Cure53 audits verify security of ExpressVPN Keys password manager

The third-party audits examined our password manager integrated into the ExpressVPN iOS and Android apps

Passwords are integral to our digital lives. But the large number of passwords each of us needs to know, combined with the complexity required for passwords to be strong, has led to the development of password managers for safe storage and convenient access.

Earlier this year, we began the beta rollout of ExpressVPN Keys, a password manager included free in the ExpressVPN apps for iOS and Android and as a Chrome browser extension. We see Keys as one component of a secure online experience and designed it to protect users’ login details with zero-knowledge encryption. This means only the user bearing their primary password can access their passwords—even ExpressVPN as the password management provider has no access to them. 

To validate the security of ExpressVPN Keys beyond our internal testing, we invited Cure53 to independently audit ExpressVPN Keys, as integrated into our iOS and Android apps. The audits were part of Cure53’s recent assessments of our Android and iOS mobile apps, which more broadly examined the apps’ security. 

“With privacy and security at the heart of everything we do, we wanted to ensure that ExpressVPN Keys meets the security standards that our VPN users have come to expect,” said Brian Schirmacher, penetration testing manager at ExpressVPN. “Our password manager uses the most advanced encryption in the industry and is designed so that no one except the user can access their own account details and passwords. The positive results from the audits by Cure53 confirm this.”

ExpressVPN Keys: designed with security at its core

The security assessments of our Android and iOS mobile apps were performed via white-box penetration testing and source-code audits. The audit of our Android app was performed in August, and the iOS audit from late August to early September. 

We were pleased to see the highly positive assessment of ExpressVPN Keys. Cure53 identified no vulnerabilities in either app. The audits revealed only two informational issues on Android and one informational issue on iOS.

“Given the importance of login credentials to the overall framework, the security of the data at rest was rigorously assessed. In this regard, the cryptographic functions utilized by the password manager to store the credentials garnered a solid impression on the whole,” noted Cure53 in their report.

Our security team addressed all informational issues and reviewed them with Cure53. The positive result is a testament to the password manager’s strong security foundation and represents “an exceptionally positive outcome for the developer team.”

Read Cure53’s audits of our Android app and iOS app.

An audit of the ExpressVPN Keys browser extension has also been completed and can be accessed here.

Our commitment to regular third-party security audits

In the past year, we’ve commissioned audits of our products with greater frequency. Here is a list of our external audits, ordered chronologically:

  • An audit by KPMG of our no-logs policy (September 2022)
  • An audit by Cure53 of our Linux app (August 2022)
  • An audit by Cure53 of our macOS app (July 2022)
  • A security audit by Cure53 of our Aircove router (July 2022)
  • A security audit by Cure53 of TrustedServer, our in-house VPN server technology (May 2022) 
  • An audit by F-Secure of our Windows v12 app (April 2022)
  • A security audit by F-Secure of our Windows v10 app (March 2022)
  • A security audit by Cure53 of our VPN protocol Lightway (August 2021)
  • An audit by PwC Switzerland on our build verification process (June 2020)
  • An audit by PwC Switzerland of our privacy policy compliance and our in-house technology TrustedServer (June 2019)
  • A security audit by Cure53 of our browser extension (November 2018)

Note: ExpressVPN Keys is being rolled out gradually and may not be accessible to all users immediately. The beta versions of ExpressVPN Keys are currently available on our app for iOS and Android, and as a Chrome extension. Become a member of our beta program.

ExpressVPN is dedicated to your online security and privacy. Posts from this account will focus on company news or significant privacy and security stories.