{"id":17426,"date":"2026-06-01T08:23:11","date_gmt":"2026-06-01T15:23:11","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=17426"},"modified":"2026-06-01T08:23:11","modified_gmt":"2026-06-01T15:23:11","slug":"2026-security-assessment-of-mullvad-android-app","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2026\/06\/01\/2026-security-assessment-of-mullvad-android-app\/","title":{"rendered":"2026 Security Assessment of Mullvad Android App"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">This is the security audit for the <a href=\"https:\/\/mullvad.net\/en\" target=\"_blank\" rel=\"noreferrer noopener\">Mullvad VPN<\/a> Android app. Mullvad is my trusted VPN provider, where you can sign up anonymously and pay with Bitcoin, Lightning or Monero for extra privacy. They also have great Android and Linux apps for managing connections, along with a lot of other privacy features: connecting where use is restricted, multihop, and obfuscation for AI traffic analysis&#8230;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/mullvad.net\/en\/blog\/2026\/6\/1\/2026-security-assessment-of-our-android-app\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/mullvad.net\/en\/blog\/2026\/6\/1\/2026-security-assessment-of-our-android-app<\/a><\/p>\n\n\n<div class=\"wp-block-ub-divider ub_divider ub-divider-orientation-horizontal\" id=\"ub_divider_83ce2850-9502-4166-9b71-cba778d2c075\"><div class=\"ub_divider_wrapper\" style=\"position: relative; margin-bottom: 2px; width: 100%; height: 2px; \" data-divider-alignment=\"center\"><div class=\"ub_divider_line\" style=\"border-top: 2px solid #ccc; margin-top: 2px; \"><\/div><\/div><\/div>\n\n\n<p class=\"wp-block-paragraph\">Our Android app has for the second time passed MASA, a standardized security assessment, conducted by <a href=\"https:\/\/www.leviathansecurity.com\/\">Leviathan Security Group<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Following <a 
href=\"https:\/\/mullvad.net\/blog\/successful-security-assessment-of-our-android-app\">last year\u2019s assessment<\/a>, we\u2019ve recently conducted the <a href=\"https:\/\/appdefensealliance.dev\/masa\">Mobile Application Security Assessment (MASA)<\/a> to further ensure our compliance with modern secure mobile app development. It checked version 2026.2 of our app against the <a href=\"https:\/\/github.com\/appdefensealliance\/ASA-WG\/blob\/v1.0\/Mobile%20App%20Profile\/Mobile%20App%20Specification.md\">Mobile App Profile (MAP) specification<\/a> and identified a few minor issues. These issues were addressed in version 2026.3-beta3 (later released as 2026.3), which resulted in a pass for our app.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Overview of findings<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The initial testing round identified six issues, of which one was a <a href=\"https:\/\/github.com\/mullvad\/mullvadvpn-app\/blob\/672c88023a8a483c4b16fe1698d671749245bedb\/audits\/2026-02-17-leviathan-masa.md#1621-the-app-only-uses-software-components-without-known-vulnerabilities\">false positive<\/a> and one was <a href=\"https:\/\/github.com\/mullvad\/mullvadvpn-app\/blob\/672c88023a8a483c4b16fe1698d671749245bedb\/audits\/2026-02-17-leviathan-masa.md#1631-compiler-security-features-shall-be-enabled\">not applicable<\/a>. 
Here\u2019s an overview of the addressed issues, which were also re-tested against version 2026.3-beta3.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">1.5.1.4 All Pending Intents shall be immutable or otherwise justified for mutability<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">A few <code>PendingIntents<\/code> were incorrectly marked as mutable; however, we do not believe this posed much risk to our users, since the app has very limited intent capabilities.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Conclusion<\/strong>: We agree with the finding, and the intents have been changed to immutable.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">1.5.3.1 The app shall by default mask data in the User Interface when it is known to be sensitive<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">On the login screen, the account number input was not hidden but shown in plain text. When adding or editing a custom API access method, the password was also shown in plain text.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Conclusion<\/strong>: We agree that those inputs should be masked to protect against shoulder surfing attacks, so we\u2019ve updated the UI to hide the sensitive input by default.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">1.8.2.1 The app shall be transparent about data collection and usage<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">After adding support for in-app purchases via Google Play, we inadvertently overlooked updating our data collection policy on Google Play. 
To enable refunds, we store a link between a purchase and an account for 20 days, as described in our <a href=\"https:\/\/mullvad.net\/help\/privacy-policy\">privacy policy<\/a>; this applies to Play Store purchases as well.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Conclusion<\/strong>: Our Google Play listing has been updated to declare Purchase history in the Data collection section, to be as transparent as possible.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">1.8.3.1 Users shall have the ability to request their data to be deleted via an in-app mechanism<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Our app did not provide an in-app mechanism to delete accounts. This was by design, due to the way our app and service work. We don\u2019t believe it adds much value; rather, it opens the door to abuse or mistakes. Instead, we have mechanisms to continuously delete the little data we do have, e.g. the link between accounts and payments that is needed to enable refunds. More about this in our <a href=\"https:\/\/mullvad.net\/help\/privacy-policy\">privacy policy<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Conclusion<\/strong>: We\u2019ve implemented in-app account deletion to meet the MAP specification.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Read the report<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">You can check out the official App Defense Alliance Directory entry <a href=\"https:\/\/appdefensealliance.dev\/directory?app=net.mullvad.mullvadvpn\">here<\/a> and see that the app is independently reviewed in the Google Play Store. Unfortunately, Google has not published the certificate yet, but once available it will be directly accessible via <a href=\"https:\/\/appdefensealliance.dev\/reports\/net.mullvad.mullvadvpn_1775779200000000.pdf\">this link<\/a>. 
You can also check out a more technical summary, as well as the test reports and the compliance report, in <a href=\"https:\/\/github.com\/mullvad\/mullvadvpn-app\/blob\/main\/audits\/2026-02-17-leviathan-masa.md\">our GitHub repository<\/a>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Last words<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">We would like to thank Leviathan for the thorough assessment. The communication was professional, and the assessment was carried out to a high standard and provided us with valuable insights.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The security audit for the Mullvad VPN Android App, which is my trusted VPN provider where you can sign up anonymously and pay with Bitcoin, Lightning or Monero for extra privacy. And they have a great Android and Linux app for managing connection, along with a lot of other privacy features for connecting where use [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-17426","post","type-post","status-publish","format-standard","hentry","category-tech"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17426","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=17426"}],"version-history":[{"count":1,"hre
f":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17426\/revisions"}],"predecessor-version":[{"id":17427,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17426\/revisions\/17427"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=17426"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=17426"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=17426"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}