ProtonVPN apps handed to open source community in transparency push

ProtonVPN has handed over application code to the open source community in a bid to improve transparency and security standards. 

On Tuesday, the virtual private network (VPN) provider, also known for the ProtonMail secure email service, said that the code backing ProtonVPN applications on every system -- Microsoft Windows, Apple macOS, Android, and iOS -- is now publicly available for review in what Switzerland-based ProtonVPN calls "natural" progression.

"There is a lack of transparency and accountability regarding who operates VPN services, their security qualifications, and whether they fully conform to privacy laws like GDPR," the company says. "Making all of our applications open source is, therefore, a natural next step."

Each application has also undergone a security audit by SEC Consult, which ProtonVPN says builds upon a previous partnership with Mozilla. 

Back in 2018, Mozilla ran a trial with a small number of US-based Mozilla Firefox browser users to offer ProtonVPN as a recommended service to protect their privacy and mask online activity. 

See also: Antivirus vendors push fixes for EFS ransomware attack method

While the partnership did not go any further -- instead, Mozilla has created its own Firefox Private Network -- the trial did require ProtonVPN's technology to undergo an inspection by the browser as part of Mozilla's due diligence requirements.

CNET: Clearview app lets strangers find your name, info with snap of a photo, report says

The Windows audit report (.PDF) identified two low-risk vulnerabilities related to jailbreaking and a lack of SSL certificate pinning. The macOS report (.PDF) uncovered no bugs at all, whereas one medium-risk vulnerability and four low-risk vulnerabilities were discovered in the Android audit (.PDF), the worst of which was an insecure logout issue. 

Finally, the iOS report (.PDF) documents two medium-risk vulnerabilities and two low-risk vulnerabilities, the most serious security flaw being the use of hardcoded credentials and sensitive data contained in memory.

All of the vulnerabilities were either accepted or fixed at the time of disclosure. 

TechRepublic: Bug bounties won't make you rich (but you should participate anyway)

The source code for each app is now available on GitHub (Windows, macOS, Android, iOS). 

"As a community-supported organization, we have a responsibility to be as transparent, accountable, and accessible as possible," ProtonVPN says. "Going open source helps us to do that and serve you better at the same time."

10 worst hacks and data breaches of 2019 (in pictures)

Previous and related coverage

• Did you really 'like' that? How Chameleon attacks spring in Facebook, Twitter, LinkedIn
  
• UK's HMRC tax authority seeks tools to track down cryptocurrency criminals
  
• FTCODE ransomware is now armed with browser, email password stealing features
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0