Cure53 audits verify security of ExpressVPN Keys password manager

The third-party audits examined our password manager integrated into the ExpressVPN iOS and Android apps, as well as the Keys browser extension for Chrome.
ExpressVPN news
9 mins
Magnifying glass over ExpressVPN Keys logo.

Update: We originally published this post on December 13, 2022, to announce the audit of ExpressVPN Keys in our apps for iOS and Android. We’ve since updated it to reflect the completion of the audit of the Keys browser extension for Chrome. This means Keys is now fully audited on all platforms.

Passwords are integral to our digital lives. But the large number of passwords each of us needs to know, combined with the complexity required for passwords to be strong, has led to the development of password managers for safe storage and convenient access.

Earlier this year, we began the beta rollout of ExpressVPN Keys, a password manager included free in the ExpressVPN apps for iOS and Android and as a Chrome browser extension. We see Keys as one component of a secure online experience and designed it to protect users’ login details with zero-knowledge encryption. This means only the user bearing their primary password can access their passwords—even ExpressVPN as the password management provider has no access to them. 

To validate the security of ExpressVPN Keys beyond our internal testing, we invited Cure53 to independently audit ExpressVPN Keys. The security firm audited Keys as integrated into our iOS and Android apps—part of a broader security assessments of our two mobile apps. Cure53 also separately examined the Keys browser extension for Chrome.

“With privacy and security at the heart of everything we do, we wanted to ensure that ExpressVPN Keys meets the security standards that our VPN users have come to expect,” said Brian Schirmacher, penetration testing manager at ExpressVPN. “Our password manager uses the most advanced encryption in the industry and is designed so that no one except the user can access their own account details and passwords. The positive results from the audits by Cure53 confirm this.”

ExpressVPN Keys: designed with security at its core

The security assessments of the Keys browser extension for Chrome, Android app, and iOS app were performed via white-box penetration testing and source-code audits. The audit of our Android app was performed in August, the iOS audit from August to September, and the browser extension audit from September to October. 

“Given the importance of login credentials to the overall framework, the security of the data at rest was rigorously assessed. In this regard, the cryptographic functions utilized by the password manager to store the credentials garnered a solid impression on the whole,” noted Cure53.

Our security team addressed all issues and reviewed them with Cure53. The positive result is a testament to the password manager’s strong security foundation and represents “an exceptionally positive outcome for the developer team.”

Read Cure53’s assessment of Keys, including the audits of our Android app, iOS app, and Chrome browser extension.

Our commitment to regular third-party security audits

In the past year, we’ve commissioned audits of our products with greater frequency. Here is a list of our external audits, ordered chronologically:

  • An audit by KPMG of our no-logs policy (September 2022)
  • An audit by Cure53 of our Linux app (August 2022)
  • An audit by Cure53 of our macOS app (July 2022)
  • security audit by Cure53 of our Aircove router (July 2022)
  • A security audit by Cure53 of TrustedServer, our in-house VPN server technology (May 2022) 
  • An audit by F-Secure of our Windows v12 app (April 2022)
  • A security audit by F-Secure of our Windows v10 app (March 2022)
  • A security audit by Cure53 of our VPN protocol Lightway (August 2021)
  • An audit by PwC Switzerland on our build verification process (June 2020)
  • An audit by PwC Switzerland of our privacy policy compliance and our in-house technology TrustedServer (June 2019)
  • A security audit by Cure53 of our browser extension (November 2018)

Note: ExpressVPN Keys is being rolled out gradually and may not be accessible to all users immediately. The beta versions of ExpressVPN Keys are currently available on our app for iOS and Android, and as a Chrome extension. Become a member of our beta program.

Phone protected by ExpressVPN.
Take back control of your privacy

30-day money-back guarantee

A phone with a padlock.
Enjoy a safer online experience with powerful privacy protection
What is a VPN?
ExpressVPN is dedicated to your online security and privacy. Posts from this account will focus on company news or significant privacy and security stories.