The code for ProtonVPN apps on all supported platforms - Android, iOS, macOS, and Windows - is now open source, the maker announces today, a move that follows a security audit from an independent party.

The decision distances the service from all the other options on the market and is in line with the company's belief in ethics, transparency, and security as core values for a trusted VPN (virtual private network) provider.

Sticking to business

When connecting to a VPN, you place your trust in the provider, who acts as an Internet Service Provider (ISP) and has visibility of your online activity and your location.

The number of VPN solutions emerging in the past years has exploded but not all had honest intentions. Privacy and security issues have plagued the world of free VPN mobile apps and the transparency of the providers has often been questioned.

"ProtonVPN changed this by delivering an unparalleled level of transparency and accountability. We have done things differently from the start: We have a strict no-logs policy, we’re based in Switzerland, regulated by some of the world’s strongest privacy laws, we have a deep security background, and we have even opened up our technology for inspection by Mozilla" - Proton Technologies

By releasing the code to public scrutiny, the company ensures that security researchers are free to inspect how everything works. Allowing this broad of an examination helps find potential bugs quicker and increases the chances of fixing them before threat actors start abusing them.

ProtonVPN code is available on GitHub for Android, iOS, macOS, and Windows.

Security audit results

Before making ProtonVPN code public, the company contracted a security audit from cybersecurity consultant SEC Consult. The result is far from worrisome.

The scope of the audit was not comprehensive and it was to determine if ProtonVPN solutions protect user privacy and if an attacker can access data belonging to other customers or use features reserved to a paid account without making an upgrade.

The macOS app tested best as following an initial code review the researchers found no vulnerabilities in the source code and the app.

In ProtonVPN for Windows, SEC Consult found in the reviewed code and the app two medium-risk bugs and two low-risk issues. None could be used to decrypt the traffic, though.

An attacker with physical access to the computer could obtain user-related information from debug routines or memory dumps.

In the code for Android, the researchers discovered one medium-risk vulnerability and four low-risk ones. Some issues relate to the certificate validation in encrypted communication but did not lead to traffic decryption. With physical access, user data could be obtained from debug routines.

The researchers identified two low-risk vulnerabilities in the code for iOS and a certificate validation issue but could not be used to decrypt traffic. Furthermore, SEC Consult did not find problems that would allow access to user data to an attacker with physical access.

Proton Technologies received complete reports for all the problems identified in this initial security review from SEC Consult.