ExpressVPN just proved the security of its software with new audits


About a month after confirming it had aced three independent security audits, ExpressVPN has released the results of further testing on its software.

Again, the provider seems to have passed these latest audits with full marks. 

This time, cybersecurity experts from Cure53 were called in to assess ExpressVPN's mobile apps. The provider's own password manager tool, ExpressVPN Keys – which comes at no extra cost with both its iOS and Android apps – was also tested for vulnerabilities.

Despite a few minor bugs, which the provider said it has already addressed, Cure53 was pleased with the results and the commitment shown by the ExpressVPN team in fighting back "many problems that modern VPN applications tend to face."

'Diligent efforts in minimizing any potential threats' 

"All in all, the development team deserves every plaudit for their due diligent efforts in minimizing any potential threats for the iOS application, with only minor adjustments required to further elevate the platform to an exemplary standard from a security perspective," concluded the auditing firm in its iOS audit report.

The Android audit report ended with a similar outcome. Cure53 was also pleased with the access and collaboration granted by the provider during the whole process.

Teams of three and five senior testers performed white-box testing and source-code audits on ExpressVPN's iOS and Android apps between August 2022 and September 2022. The aim was to determine whether ExpressVPN's mobile apps could successfully withstand external attacks.

For the first time, ExpressVPN Keys was also tested to ensure it correctly secures users' login details.

Both audits revealed only a handful of minor vulnerabilities, posing very little risk to users' data.

Specifically, the iOS audit identified a total of nine issues. Among these, only four were categorized as low- and medium-risk security vulnerabilities. The remaining five were referred to as "general weaknesses with lower exploitation potential."

The Android testing, meanwhile, revealed a total of 13 vulnerabilities. Again, only three of the findings were deemed security bugs of low or medium severity.

However, as Cure53 reported: "The vast majority of findings are variations of common misconfigurations that are often present in Android applications. This positive viewpoint is also corroborated by the fact that none of the aforementioned vulnerabilities can be directly abused to conduct successful attacks."

ExpressVPN's very own password manager also received positive feedback, gaining "a solid impression on the whole."    

These latest tests bring the total of ExpressVPN's published independent VPN audits up to 13 since 2018. What's more, a security assessment of the ExpressVPN Keys browser extension is also on the way.

"We recognize the growing global need for digital privacy and security protections," said Brian Schirmacher, penetration testing manager at ExpressVPN. "Audits by esteemed cybersecurity firms such as Cure53 are one of our many trust and transparency initiatives. We want to continue setting the bar high for the industry."

Chiara Castro
Senior Staff Writer
