Our users trust us to protect their digital lives on a daily basis. One of the ways we earn that trust is through regularly engaging independent cybersecurity experts to assess our products and validate the accuracy of our security claims.
Today we are excited to share three new audits, covering all of ExpressVPN’s desktop apps. We commissioned Cure53 to perform penetration tests and source code audits of our macOS and Linux desktop clients. F-Secure was also commissioned to review our Windows v12 app through penetration testing and source code auditing, just months after its audit of our previous Windows app (v10).
We are delighted with the outcome of the audits, as well as our long-standing collaboration with both cybersecurity firms. Today, we are glad to share more findings and insights from the audits with you.
“As part of our continuous trust and transparency efforts, we’re proud to announce that all of our desktop apps have now been audited,” said Brian Schirmacher, penetration testing manager at ExpressVPN. “These audits are a testament to the efforts we put into improving and securing our product, and we’re glad to receive the validation from Cure53 and F-Secure. We’re committed to delivering audits on our mobile apps soon, and will continue to ensure privacy and security at every touchpoint of our product.”
Cure53 validates the security of our macOS and Linux apps
Cure53 tested both our macOS and Linux desktop apps through white-box penetration tests and source code audits from June to August 2022. These assessments are instrumental in determining whether our apps are secure enough to withstand attacks from malicious adversaries, providing validation of the extensive work done by our engineering and security experts.
They found a low volume of issues in our macOS app, uncovering only two security vulnerabilities and four informational weaknesses with low exploitation potential. We quickly addressed all relevant findings, with Cure53 reviewing the fixes to ensure no additional weaknesses were introduced.
“In conclusion, this assessment of the latest ExpressVPN application for macOS iteration leaves an exceptionally solid impression in regards to security,” writes Cure53 in their report. “All in all, the ExpressVPN team deserves high praise for its efforts to provide an exceptionally secure macOS client. Only a few minor hardening improvements are required to elevate the platform’s security posture to an exemplary level.”
Similarly, the audit of our Linux app returned a short list of security issues. Out of the five discoveries, there were two security vulnerabilities and three general weaknesses with lower exploitation potential, all of which have since been reviewed by our internal team. “Absence of findings beyond a Medium rank is yet another strong positive indicator of the condition of the security premise at the ExpressVPN Linux targets,” notes Cure53.
Read the full audit reports for macOS here and Linux here.
ExpressVPN’s Windows v12 app is more secure than ever
F-Secure conducted a security audit on our latest Windows app (v12) from February 2022 to March 2022. The audit assessed two important security properties of the app:
- That the app cannot be manipulated to leak information (such as a user’s IP address) outside the VPN tunnel
- That the app is not susceptible to remote code execution attacks
We’re pleased to share that F-Secure did not find any significant weaknesses. F-Secure’s independent auditors found only one informational issue in our Windows v12 app, which was not exploitable. The issue has already been fixed, which F-Secure confirmed in a retest in April 2022.
No critical, high, medium, or minor issues were found. And, as in their previous report, F-Secure gave us an excellent review, concluding: “It was not possible to gain information about ExpressVPN’s clients or out of the network traffic. Nor was it possible to execute code remotely through attacks such as Man-in-the-Middle (MitM), TLS downgrading, or packet injection.”
Read F-Secure’s Windows v12 report in full.
Windows v12 brings significant improvements to the app’s security and integration with the operating system. It also comes with a redesigned backend optimized for Lightway, our proprietary protocol that we built for a faster, more reliable, more secure VPN experience. These changes pave the way for exciting new features for our Windows users, like Parallel Connections and Threat Manager. Given these under-the-hood upgrades, we wanted Windows v12’s security verified as soon as possible. Download ExpressVPN for Windows (v12).
Note: v12 is only available for users of Windows 10 and above.
Our dedication to third-party privacy and security verifications
These three new audits of our desktop apps bring the total number of ExpressVPN’s published audits to 11, ensuring that we’re providing the most secure online experience possible to our users. Here are our previous external audits and security assessments:
- An audit by KPMG of our no-logs policy (October 2022)
- A security audit by Cure53 of TrustedServer, our in-house VPN server technology (October 2022)
- A security audit by Cure53 of our Aircove router (September 2022)
- A security audit by F-Secure of our Windows v10 app (March 2022)
- A security audit by Cure53 of our VPN protocol Lightway (August 2021)
- An audit by PwC Switzerland on our build verification process (June 2020)
- A security audit by Cure53 of our browser extension (November 2018)
We will continue to uphold our commitment to conduct more third-party audits and at a greater frequency. It’s one facet of the many ways we ensure that our users enjoy the most secure VPN experience.