
All ProtonVPN apps are now open source and audited

Posted on January 21st, 2020 in Articles & News.


We’re happy to be the first VPN provider to open source apps on all platforms (Windows, macOS, Android, and iOS) and undergo an independent security audit. Transparency, ethics, and security are at the core of the Internet we want to build and the reason why we built ProtonVPN in the first place.

We launched ProtonVPN in 2017 to provide ProtonMail users with a trustworthy VPN service, which was increasingly necessary given the rise of Internet censorship. VPN in particular was an area in dire need of improvement. Studies have found that over one-third of Android VPNs actually contain malware, many VPNs have suffered from major security lapses, and many free VPN services that claim to protect privacy are secretly selling user data to third parties. In general, there is also a lack of transparency and accountability regarding who operates VPN services, their security qualifications, and whether they fully conform to privacy laws like the GDPR.

ProtonVPN changed this by delivering an unparalleled level of transparency and accountability. We have done things differently from the start: We have a strict no-logs policy, we’re based in Switzerland, regulated by some of the world’s strongest privacy laws, we have a deep security background, and we have even opened up our technology for inspection by Mozilla.

Making all of our applications open source is therefore a natural next step. As former CERN scientists, publication and peer review are a core part of our ethos. We are also publishing the results of independent security audits covering all of our software.

You can find the open source code and audit reports here:

Why it’s important to use an open source VPN

When you choose to use a virtual private network, you are placing an extraordinary amount of faith in that service provider. Here’s why:

When you are not connected to a VPN, your unencrypted Internet traffic (i.e., that which is not protected by TLS) may be intercepted by your WiFi provider, by your Internet service provider (ISP), by hackers monitoring the local network, or by the government authorities in your jurisdiction. Your IP address (i.e. your device’s identity and your geographical location) is also exposed, including to the websites you visit, which can use that information to track you across the Internet. Even encrypted traffic can be monitored to observe the websites you visit, and your IP address will remain exposed.

When you connect to a VPN, your Internet traffic is encrypted between your device and the VPN server, protecting it from local network surveillance. Even your DNS lookups (the names of the web domains you visit) are protected. And your IP address is masked to help protect your identity and location. However, the VPN provider effectively becomes your ISP in that it can see your browsing activity, IP address, and location. This is why choosing a trustworthy VPN service is so important.

A VPN application, therefore, has a lot of privileged access to your device and your online activity. Open source code allows security researchers and the global security community to inspect how we implement encryption and how we handle your data, giving you more certainty that we are adhering to our strict privacy policy. Open source code provides security through transparency, meaning that because the code is heavily scrutinized, potential vulnerabilities are quickly spotted and fixed. This reduces the risk of a security vulnerability in a VPN app putting you at risk. 

In contrast, proprietary code relies on “security through obscurity,” meaning vulnerabilities are less likely to be discovered. Or worse, these vulnerabilities may be only known to malicious actors who exploit them secretly without users being aware. 

When it comes to online privacy and security software, we believe free and open source software is better for safety and provides better accountability to our user community. Open source has long been at the core of Proton, and our open source software ranges from ProtonMail clients to fundamental encryption libraries, such as OpenPGPjs, which power a significant fraction of encrypted applications on the web today, serving tens of millions of users. We are committed to open sourcing all of our client-facing software. 

Third-party security audits

Another unique quality of ProtonVPN is our commitment to having independent security researchers inspect our software before releasing it publicly. Previously, Mozilla reviewed our implementations, organizational structure, and our technology as part of their due diligence for a partnership with us. 

Since then, we have initiated more thorough security-focused audits for all our clients. We contracted SEC Consult, a leading security firm, to conduct the audits. Although such audits are expensive and time-consuming, we believe these are a critical step that must go together with open sourcing our code. Going forward, we will continue to do audits on an ongoing basis to have continual independent checks on our application security.

Working with the Proton community

The other important benefit of open sourcing our software is that it furthers our overall mission to build an Internet that’s more secure, private, and free by leveraging the power of the community. Security improvements can now be submitted by developers from around the world through our bug bounty program. And in some cases even feature improvements from the community may be incorporated into the official ProtonVPN apps, similar to what we have done previously with the official ProtonVPN Linux client.

As a community-supported organization, we have a responsibility to be as transparent, accountable, and accessible as possible. Going open source helps us to do that and serve you better at the same time. 

Your feedback and suggestions have become a vital source of ideas and inspiration for us, and we will continue working to meet your expectations in 2020 and beyond. We will be launching new servers all over the world, improving security, and releasing new features to keep you safe and help you bypass censorship. None of what we have achieved to date could have been done without our community.

Thank you for your support!

Best Regards,
The ProtonVPN Team


To get a free ProtonMail encrypted email account, visit: protonmail.com

Andy is a founder of Proton Technologies, the organization behind ProtonVPN and ProtonMail. He is a long time advocate of privacy rights and has spoken at TED, SXSW, and the Asian Investigative Journalism Conference about online privacy issues. Previously, Andy was a research scientist at CERN and has a PhD in Particle Physics from Harvard University. You can watch his TED talk online to learn more about our mission.


15 comments

  1. José Luis

    Wonderful news. I can’t understand how there’s people who say they “trust” their VPN provider despite only their providers know what their closed source apps really do with the clients’ traffic. Maybe my data are securely encrypted once they leave my device, but what happened before the encryption, did the app do something “fishy” with my data? With ProtonVPN app now code-literate people from all the world can check the code, and all of us can be much more sure that our data is just encrypted and sent where it’s intended. Without transparency there’s no trustable security/privacy.
    Thanks a lot, and I hope that others shall follow this path you have opened.

  2. Richie Koch

    You are quite right José, a closed source app requires trust, while an open source app allows anyone to verify the code the app is running. Making all our apps open source has long been a priority for just this reason. And we also hope that the fact we open sourced our applications helps encourage other services to open source their apps as well. Cheers!

  3. iman

    Wow! I was in love with proton mail and vpn and now you guys just made me love it more!!
    thanks to all of you guys behind proton mail and vpn

  4. Richie Koch

    Thank you for your kind words! We won’t stop until everyone has access to a private and secure Internet.

  5. On Vam Ne Dimon :-)

    Awesome! Russia love Proton! 🙂

  6. Jim Boyaga

    Already a free and paid email client, but now will be paying for vpns too.

  7. Richie Koch

    Thank you! Your support will allow us to continue developing ProtonVPN.

  8. Jelle Mulckhuijse

    Are the audit reports something you want to share with the community?

  9. Richie Koch
  10. TheByteCrasher

    Wow, awesome news. So this means that your VPN under-layer can be used by others?
    And thank you for giving contribution to open source with this.
    Best wishes to Proton VPN team.

  11. Tasupporter

    This is fantastic news! Congratulations! This step is very important! And even more under GPL!
    It’s a move we’ve been waiting for and further enhances our arguments for you. I also see that you also provide an interesting and very nice documentation.

  12. Richie Koch

    Thank you very much! This has long been a priority for us and we’re happy to have seen it through.

  13. Phydeaux

    Congratulations on releasing your VPN solutions as Free Software! Even better than mere “open sores”!

  14. PlusSubscriber

    That’s great news!
    Do you know when Proton Mail and Proton VPN will be available on f-droid?

  15. Ben Wolford

    We can’t give you a timeline at the moment, but this is a priority for us.
