After confirming it passed three independent security audits just about a month ago, ExpressVPN has just released the results of further testing of its software.
The provider also seems to have passed these last audits with full marks.
This time, cybersecurity experts from Cure53 were brought in to evaluate the ExpressVPN mobile apps. Its proprietary password manager tool, ExpressVPN Keys — which comes bundled with both its iOS and Android apps at no extra cost — was also tested for vulnerabilities.
Despite some minor bugs that the provider is said to have already fixed, Cure53 was pleased with the results and the ExpressVPN team’s dedication to combating “many problems faced by modern VPN applications.”
“Diligent Efforts to Minimize Potential Threats”
“All in all, the development team deserves kudos for their diligent efforts to minimize potential threats to the iOS application, with only minor adjustments required to raise the platform to an exemplary standard from a security perspective,” concluded the auditing firm in its iOS test report.
The Android test report reached a similar conclusion. Cure53 also appreciated the access and cooperation the vendor granted throughout the process.
Teams of three and five lead testers conducted white box testing and source code audits on ExpressVPN’s iOS and Android apps between August 2022 and September 2022. The aim was to determine whether ExpressVPN’s mobile apps can successfully withstand external attacks.
For the first time, ExpressVPN Keys has also been tested to ensure it properly secures users’ login credentials.
Both audits uncovered only a handful of small vulnerabilities, with very little risk to users’ data.
Specifically, the iOS audits identified a total of nine issues. Of these, only four were classified as low- and medium-risk vulnerabilities. The remaining five were labeled as “general weaknesses with less exploitation potential.”
The Android tests, meanwhile, revealed a total of 13 vulnerabilities. Again, only three of the findings were classified as low- or medium-severity vulnerabilities.
However, as Cure53 reported: “The vast majority of the results are variations on common misconfigurations that are often present in Android applications. This positive view is also confirmed by the fact that none of the above vulnerabilities can be directly exploited to carry out successful attacks.”
ExpressVPN’s own password manager also received positive feedback and made an “overall solid impression”.
These latest tests bring the total number of independent VPN audits published by ExpressVPN to 13 since 2018. A safety assessment of the ExpressVPN Keys browser extension is also in the pipeline.
“We recognize the growing global need for digital privacy and security protection,” said Brian Schirmacher, penetration testing manager at ExpressVPN. “Audits by reputable cybersecurity companies like Cure53 are one of our many trust and transparency initiatives. We want to continue to push this to raise the bar for the industry.”
Cure53 has verified the leading VPN provider as a safe choice for securing your sensitive data and login credentials on mobile devices.
https://www.techradar.com/news/expressvpn-just-proved-the-security-of-its-software-with-new-audits