Results available from audit of Mullvad app
We invite you to read the final report of the independent security audit performed on the Mullvad VPN app.
As stated in the report, “The results of this May-June 2020 project targeting the Mullvad [app] are quite positive.” The audit was performed on the five supported platform versions of the app: desktop version 2020.4, Android version 2020.5-beta1, and the iOS TestFlight version of 2020.3.
The auditors “could only spot seven security-relevant items. Moreover, penetration tests and audits against application branches of Mullvad exclusively pointed to issues with limited severities, as demonstrated by the most impactful flaw scoring as Medium only.”
Six testers from Cure53 performed the audit over the course of 20 days.
Read the report
The final audit report is available on Cure53's website.
For full transparency, the initial report is also public. This is the version that was initially presented to us. After a discussion with the auditors about the use of certain terminology and requesting that they specify which app versions had been audited, they adjusted the report and produced the final version.
An independent audit helps us to discover potential security vulnerabilities and fix them, all resulting in an even better service for our users. It also gives you the opportunity to judge whether or not we are technically competent enough to provide a service in which security is paramount.
Upgrade your app
Based on the auditors' findings, we’ve prioritized our improvements accordingly and released new versions for all platforms:
- Windows, macOS, and Linux: 2020.5
- Android: 2020.5-beta2
- iOS: 2020.3
Download Mullvad VPN to get the latest version.
Overview of findings
Of the seven issues found, two were classified by the auditors as “Medium”, two as “Low”, and the remaining three as “Info”. The auditors did not find anything that they would classify as dangerous or critical, and according to the report, “Mullvad does a great job protecting the end-user from common PII [personally identifiable information] leaks and privacy related risks.”
We fixed five of the seven issues and merged the fixes before the final report was finished and sent to us. The remaining two are items that we do not consider serious problems or a threat to us or our users. Furthermore, we have no way of patching those two, as they are out of our control.
MUL-02-002 WP2: Firewall allows deanonymization by eavesdropper (Medium)
Our comment: Fixed in desktop version 2020.5. This is a legitimate and fully possible deanonymization attack. However, as it is not trivial to execute, Cure53 classifies it as Medium only. This vulnerability is not an issue for any normal user. But as outlined in the report’s conclusion, a "state-funded and persistent threat" could very well use it to identify users.
Since anonymity for our users, including those with high threat models, is paramount for us, we regard this finding as a rather serious one, but not critical enough to justify rushing out a stable release.
MUL-02-006 WP1: Blind HTML Injection via Problem Report (Low)
Our comment: This finding does not put any user or the service itself at risk. The problem reports are handled as plaintext and not HTML, all the way from the app to the support team. The pingback observed in the report comes from Google's Gmail servers which simply seem to query any URL they can parse in email bodies passing through their servers.
As such, we do not agree with the classification as an HTML injection issue. There is likely no way for us to disable this, and even if it were exploitable, it would be Google that would be compromised and not Mullvad.
MUL-02-007 WP2: Named Pipe exposed via SMB accessible to everyone (Medium)
Our comment: Fixed in desktop version 2020.5. This vulnerability allows for controlling Mullvad VPN on a Windows machine from the network. However, it requires the user to both enable "Local network sharing" in the app and disable Windows' "password protected sharing", neither of which is done by default.
We do not see this as a large security flaw, since the user must explicitly turn off important security settings for this to be exploitable to begin with. However, since the VPN is only meant to be controllable from the local computer and since the report presents an easy fix for the issue, we have addressed this.
MUL-02-001 iOS: Lack of filesystem protections (Info)
Our comment: Fixed in iOS version 2020.3. The app does not in any way need the cache file that was found. Since the exposed data is not very sensitive and getting the data out of the device is far from trivial, we agree with the auditors that this is not a serious leak.
MUL-02-003 WP1: General hardening recommendations for Android app (Info)
Our comment: Fixed in Android version 2020.5-beta2. These are good recommendations from Cure53 and we have implemented them in order to better practice defense-in-depth.
MUL-02-004 WP2: Firewall allows TCP connections to WireGuard® gateway (Low)
Our comment: Fixed in desktop version 2020.5. This vulnerability is very similar to MUL-02-002 but is less dangerous since no custom token can be sent out, making it harder to identify a specific user.
MUL-02-005 WP1: VpnService logs static internal IPs to Android’s syslog (Info)
Our comment: Leaking the private tunnel IP in use is considered bad but not critical. We agree with the classification level of “Info” on this security finding, since the attacker needs either adb access or a rooted phone. The logging of the IP is done by the Android operating system as soon as any VPN app uses the system's VPN API, and as far as we can tell, there is no way to disable this, nor any way for us to fix this potential information leak. All Android VPN apps are subject to the same type of leak.
This audit overview is also available in our open-source repository on GitHub. In that version, each audit finding is linked to its respective source code implementation.
Finally, we wish to thank Cure53 not only for their work but also for a smooth collaboration through the entire process!
"WireGuard" is a registered trademark of Jason A. Donenfeld.