ExpressVPN just proved the security of its software with new audits
After confirming about a month ago that it had passed three independent security audits, ExpressVPN has now released the results of further testing on its software.
Again, the provider appears to have passed these latest audits with full marks.
This time, cybersecurity experts from Cure53 were called upon to review ExpressVPN’s mobile apps. The proprietary password management tool ExpressVPN Keys — which comes with both the iOS and Android apps at no extra cost — was also tested for any vulnerabilities.
Despite a few minor bugs, which the provider said it had already fixed, Cure53 was pleased with the results and the ExpressVPN team’s efforts in mitigating “many problems that modern VPN applications often face.”
Diligent efforts to minimize potential threats
“Overall, the development team is to be commended for their diligent efforts in minimizing potential threats to the iOS application, with only minor tweaks required to further elevate the platform to an exemplary standard from a security perspective,” the iOS audit report concluded.
The Android audit report ended with a similar result. At the same time, Cure53 was happy with the access and collaboration the provider granted throughout the process.
Teams of three and five senior testers performed white-box testing and source code audits on ExpressVPN’s iOS and Android apps between August 2022 and September 2022. These were to determine whether ExpressVPN’s mobile apps could successfully resist external attacks.
For the first time, ExpressVPN Keys was also tested to ensure it properly secures user credentials.
Both audits revealed only a handful of minor vulnerabilities, which posed very little risk to users’ data.
Specifically, the iOS audits revealed a total of nine issues. Of these, only four were categorized as low and medium risk security vulnerabilities. The remaining five were termed “general weaknesses with lower exploitation potential”.
The Android tests, meanwhile, revealed a total of 13 vulnerabilities. Again, only three of the findings were considered low or medium severity security bugs.
However, as Cure53 reported: “The vast majority of the findings are variations on common misconfigurations often present in Android applications. This positive view is also confirmed by the fact that none of the above vulnerabilities can be directly exploited to launch successful attacks.”
ExpressVPN’s own password manager also received positive feedback, getting “overall a solid impression”.
These latest tests bring the total of ExpressVPN’s published independent VPN audits to 13 since 2018. Additionally, a security review of the ExpressVPN Keys browser extension is also on the way.
“We recognize the growing global need for digital privacy and security protections,” said Brian Schirmacher, penetration testing manager at ExpressVPN. “Audits by esteemed cybersecurity firms like Cure53 are one of our many trust and transparency initiatives. We want to raise the bar for the industry.”