After confirming that it passed three independent security audits just a month ago, ExpressVPN has just released the results of further testing of its software.
Again, the provider appears to have passed these recent audits with full marks.
This time around, Cure53’s cybersecurity experts were called upon to evaluate ExpressVPN’s mobile apps. Its own ExpressVPN Keys password management tool – which is available at no extra cost with both iOS and Android apps – has also been tested for vulnerabilities.
Despite a few minor bugs that the provider has already fixed, Cure53 was pleased with the results and the ExpressVPN team’s commitment to tackling “many of the issues modern VPN apps face.”
“Strong efforts to minimize potential risks”
“Overall, the development team deserves the highest praise for their due diligence in minimizing any potential threats to iOS apps, with only minor adjustments required to further elevate the platform to an exemplary standard from a security standpoint,” the audit firm concluded in its iOS audit report.
The Android audit report ended on a similar note. Cure53 was also satisfied with the access and cooperation the provider granted throughout the process.
Teams of three and five senior testers conducted white-box tests and source code audits of the ExpressVPN iOS and Android apps between August 2022 and September 2022 to determine whether ExpressVPN mobile apps can successfully withstand external attacks.
ExpressVPN Keys has also been tested for the first time to ensure it properly secures user login information.
Both audits revealed only a few minor vulnerabilities, with very little risk to user data.
Specifically, the iOS audit identified a total of nine issues. Of these, only four were classified as low to medium risk vulnerabilities. The remaining five were identified as “general weaknesses with lower operational potential”.
The Android tests, meanwhile, revealed a total of 13 vulnerabilities. Again, only three of these were considered low or medium security bugs.
However, as reported by Cure53: “The vast majority of the discoveries are variations of common misconfigurations that are common in Android apps. This positive point of view is also confirmed by the fact that none of the vulnerabilities listed above can be directly exploited to launch successful attacks.”
ExpressVPN’s own password manager also received positive feedback, garnering a “solid impression overall”.
These recent tests brought the number of independent VPN audits published by ExpressVPN to 13 as of 2018. Moreover, a security rating of the ExpressVPN Keys browser extension is also on the way.
“We see a growing global demand for digital privacy and security protection,” said Brian Schirmacher, Penetration Testing Manager at ExpressVPN. “Auditing from respected cybersecurity firms such as Cure53 is one of our many trust and transparency initiatives. We want to continue to set the bar high for the industry.”