Popular VPN vendor ExpressVPN announced on Tuesday that cybersecurity firm Cure53 conducted separate assessments of its Android and iOS mobile apps through white-box penetration testing and source-code audits. The audit of its Android app was conducted in August, while the iOS audit occurred from late August to early September.
Cure53’s audits also covered ExpressVPN Keys, the password manager integrated into the mobile apps, along with the apps’ VPN protocol integration and dependencies.
These independent security assessments are crucial in providing unbiased information regarding ExpressVPN’s security claims. Additionally, they offer insight into how well the VPN can defend itself against cyberattacks from malicious actors and third-party applications.
“We recognize the growing global need for digital privacy and security protections, which is why I’m delighted to share that both of ExpressVPN’s mobile apps have now been audited by Cure53’s independent security experts. This announcement is even more significant as it comes just weeks after complete audits of our three desktop apps, as well as KPMG’s audit of our no-logs policy,” said ExpressVPN penetration testing manager Brian Schirmacher. “Audits by esteemed cybersecurity firms such as Cure53 are one of our many trust and transparency initiatives. We want to continue setting the bar high for the industry.”
During its audit of the Android app, Cure53 discovered three security vulnerabilities, rated as “medium” or “low” severity. The cybersecurity firm also made ten general hardening recommendations for issues identified as “Miscellaneous: Informational”.
“This outcome provides ample evidence that the ExpressVPN team is not only acutely aware of the many problems that modern VPN applications tend to face, but also able to effectively counter them,” said Cure53 in its report. “Generally speaking, despite the relatively high yield of findings, the overall impression gained by the testing team following this engagement is adequately positive. This primarily owes to the fact that the vast majority of findings are variations of common misconfigurations that are often present in Android applications.”
“This positive viewpoint is also corroborated by the fact that none of the aforementioned vulnerabilities can be directly abused to conduct successful attacks,” the firm added.
For the iOS app, Cure53’s audit found four vulnerabilities, rated as “medium” or “low” severity. Additionally, the cybersecurity firm made five hardening recommendations with lower potential for exploitation.
“The fact that all findings were assigned a severity rating of Medium or lower indicates a complete lack of significant attack surfaces and damaging threat potential,” said Cure53. “All in all, the development team deserves every plaudit for their due diligent efforts in minimizing any potential threats for the iOS application, with only minor adjustments required to further elevate the platform to an exemplary standard from a security perspective.”
ExpressVPN has since addressed all vulnerabilities listed in the audits of its Android and iOS apps, with its internal security team fixing most of the issues.