FAQ: New national security law – Hong Kong

Mullvad

We frequently get questions about HK and its new security law.
The most common question is “Why haven’t you already pulled out of HK altogether?”, but some customers emphasize the need of servers in HK and voice their concern that we might withdraw.

Our VPN service, as well as our relays and bridges, can be used for many reasons and in many different ways. However, if you have privacy concerns, it might be good to choose a server location in a jurisdiction YOU prefer. Also consider using Multihop. Deciding on a location could be based on jurisdiction, network quality, blocking and throttling, and many other factors.

For instance, you can use our bridge service with Singapore as an entry location and the U.S. as an exit location if that’s a combination that fits your needs. Alternatively, you can use the Multihop function in WireGuard. The traffic will be encrypted from your computer to the exit server, and the bridge or WG server in the middle will just route traffic to the exit node without being able to decrypt it. Depending on your threat model, using two locations with different jurisdictions might be beneficial.

Results available from audit of Mullvad app

Mullvad

We invite you to read the final report of the independent security audit performed on the Mullvad VPN app.

As stated in the report, “The results of this May-June 2020 project targeting the Mullvad [app] are quite positive.” The audit was performed on the five supported platform versions of the app: desktop version 2020.4, Android version 2020.5-beta1, and the iOS test flight version of 2020.3.

The auditors “could only spot seven security-relevant items. Moreover, penetration tests and audits against application branches of Mullvad exclusively pointed to issues with limited severities, as demonstrated by the most impactful flaw scoring as Medium only.”

Six testers from Cure53 performed the audit over the course of 20 days.

Read the report

The final audit report is available on Cure53’s website.

For full transparency, the initial report is also public. This is the version that was initially presented to us. After a discussion with the auditors about the use of certain terminology and requesting that they specify which app versions had been audited, they adjusted the report and produced the final version.

An independent audit helps us to discover potential security vulnerabilities and fix them, all resulting in an even better service for our users. It also gives you the opportunity to judge whether or not we are technically competent enough to provide a service in which security is paramount.

Upgrade your app

Based on the auditors’ findings, we’ve prioritized our improvements accordingly and released new versions for all platforms:

  • Windows, macOS, and Linux: 2020.5
  • Android: 2020.5-beta2
  • iOS: 2020.3.

Download Mullvad VPN to get the latest version.

Overview of findings

Of the seven issues found, two were classified by the auditors as “Medium”, two as “Low”, and the remaining three as “Info”. The auditors did not find anything that they would classify as dangerous or critical, and according to the report, “Mullvad does a great job protecting the end-user from common PII [personally identifiable information] leaks and privacy related risks.”

We fixed five of the seven issues and merged them before the final report was finished and sent to us. The remaining two are items that we do not deem as serious problems nor are they a threat to us or our users. Furthermore, we have no way of patching those two as they are out of our control.

Full article

Mullvad VPN Android app available on F-Droid!

Mullvad

Our Android app is now available through yet another distribution channel: F-Droid.

It was the plan all along to offer the Android app via three different distribution channels. It was first made available on our website as a standalone installer APK in version
2019.8-beta1 on 2019-09-19. It was then made available on Google Play in version
2020.4-beta1 on 2020-03-31. And now, finally! Catering more to the Open Source community, we are available via F-Droid with the recent 2020.5-beta2 release.

The app is still classified as a beta due to stability issues on some devices and versions of Android. But it gets better with every release, and we are pretty close to making a stable release now.

Full article

Mullvad VPN assessed in external security audit new beta version (2020.5-beta2) available

Mullvad

An independent security audit of the Mullvad VPN app was recently completed. Based on the auditors’ findings, we’ve prioritized our improvements accordingly and released a new beta version for desktop and Android.

Here are the new beta versions:

  • Windows, macOS, Linux: 2020.5-beta2 which you can download on our website or wait until we release the next stable version, which we always recommend that you have.
  • Android: 2020.5-beta2, to be released shortly.

During the assessment, auditors from Cure53 found nothing that they define as critical and were “unable to compromise the [app].”

Why you should care about VPN audits

An independent audit helps us to discover potential security vulnerabilities and fix them, all resulting in an even better service for our users. It also gives you the opportunity to judge whether or not we are technically competent enough to provide a service in which security is paramount.

Final audit report coming soon

We will publish a link to the audit report and an overview of the findings when it becomes available on Cure53’s website.

Full article

iOS app release improves VPN connection (2020.2)

Mullvad

A new iOS version of the Mullvad VPN app should mean fewer disconnections.

What’s new in this version

To provide a more stable connection, the app now automatically enables the device’s on-demand VPN setting whenever a connection is made. Users should experience fewer sudden disconnections.

Other updates:

  • Format account number in groups of 4 digits separated by whitespace on login screen.
  • Fix “invalid account” error that was mistakenly reported as “network error” during log in.

Full blog post

Launched: Mullvad VPN for iOS is here

Mullvad

The official Mullvad VPN app is now available for iOS users! Pull out your iPhone and get it in the App Store.

What to expect

The iOS version of the Mullvad VPN app exclusively uses the WireGuard VPN protocol. In the app, you can both regenerate and verify WireGuard keys.

Running out of time on your account? You can top it up using the in-app payment feature, but the option to add time via the Mullvad website is still available.

The Mullvad VPN app on iOS contains the same essential functions as its desktop counterpart: login with only your account number, secure your connection with the tap of a button, and easily change your location.

Got feedback for us? Send it our way! Knowing what you experience helps us more quickly identify issues and prioritize features for future releases.

Full article

Auto-connect feature in new Android release (2020.4-beta1)

Mullvad

What’s new in this version

An Auto-connect option is now available under the Preferences menu. Enable this and the app will automatically connect to a server when it launches. If your Android device has the “Always-on VPN” feature, you can combine these two functionalities to automatically secure your connection from the moment you power on your phone.

You can now add an app shortcut tile to Android’s Quick Settings menu. A single tap on the tile will connect or disconnect you while tapping and holding opens the app.

Full blog post

New law 1 April 2020 – Swedish Covert Surveillance of Data Act

Mullvad

New law in Sweden 1 April 2020

Covert Surveillance of Data Act (SFS 2020:62) (the act is short-term legislation and will enter into force on 1 April 2020)

Short Summary:

Since Mullvad VPN is not to be regarded as an electronic communications service with a reporting obligation according to LEK, Chapter 2, Section 1, Mullvad VPN cannot be subject to a duty to cooperate in connection with the enforcement of a decision authorising covert surveillance of data in accordance with the new Covert Surveillance of Data Act.

For users (of computers and other electronic devices), the new Covert Surveillance of Data Act grants law enforcement agencies the authority, upon a special permit (in each specific case) from a competent Swedish court, to secretly install software or hardware on suspect users’ devices or devices which the suspect in special cases have or will most likely contact. This implies that law enforcement agencies may access a suspect user’s information before it is encrypted by VPN-services such as Mullvad VPN.

To read the full text:
Swedish: https://mullvad.net/help/lagen-om-hemlig-dataavlasning/
English: https://mullvad.net/help/swedish-covert-surveillance-data-act/