
Mullvad has announced that its Android VPN application has successfully passed the Mobile Application Security Assessment (MASA) for a second consecutive year.
The assessment identified several minor issues, all of which were addressed in a subsequent release, resulting in a successful compliance outcome.
The security assessment examined Mullvad's Android app version 2026.2 against the Mobile App Profile (MAP), a standardized security framework used within Google's App Defense Alliance ecosystem. Leviathan Security Group was the cybersecurity firm responsible for performing the independent evaluation.
MASA assessments are designed to verify that mobile applications follow secure development practices across areas such as data protection, authentication, cryptography, privacy transparency, and application security. VPN providers have increasingly sought MASA validation as Google expands its security review initiatives for apps distributed through the Play Store.
Mullvad is a Sweden-based privacy-focused VPN provider known for its minimal data collection practices and anonymous account model. The company allows users to create accounts without providing an email address and has built a reputation around privacy-centric design decisions and transparency.
Audit findings
During the initial assessment, auditors identified six findings. Mullvad said one of those findings was determined to be a false positive and another was deemed not applicable. The remaining issues were addressed and re-tested in version 2026.3-beta3, which was later released as version 2026.3.
One of the findings involved Android PendingIntent objects that had been configured as mutable when they could have been immutable. While Mullvad stated that the issue posed limited risk due to the application's restricted intent functionality, the company agreed with the assessment and updated the affected components to use immutable intents.
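To show what this finding is about, here is an added Kotlin illustration (it is not Mullvad's code and is not taken from the audit report). A PendingIntent is a token that lets another process, such as the notification shade or an alarm manager, later fire an Intent with the creating app's identity. If the token is mutable, whoever holds it can fill in fields the creator left unspecified before it is sent, so an explicit target plus FLAG_IMMUTABLE is the safe default unless a feature genuinely needs the receiver to add extras. The activity class MainActivity and the request code are assumptions for the example; the flag names are real Android APIs.

```kotlin
import android.app.PendingIntent
import android.content.Context
import android.content.Intent

// Hypothetical activity used as the intent target in this example.
class MainActivity : android.app.Activity()

// Weak configuration: the PendingIntent is mutable although nothing in the
// app needs the receiver to modify it. FLAG_MUTABLE exists from API 31.
fun buildMutableOpenAppIntent(context: Context): PendingIntent {
    val intent = Intent(context, MainActivity::class.java)
    val flags = PendingIntent.FLAG_UPDATE_CURRENT or PendingIntent.FLAG_MUTABLE
    return PendingIntent.getActivity(context, /* requestCode = */ 0, intent, flags)
}

// Corrected configuration: explicit component (no implicit resolution) and
// FLAG_IMMUTABLE, so the holder of the token cannot alter the Intent it wraps.
// Apps targeting Android 12 (API 31) or later must set one of the two flags;
// creating a PendingIntent without either throws IllegalArgumentException.
fun buildImmutableOpenAppIntent(context: Context): PendingIntent {
    val intent = Intent(context, MainActivity::class.java)
    val flags = PendingIntent.FLAG_UPDATE_CURRENT or PendingIntent.FLAG_IMMUTABLE
    return PendingIntent.getActivity(context, /* requestCode = */ 0, intent, flags)
}
```

A quick review check for a code base is to grep for `FLAG_MUTABLE` and for `getActivity(`, `getService(`, `getBroadcast(` calls that pass neither flag; each hit should either be immutable or carry a comment explaining why the receiver must be able to fill in the Intent.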
Another issue concerned the handling of sensitive information within the user interface. Auditors found that account numbers entered on the login screen were displayed in plain text, and passwords used when configuring custom API access methods were also visible. Mullvad acknowledged that these fields should be protected against shoulder-surfing attacks and modified the application so that sensitive data is masked by default.
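One way to make such a field masked by default, as an added Jetpack Compose example that is not the Mullvad app's own code: the secret is hidden until the user explicitly reveals it, and the keyboard type tells the IME not to learn or suggest the value. The composable name SecretField, its parameters and the "Show"/"Hide" labels are assumptions for the illustration; the Compose APIs used are real.

```kotlin
import androidx.compose.foundation.text.KeyboardOptions
import androidx.compose.material3.OutlinedTextField
import androidx.compose.material3.Text
import androidx.compose.material3.TextButton
import androidx.compose.runtime.Composable
import androidx.compose.runtime.getValue
import androidx.compose.runtime.mutableStateOf
import androidx.compose.runtime.remember
import androidx.compose.runtime.setValue
import androidx.compose.ui.text.input.KeyboardType
import androidx.compose.ui.text.input.PasswordVisualTransformation
import androidx.compose.ui.text.input.VisualTransformation

// Text field for a secret (account number, API proxy password) that is
// masked by default; the user must tap "Show" to reveal it on screen.
// numeric = true selects a number-only keyboard for account-number style input.
@Composable
fun SecretField(
    label: String,
    value: String,
    onValueChange: (String) -> Unit,
    numeric: Boolean = false,
) {
    // Masked until the user opts in; the state resets when the screen is recreated.
    var revealed by remember { mutableStateOf(false) }

    OutlinedTextField(
        value = value,
        onValueChange = onValueChange,
        label = { Text(label) },
        singleLine = true,
        // Replace characters with dots unless explicitly revealed.
        visualTransformation = if (revealed) VisualTransformation.None
                               else PasswordVisualTransformation(),
        // Password keyboard types suppress autocorrect and IME learning.
        keyboardOptions = KeyboardOptions(
            keyboardType = if (numeric) KeyboardType.NumberPassword
                           else KeyboardType.Password
        ),
        trailingIcon = {
            TextButton(onClick = { revealed = !revealed }) {
                Text(if (revealed) "Hide" else "Show")
            }
        },
    )
}
```

The toggle is the usual trade-off between shoulder-surfing resistance and typo-free entry of long values; keeping the default at "hidden" is what matters for the compliance point, since a reveal that the user must request is a deliberate act rather than the screen's resting state.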
The assessment also highlighted a transparency issue where, after introducing support for in-app purchases through the Play Store, Mullvad failed to update its Google Play data collection declarations accordingly. The company stores a temporary link between a purchase and an account for up to 20 days to facilitate refunds, a practice already described in its privacy policy. Following the review, Mullvad updated its Google Play listing to include purchase history information within the platform's Data Safety section.
A final compliance issue involved the lack of an in-app account deletion mechanism. Mullvad said this omission was intentional because it considered account deletion to provide limited practical value while potentially creating opportunities for accidental or malicious account removals. Nevertheless, MAP requirements mandate an in-app deletion option, prompting the company to implement the feature.
In early 2025, Google introduced a “Verified” badge for VPN apps that successfully complete MASA Level 2 validation and meet additional eligibility criteria. The initiative builds on the existing Independent Security Review program, helping users identify VPN services that have undergone external security scrutiny.
Mullvad noted that its application is listed in the App Defense Alliance directory as independently reviewed. The company said Google has not yet published the corresponding certificate, but plans to make it available once issued. Technical summaries, test reports, and compliance documentation related to the assessment have also been published in Mullvad's GitHub repository.