relatively high yield of findings, the overall impression gained by the testing team following this engagement is adequately positive. This primarily owes to the fact that the vast majority of findings are variations of common misconfigurations that are often present in Android applications.”
“This positive viewpoint is also corroborated by the fact that none of the aforementioned vulnerabilities can be directly abused to conduct successful attacks.”
Read Cure53’s audit report of our Android mobile app.
As for our iOS app, Cure53’s detailed security assessment identified four vulnerabilities, all rated as “medium” or “low” severity. Three of these issues are linked to local information disclosure, which means that a threat actor would need physical access to a user’s device or have compromised it for there to be any impact on the user. The review also made five hardening recommendations with lower exploitation potential.
“The fact that all findings were assigned a severity rating of Medium or lower indicates a complete lack of significant attack surfaces and damaging threat potential,” Cure53 states. “All in all, the development team deserves every plaudit for their due diligent efforts in minimizing any potential threats for the iOS application, with only minor adjustments required to further elevate the platform to an exemplary standard from a security perspective.”
Read Cure53’s full audit report for iOS.
We have since addressed all feedback highlighted in the audits of our Android and iOS mobile apps. Our internal security team fixed the majority of issues. Those that we decided not to modify were because of the fixes’ potential impacts on app usability and functionality, which Cure53 agreed with.
Our dedication to safeguarding user privacy
These two new mobile app audits bring ExpressVPN’s list of total published security assessments to 13. Here is a list of our past external audits, ordered chronologically:
- An audit by KPMG of our no-logs policy (September 2022)
- An audit by Cure53 of our Linux app (August 2022)
- An audit by Cure53 of our macOS app (July 2022)
- A security audit by Cure53 of our Aircove router (July 2022)
- A security audit by Cure53 of TrustedServer, our in-house VPN server technology (May 2022)
- An audit by F-Secure of our Windows v12 app (April 2022)
- A security audit by F-Secure of our Windows v10 app (March 2022)
- A security audit by Cure53 of our VPN protocol Lightway (August 2021)
- An audit by PwC Switzerland on our build verification process (June 2020)
- An audit by PwC Switzerland of our privacy policy compliance and our in-house technology TrustedServer (June 2019)
- A security audit by Cure53 of our browser extension (November 2018)
As we grow our range of privacy and security offerings, we are eager to release even more regular third-party verifications for our products.
Take back control of your privacy
30-day money-back guarantee