ExpressVPN Puts Its Privacy Tools to the Test in 27th Independent Security Audits – Here’s What Cure53 Discovered
- ExpressVPN 27th security audits: Cure53 reviewed ExpressMailGuard and Identity Defender, finding no Critical or High vulnerabilities.
- Identity Defender findings: Researchers identified seven vulnerabilities involving logging, session handling, and storage protections.
- Privacy tool expansion: ExpressVPN says all products handling user data now undergo independent security assessments.
ExpressVPN has announced the completion of two new independent security audits for its privacy-focused products, ExpressMailGuard and Identity Defender. The audits were conducted by Berlin-based cybersecurity firm Cure53 and bring the company’s total number of published independent security audits to 27.
According to ExpressVPN, the latest reviews are part of its broader effort to have every product that handles user data independently tested and verified by external security researchers.
Cure53 Reviewed ExpressMailGuard and Identity Defender
The latest audits focused on two of ExpressVPN’s newer privacy-oriented services.
ExpressMailGuard is an email aliasing platform that allows users to create disposable or alternative email addresses instead of exposing their primary inboxes to websites and online services. Messages sent to aliases are forwarded to the user’s real email address while helping reduce spam, tracking, and data exposure.
Cure53 reviewed ExpressMailGuard’s web application, email routing infrastructure, and supporting backend systems. The assessment focused on email deletion guarantees, metadata handling, and whether the service could inadvertently enable communication profiling.
Following 18 days of testing, Cure53 described ExpressMailGuard as having a “relatively strong and mature security posture.” The auditors reported two vulnerabilities and 11 miscellaneous issues, with no High or Critical severity findings. ExpressVPN stated that all reported issues were remediated and later verified by Cure53.
The second assessment covered Identity Defender, ExpressVPN’s identity monitoring and data removal platform currently available in the United States. The service is designed to monitor signs of identity theft, including suspicious financial activity, public record changes, breach exposure, and data broker listings, while also automating removal requests from broker databases.
Cure53 spent 14 days conducting white-box penetration testing and source code audits against the Android and iOS applications, as well as backend authentication, single sign-on (SSO), personally identifiable information (PII) handling, and secure storage mechanisms.
The audit identified 11 findings in total, including seven security vulnerabilities and four miscellaneous weaknesses. No High or Critical severity vulnerabilities were discovered, though several Medium-severity issues were reported across authentication, inter-process communication (IPC), deep link handling, secure storage, and logging systems.
ExpressVPN said all findings were fixed and later verified through Cure53’s retesting process.
Findings Included Session Fixation, Deep Link Risks, and Sensitive Data Exposure
One of the most significant findings involved the app’s Android inter-app login mechanism. Cure53 discovered that the Identity Defender application trusted any installed app exposing the com.expressvpn.vpn content provider authority without verifying its digital signature.
According to the report, a malicious application could exploit this behavior to supply attacker-controlled OAuth refresh tokens and trigger a session fixation attack, potentially causing victims to unknowingly authenticate into an attacker-controlled account.
Researchers also identified an open redirect vulnerability in the application’s deep link handling system. The issue stemmed from insufficient validation of the magicLinkUrl parameter within the app’s expressidd:// custom scheme handler. Cure53 noted that attackers could potentially redirect users to arbitrary domains inside the app’s internal WebView, increasing phishing risks by leveraging the trusted application context.
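The fix for this class of bug is to treat the deep-link parameter as untrusted input and only open it when the target is on an explicit allowlist. The following Python is an added illustration written for this article, not code from the Identity Defender app or from Cure53's report; the expressidd:// scheme and the magicLinkUrl parameter come from the report, while the allowlisted host auth.example.com is a placeholder. It also rejects the usual allowlist bypasses (userinfo tricks, host-suffix tricks, non-https schemes, duplicated parameters).

```python
from urllib.parse import parse_qs, urlparse

# Assumed allowlist of hosts the in-app WebView may navigate to.
# Placeholder value for this example; not ExpressVPN's real infrastructure.
ALLOWED_MAGIC_LINK_HOSTS = frozenset({"auth.example.com"})


def is_allowed_magic_link(url: str) -> bool:
    """True only for an https URL whose host is exactly on the allowlist."""
    if not isinstance(url, str) or "\\" in url or any(ch.isspace() for ch in url):
        # Backslashes and whitespace are parsed inconsistently across URL parsers.
        return False
    try:
        parsed = urlparse(url)
        host = parsed.hostname  # lower-cased, without userinfo or port
        userinfo = (parsed.username, parsed.password)
    except ValueError:
        return False  # e.g. malformed IPv6 literal
    if parsed.scheme != "https":
        return False  # blocks http://, javascript:, file:, custom schemes
    if userinfo != (None, None):
        # "https://auth.example.com@evil.example/" has hostname evil.example,
        # but reject userinfo outright so the URL can never be misread.
        return False
    # Exact match: "auth.example.com.evil.example" is not a suffix match.
    return host is not None and host in ALLOWED_MAGIC_LINK_HOSTS


def resolve_deep_link(deep_link: str):
    """Pull magicLinkUrl out of an expressidd:// link and validate it.

    Returns the URL to open in the WebView, or None when it must be refused.
    """
    try:
        parsed = urlparse(deep_link)
    except ValueError:
        return None
    if parsed.scheme != "expressidd":
        return None
    candidates = parse_qs(parsed.query).get("magicLinkUrl", [])
    if len(candidates) != 1:
        # Zero or duplicated parameters: refuse rather than guess which one wins.
        return None
    target = candidates[0]
    return target if is_allowed_magic_link(target) else None


if __name__ == "__main__":
    good = "expressidd://login?magicLinkUrl=https%3A%2F%2Fauth.example.com%2Fverify"
    bad = "expressidd://login?magicLinkUrl=https%3A%2F%2Fevil.example%2Fphish"
    print(resolve_deep_link(good))  # https://auth.example.com/verify
    print(resolve_deep_link(bad))   # None
```

The exact-host comparison is deliberate: matching on a suffix or with a substring check is how allowlists usually get bypassed, and parsing the URL once with the standard library avoids hand-written string checks that disagree with the WebView's own parser.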
The audit further highlighted problems related to session management and local authentication. Cure53 observed that the application automatically restored active sessions after launch or resume without requiring biometric authentication or PIN verification. The issue was compounded by the use of long-lived OAuth refresh tokens that, during testing, lacked an exp (expiration) claim.
Additional findings focused on the handling of sensitive information inside application logs. Cure53 reported that multiple internal services logged raw JWT claims, OAuth authorization links, purchase tokens, customer email addresses, user attributes, and push notification payloads. The auditors also stated that the application’s PII redaction system relied on narrow regular expression patterns that failed to consistently detect alternate formats of phone numbers, Social Security numbers, payment card data, Base64 payloads, and JSON-encoded personal information.
The report also identified:
- A TOCTOU race condition in the secure storage service that could potentially cause data corruption or storage inconsistencies
- Insecure plaintext storage of a persistent global identifier known as the KRN, enabling long-term identity correlation and tracking risks
- Weak iOS Keychain protection settings caused by a missing IOSOptions configuration in FlutterSecureStorage
- Lack of authentication enforcement for certain deep links, potentially exposing restricted UI components to unauthenticated users
- Support for outdated Android and iOS versions that no longer consistently receive security updates
- Android backup behavior that could permit local data extraction on older Android versions, where android:allowBackup defaults to true
Despite the findings, Cure53 stated that no major architectural weaknesses were discovered in the application’s core business logic services. However, the firm described the overall security posture of Identity Defender as “slightly below average” due to the number and nature of the identified issues, even though no High or Critical vulnerabilities were present.
The report specifically recommended improvements to IPC trust validation, deep link authorization, session security, local authentication enforcement, secure storage hardening, and sensitive data handling practices.
ExpressVPN Says Independent Reviews Remain Part of Its Privacy Strategy
ExpressVPN said the audits are part of a wider push to build what it describes as a “verified privacy stack” covering multiple products beyond its VPN service.
The company stated that its product lineup now includes ExpressVPN for encrypted internet connections, ExpressKeys for password management, ExpressAI for private AI interactions, ExpressMailGuard for email aliasing, and Identity Defender for identity monitoring and data removal.
Aaron Engel, Chief Security Officer at ExpressVPN, said the company views independent audits as an ongoing process rather than a one-time certification effort.
“Every product we build that touches user data gets handed to independent researchers whose job is to break it,” Engel said.
The full Cure53 audit reports, along with ExpressVPN’s previous audit history and ISO certifications, are available through the company’s Trust page.