We invite you to read the final report of the independent security audit performed on the Mullvad VPN app.
As stated in the report, “The results of this May-June 2020 project targeting the Mullvad [app] are quite positive.” The audit was performed on the five supported platform versions of the app: desktop version 2020.4, Android version 2020.5-beta1, and the iOS test flight version of 2020.3.
The auditors “could only spot seven security-relevant items. Moreover, penetration tests and audits against application branches of Mullvad exclusively pointed to issues with limited severities, as demonstrated by the most impactful flaw scoring as Medium only.”
Six testers from Cure53 performed the audit over the course of 20 days.
Read the report
The final audit report is available on Cure53’s website.
For full transparency, the initial report is also public. This is the version that was initially presented to us. After a discussion with the auditors about the use of certain terminology and requesting that they specify which app versions had been audited, they adjusted the report and produced the final version.
An independent audit helps us to discover potential security vulnerabilities and fix them, all resulting in an even better service for our users. It also gives you the opportunity to judge whether or not we are technically competent enough to provide a service in which security is paramount.
Upgrade your app
Based on the auditors’ findings, we’ve prioritized our improvements accordingly and released new versions for all platforms:
- Windows, macOS, and Linux: 2020.5
- Android: 2020.5-beta2
- iOS: 2020.3.
Download Mullvad VPN to get the latest version.
Overview of findings
Of the seven issues found, two were classified by the auditors as “Medium”, two as “Low”, and the remaining three as “Info”. The auditors did not find anything that they would classify as dangerous or critical, and according to the report, “Mullvad does a great job protecting the end-user from common PII [personally identifiable information] leaks and privacy related risks.”
We fixed five of the seven issues and merged them before the final report was finished and sent to us. The remaining two are items that we do not deem as serious problems nor are they a threat to us or our users. Furthermore, we have no way of patching those two as they are out of our control.