Pentest-Report Mullvad VPN & Servers 11.-12.2020

“Mullvad VPN AB is owned by parent company Amagicom AB. The name Amagicom isderived from the Sumerian word ama-gi – the oldest word for “freedom“ or, literally,“back to mother” in the context of slavery – and the abbreviation for communication.Amagicom stands for “free communication”.”

This document is dedicated to a presentation of a security-centered project carried outby Cure53 for Mullvad. More specifically, the report describes the results of a thoroughand comprehensive penetration test and source code audit against the Mullvad VPNservers, infrastructure and related web applications and other exposed services. Theproject was completed in late 2020

https://cure53.de/pentest-report_mullvad_2021_v1.pdf

#pentest #mullvad #vpn #report #pdf
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag

Android leaks connectivity check traffic

An ongoing security audit of our app identified that Android leaks certain traffic, which VPN services cannot prevent. The audit report will go public soon. This post aims to dive into the finding, called MUL22-03.

We researched the reported leak, and concluded that Android sends connectivity checks outside the VPN tunnel. It does this every time the device connects to a WiFi network, even when the Block connections without VPN setting is enabled.

We understand why the Android system wants to send this traffic by default. If for instance there is a captive portal on the network, the connection will be unusable until the user has logged in to it. So most users will want the captive portal check to happen and allow them to display and use the portal. However, this can be a privacy concern for some users with certain threat models. As there seems to be no way* to stop Android from leaking this traffic, we have reported it on the Android issue tracker.

https://mullvad.net/en/blog/2022/10/10/android-leaks-connectivity-check-traffic
#Android #VPN #mullvad