The final report of the external security audit on our VPN app, version 2018.2, is now publicly available.
As summarized in the report, "the assessment yielded a total of seven issues, which [is] an exceptionally small number given the complex field of the VPN software and the connected, vast attack surface."
Of those seven, six issues related to the app, none of which were remotely exploitable. In addition, the testers found no traffic leaks and no ways for a network-based attacker to force leaks. The remaining issue had to do with our website.
Read the final audit report, made available on Cure53's website.
Also public is the initial report, the version that was first presented to us. After a discussion with the auditors about the use of certain terminology, they adjusted the report to provide better clarity and produced the final version.
An independent audit helps us discover and fix potential security vulnerabilities, resulting in an even better service. It also gives you the opportunity to judge whether or not we are technically competent enough to provide a service in which security is paramount.
Thanks to the audit's findings, we prioritized our app development accordingly and released version 2018.3. Be sure you're using the latest version of the Mullvad VPN app – download now.
Of the seven issues found, the two identified vulnerabilities required local access to the computer. Of the five miscellaneous issues, three required local access, one pertained to our website, and the last one reflected on software dependencies.
Regarding the five findings that depended on local access, it should be noted that in general we do not consider attackers with local access to be part of our threat model. Nonetheless, we will of course consider all recommendations made by the auditors to further improve the security of our app.
Please feel free to contact us if you have any questions after reading this post or the audit report.
As described by the auditors, "This section covers those noteworthy findings that did not lead to an exploit but might aid an attacker in achieving their malicious goals in the future.
"Most of these results are vulnerable code snippets that did not provide an easy way to be called. Conclusively, while a vulnerability is present, an exploit might not always be possible."