Atlas VPN completes its first independent security audit
Even security companies need security checks. That's why we chose the world-leading independent cybersecurity experts from VerSprite to test Atlas VPN. This time we focused on our iOS app, and we're very pleased with the results.
According to the Head of Offensive Security at VerSprite, "The blackbox analysis during the Application Penetration Test of the Atlas VPN iOS client and its public backend components highlighted just a few Medium-to-Low risk issues, which proved fruitless to compromise the privacy of the users. I commend Atlas VPN for their transparency in sharing their findings with their customers."
Putting our security to the test
In April, VerSprite, an industry-leading cybersecurity consulting firm, performed an Application Penetration Test on the Atlas VPN iOS app version 2.9.0 and supporting APIs. During the test, they simulated real-world cyberattack scenarios to check for any vulnerabilities that could put "data privacy, authenticity, integrity, and overall business reputation" at risk.
In other words, VerSprite was looking for ways to hack our iOS app. But instead of exploiting any vulnerabilities they found, VerSprite reported them to us.
After examining the Atlas VPN iOS app, independent experts found a total of five vulnerabilities:
- 2 medium-level threats that affect the Atlas VPN backend service
- 3 low-level threats that affect the iOS App itself
Low- and medium-level threats give an attacker only limited access to sensitive data and app control. Such issues become more dangerous when chained with other vulnerabilities, typically of a higher severity level.
One of the medium-level and one of the low-level threats found in the Atlas VPN iOS app concern malicious actors being able to bypass the Premium subscription checks and use Premium features without actually holding a Premium account.
The Atlas VPN iOS app also does not enforce server certificate validation, which could allow an attacker to force the client application to connect to a rogue VPN server not controlled by us. Although VerSprite was not able to carry out such an attack during the test, certificate validation is something we have to enforce.
The remaining vulnerabilities are the possibility of running the Atlas VPN iOS app on jailbroken devices, and the possibility of abusing the session tokens embedded in the sign-up links sent to Atlas users in order to gain access to their accounts.
High- and critical-level threats, as their names suggest, are much more severe. Cybercriminals can exploit such threats to gain direct access to sensitive user data or business information, or even to compromise the app itself.
We're happy to announce that no high- or critical-level threats were found in the Atlas VPN iOS app or its supporting APIs.
What are we doing about it?
We believe that regular product security testing should be an integral part of any product and service security strategy. While low- and medium-level threats do not pose serious risks to the Atlas VPN service and its users, eliminating every security vulnerability found in our iOS app is the number one priority on our list.
As soon as we received our iOS app audit results, we rolled up our sleeves and started fixing the identified vulnerabilities. But just as we value the safety of our users, we also value transparency. That's why we decided to share the Atlas VPN iOS app audit results immediately after making sure that the risks posed by the identified vulnerabilities were being managed and mitigated.
Most importantly, we want to stress that the Atlas VPN iOS app is safe to use. The independent audit simply helped us identify how we could improve our security practices even further.
We also hope it reassures our users that we're not just a bunch of smoke and mirrors. We stand by our words and take the safety and privacy of our users seriously.
While the iOS app audit is the first we've ever done, we plan to make independent security testing a part of our regular security practices.
We wish you a safe online journey!
Cybersecurity Researcher and Publisher at Atlas VPN. Interested in cybercrime, online security, and privacy-related topics.