In the world of VPNs, the competition for landing new users is fierce. The resulting game of one-upmanship by many top VPN providers, however, has been great news for us, the consumers.
In some cases, it’s led to rock-bottom prices and countless discounts and sales.
In other cases, the result has been providers expanding their services with features like double VPNs, kill switches, adware and malware blockers, and bigger server lists.
One top provider, ProtonVPN, has now raised the bar to a new level, and they’ve done so in two ways.
First, they’ve become the latest major VPN to undergo a 3rd-party security audit. It’s a move that, in and of itself, is not so surprising, but still much appreciated.
But, the more interesting development is that ProtonVPN has just made all their apps open-source. That puts them into a very small group of providers to do so.
In fact, so far, they’re also the only top-tier VPN to take that step.
It’s an almost unprecedented move towards transparency that carries significant benefits for us, the users.
A Multi-Platform Security Audit
On January 21, 2020, ProtonVPN announced the results of its first-ever 3rd-party security audit. The test was carried out by respected cybersecurity and penetration testing firm SEC Consult.
Four of ProtonVPN’s apps – Windows, macOS, iOS, and Android – were put to the test.
If you’re interested in taking a detailed look at the results, the full reports for each platform are available at these locations:
That said, here's a quick summary of what SEC Consult found and how ProtonVPN responded.
Windows
The tests of the ProtonVPN Windows app uncovered two medium- and two low-risk issues.
None of the problems were severe enough to allow an attacker to decrypt the VPN traffic. But, if an attacker had physical access to a user’s PC, they could certainly cause a bit of trouble.
In response, ProtonVPN fixed the two low-risk issues and accepted the two medium-risk findings.
One of those accepted vulnerabilities was related to the app's underlying programming language and, therefore, out of ProtonVPN's control.
The other problem had to do with the public authorization keys that allow initial connections to a VPN server. However, ProtonVPN confirmed the keys are freely available and cannot be used to initiate an attack.
macOS
ProtonVPN’s macOS app did much better than its Windows counterpart. In fact, SEC Consult didn’t find a single issue.
Of the four apps tested, macOS was the only one to come up with a clean bill of health. Maybe there’s something to Apple’s security reputation after all?
iOS
Despite what I just said about Apple and security, the iOS ProtonVPN app didn't do as well as its macOS cousin.
Testing revealed two low-risk problems, one of which has been fixed and the other accepted.
The fixed vulnerability had to do with the app not doing an authenticity check of a VPN server’s SSL certificate. That could, in theory, allow someone to set up a man-in-the-middle attack.
The accepted issue was that the app is allowed to run on jailbroken iOS devices. That to me, however, sounds more like a feature than a bug.
Android
Of all the apps tested in ProtonVPN's security audit, the Android version had the most issues: one medium- and four low-risk vulnerabilities.
ProtonVPN fixed three of them and accepted the remaining two.
The first fixed problem was that the app failed to perform a server-side logout when a user signed off. That could potentially allow an attacker to reuse the session.
The second was that the app allowed the use of ADB backup, which could let someone harvest user data if they had access to the Android device.
The third resolved issue was the same SSL certificate check failure found in the iOS app.
As far as the accepted vulnerabilities, both are somewhat benign.
The first is that the device creates debug logs containing session information. But, since those logs are part of Android OS’s system logging, ProtonVPN has little choice but to allow them.
The second accepted issue is that the app saves user settings in a local file. And, while that file is encrypted, an attacker with physical access to the device could, theoretically, get access to it.
That said, since the stored settings are used for transmitting diagnostic reports, they don’t pose an actual threat to user data.
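The session-reuse finding above, illustrated with an added example (constructed here, not ProtonVPN's code): a server-side session store where a client-only sign-off leaves a copied token replayable, while a proper logout revokes it on the server. The store, clock injection and function names are all assumptions made for the illustration.

```python
import secrets
import time


class SessionStore:
    """Server-side session table (constructed example, not ProtonVPN's code)."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._sessions = {}      # token -> (user, expiry timestamp)
        self._ttl = ttl_seconds
        self._clock = clock      # injectable so expiry can be tested deterministically

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._clock() + self._ttl)
        return token

    def is_valid(self, token):
        entry = self._sessions.get(token)
        if entry is None:
            return False
        if self._clock() >= entry[1]:
            del self._sessions[token]   # expired: drop it so it cannot be replayed later
            return False
        return True

    def logout(self, token):
        """Server-side logout: revoke the token immediately, whatever its expiry."""
        self._sessions.pop(token, None)


def client_only_signoff(store, user):
    """Audited behaviour: the app clears its own copy of the token but never tells
    the server. Returns whether a copy taken before sign-off is still accepted."""
    token = store.login(user)
    leaked_copy = token          # e.g. a copy captured on the device earlier
    # ... local state cleared here; the server-side entry is untouched ...
    return store.is_valid(leaked_copy)


def proper_signoff(store, user):
    """Fixed behaviour: revoke on the server first, then clear local state."""
    token = store.login(user)
    leaked_copy = token
    store.logout(token)
    return store.is_valid(leaked_copy)
```

Expiry alone is not a substitute for revocation: until the TTL runs out, a token that was only forgotten client-side remains usable.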
The Decision to Go Open Source
To take their commitment to transparency to the next level, ProtonVPN has also decided to make all their apps open-source. The complete source code for each is now available to the public.
It’s an extremely rare step for a major VPN provider to take. In fact, only AirVPN and Mullvad rely on open-source apps. And, they’re nowhere near the size of ProtonVPN.
So, big kudos to ProtonVPN here.
In making this announcement, ProtonVPN recognized the valuable contributions the user community has made to their Linux app, the code for which was already available for some time.
On their decision to go open-source, ProtonVPN said:
As a community-supported organization, we have a responsibility to be as transparent, accountable, and accessible as possible. Going open-source helps us to do that and serve you better at the same time. Your feedback and suggestions have become a vital source of ideas and inspiration for us, and we will continue working to meet your expectations in 2020 and beyond.
If you’re a developer and want to take a look at the inner workings of ProtonVPN’s app, you can find the source code on ProtonVPN’s GitHub page.
The Bottom Line
Whether you’re an existing or potential ProtonVPN user, there’s a lot to like about the provider’s decisions to participate in 3rd-party audits and go open-source.
Both ensure their software is as secure and problem-free as can be and that it adheres to the latest standards.
Allowing an army of hobbyists and developers to pore over and contribute to ProtonVPN's code could be an especially brilliant move. After all, nobody knows better what the VPN user community wants than the users themselves.
And, hopefully, ProtonVPN raising the bar will push at least some of the other top VPN providers to follow suit in the not-too-distant future.