{"id":11310,"date":"2025-03-27T09:02:14","date_gmt":"2025-03-27T16:02:14","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=11310"},"modified":"2025-03-27T09:02:14","modified_gmt":"2025-03-27T16:02:14","slug":"mullvad-android-app-has-successfully-passed-masa-a-standardized-security-assessment-conducted-by-ncc-group","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2025\/03\/27\/mullvad-android-app-has-successfully-passed-masa-a-standardized-security-assessment-conducted-by-ncc-group\/","title":{"rendered":"Mullvad Android App Has Successfully Passed MASA, a Standardized Security Assessment, Conducted by NCC Group"},"content":{"rendered":"\n<p>Mullvad VPN continues to have their service tested in their commitment to security and privacy.<\/p>\n\n\n\n<p><a href=\"https:\/\/mullvad.net\/en\/blog\/2025\/3\/27\/successful-security-assessment-of-our-android-app\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/mullvad.net\/en\/blog\/2025\/3\/27\/successful-security-assessment-of-our-android-app<\/a><\/p>\n\n\n<div class=\"wp-block-ub-divider ub_divider ub-divider-orientation-horizontal\" id=\"ub_divider_8ae250b6-9509-443d-9a4a-a11463b76066\"><div class=\"ub_divider_wrapper\" style=\"position: relative; margin-bottom: 2px; width: 100%; height: 2px; \" data-divider-alignment=\"center\"><div class=\"ub_divider_line\" style=\"border-top: 2px solid #ccc; margin-top: 2px; \"><\/div><\/div><\/div>\n\n\n<h3 class=\"wp-block-heading\">Successful security assessment of our Android app<\/h3>\n\n\n\n<p>March 27, 2025 <a href=\"https:\/\/mullvad.net\/en\/blog\/tag\/audits\">External audits<\/a>&nbsp;<\/p>\n\n\n\n<p>Our Android app (version 2024.9) has successfully passed MASA, a standardized security assessment, conducted by NCC Group.<\/p>\n\n\n\n<p>The assessment called&nbsp;<a href=\"https:\/\/appdefensealliance.dev\/masa\" target=\"_blank\" rel=\"noreferrer noopener\">Mobile Application Security Assessment (MASA)<\/a> is part of App 
Defense Alliance, originally launched by Google but now part of the Linux Foundation.<\/p>\n\n\n\n<p>It is different from our typical app audits (<a href=\"https:\/\/mullvad.net\/blog\/2018\/9\/24\/read-results-security-audit-mullvad-app\/\" target=\"_blank\" rel=\"noreferrer noopener\">2018<\/a>, <a href=\"https:\/\/mullvad.net\/blog\/2020\/6\/25\/results-available-audit-mullvad-app\/\" target=\"_blank\" rel=\"noreferrer noopener\">2020<\/a>, <a href=\"https:\/\/mullvad.net\/blog\/security-audit-report-for-our-app-available\" target=\"_blank\" rel=\"noreferrer noopener\">2022<\/a> and <a href=\"https:\/\/mullvad.net\/blog\/the-report-for-the-2024-security-audit-of-the-app-is-now-available\" target=\"_blank\" rel=\"noreferrer noopener\">2024<\/a>) where we define a threat model and have an audit firm look at our code, binaries and app running on various devices.<\/p>\n\n\n\n<p>Instead, MASA is a standardized black-box assessment against a set of industry-recognized security and testing criteria. This means that no code was reviewed during this assessment. It has two assessment levels: Assessment Level 1 (AL1) and Assessment Level 2 (AL2). Both require an authorized independent test lab, but AL2 is a bit more in-depth and includes a manual assessment in comparison to AL1. 
In our case we conducted an AL2 assessment using NCC Group as our test lab.<\/p>\n\n\n\n<p>The testing criteria are based on the work of OWASP, which continuously develops and publishes the following two standards:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/mas.owasp.org\/MASVS\/\" target=\"_blank\" rel=\"noreferrer noopener\">Mobile Application Security Verification Standard (MASVS)<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/mas.owasp.org\/MASTG\/\" target=\"_blank\" rel=\"noreferrer noopener\">Mobile Application Security Testing Guide (MASTG)<\/a><\/li>\n<\/ul>\n\n\n\n<p>To summarize the result of the assessment, the Android app passed all controls without the need for any fixes or modifications. You can check out the result in terms of the App Defense Alliance Directory entry <a href=\"https:\/\/appdefensealliance.dev\/directory?app=net.mullvad.mullvadvpn\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a> or directly download the certificate <a href=\"https:\/\/appdefensealliance.dev\/reports\/net.mullvad.mullvadvpn_1740398400000000.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>. As another result of the assessment, our app has now been marked with a Verified badge (also shown as Independently verified and Independent security review) in the Google Play Store.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mullvad VPN continues to have their service tested in their commitment to security and privacy. https:\/\/mullvad.net\/en\/blog\/2025\/3\/27\/successful-security-assessment-of-our-android-app Successful security assessment of our Android app March 27, 2025 External audits&nbsp; Our Android app (version 2024.9) has successfully passed MASA, a standardized security assessment, conducted by NCC Group. 
The assessment called&nbsp;Mobile Application Security Assessment (MASA) is part of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-11310","post","type-post","status-publish","format-standard","hentry","category-tech"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/11310","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=11310"}],"version-history":[{"count":1,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/11310\/revisions"}],"predecessor-version":[{"id":11311,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/11310\/revisions\/11311"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=11310"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=11310"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=11310"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}