ProtonVPN apps handed to open source community in transparency push
ProtonVPN has handed over application code to the open source community in a bid to improve transparency and security standards.
On Tuesday, the virtual private network (VPN) provider, also known for the ProtonMail secure email service, said that the code backing ProtonVPN applications on every system — Microsoft Windows, Apple macOS, Android, and iOS — is now publicly available for review in what Switzerland-based ProtonVPN calls “natural” progression.
“There is a lack of transparency and accountability regarding who operates VPN services, their security qualifications, and whether they fully conform to privacy laws like GDPR,” the company says. “Making all of our applications open source is, therefore, a natural next step.”
Each application has also undergone a security audit by SEC Consult, which ProtonVPN says builds upon a previous partnership with Mozilla.
Back in 2018, Mozilla ran a trial with a small number of US-based Mozilla Firefox browser users to offer ProtonVPN as a recommended service to protect their privacy and mask online activity.
While the partnership did not go any further — instead, Mozilla has created its own Firefox Private Network — the trial did require ProtonVPN’s technology to undergo an inspection by the browser as part of Mozilla’s due diligence requirements.
The Windows audit report (.PDF) identified two low-risk vulnerabilities related to jailbreaking and a lack of SSL certificate pinning. The macOS report (.PDF) uncovered no bugs at all, whereas one medium-risk vulnerability and four low-risk vulnerabilities were discovered in the Android audit (.PDF), the worst of which was an insecure logout issue.
Finally, the iOS report (.PDF) documents two medium-risk vulnerabilities and two low-risk vulnerabilities, the most serious security flaw being the use of hardcoded credentials and sensitive data contained in memory.
All of the vulnerabilities were either accepted or fixed at the time of disclosure.
“As a community-supported organization, we have a responsibility to be as transparent, accountable, and accessible as possible,” ProtonVPN says. “Going open source helps us to do that and serve you better at the same time.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0