Four people from X41 D-Sec performed a penetration test and source code audit of the Mullvad VPN app on all supported platforms for a total of 30 person-days. The audit was performed between 23rd October 2024 and 28th November 2024. The audit report was handed over to Mullvad on 30th November 2024.
Three quotes with key conclusions from the report:
- A total of six vulnerabilities were discovered during the test by X41. None were rated as having a critical severity, three as high, two as medium, and one as low. Additionally, three issues without a direct security impact were identified.
- Overall, the Mullvad VPN Application appear to have a high security level and are well positioned to protect from the threat model proposed in this report. The use of safe coding and design patterns in combination with regular audits and penetration tests led to a very hardened environment.
- In conclusion, the client applications exposed a limited number of relevant vulnerabilities. Mullvad VPN AB addressed them swiftly and the fixes were audited to be working properly.
The final report is available on X41’s website.