After confirming it passed three independent security audits just one month ago, ExpressVPN has released the results of further testing of its software.
Again, the provider seems to have passed these latest audits with a perfect score.
This time, Cure53’s cybersecurity experts were called in to evaluate the ExpressVPN mobile apps. The provider’s own password manager tool, ExpressVPN Keys (available in both the iOS and Android apps at no extra charge), was also tested for vulnerabilities.
Despite some minor bugs the provider said it had already addressed, Cure53 was pleased with the results and the commitment shown by the ExpressVPN team to confront “many of the problems modern VPN applications tend to face.”
“Dedicated efforts to minimize potential threats”
“Overall, the development team has spared no significant effort to minimize potential threats to iOS applications, with only minor adjustments necessary to further bring the platform to an exemplary standard in terms of security. , is commendable,” the audit firm concluded in the iOS audit report.
The Android audit report closed with similar results. Cure53 was also happy with the access and collaboration the provider granted throughout the process.
Between August 2022 and September 2022, a team of 3-5 senior testers performed white box testing and source code audits of ExpressVPN’s iOS and Android apps.
For the first time, ExpressVPN Keys has also been tested to ensure it correctly protects users’ login details.
Both audits uncovered only a few minor vulnerabilities, which pose little risk to user data.
Specifically, the iOS audit identified a total of nine issues. Of these, only four were classified as low-risk and medium-risk security vulnerabilities. The remaining five were called “generic weaknesses that are unlikely to be exploited.”
Android testing uncovered a total of 13 vulnerabilities. Again, only three of the findings were considered low or medium severity security bugs.
However, as reported by Cure53, “Most of the findings are variations on common misconfigurations commonly found in Android applications. It’s also backed up by the fact that you can’t make it work.”
ExpressVPN’s own password manager also received positive feedback, leaving an “overall solid impression.”
These latest tests bring ExpressVPN’s total to 13 published independent VPN audits since 2018. Additionally, a security evaluation of the ExpressVPN Keys browser extension is underway.
Brian Schirmacher, Penetration Testing Manager at ExpressVPN, said: “The highest standards for the industry.”