
The Tor Project has published the results of a third-party security audit of its upcoming Tor VPN for Android, confirming that its core privacy architecture is sound.
However, several weaknesses, primarily tied to DNS handling and input validation, were uncovered and require remediation.
The assessment was conducted by German security firm Cure53 in June 2025. The audit covered both the Tor VPN Android app and Onionmasq, a Rust-based networking layer that handles traffic routing, DNS resolution, and interfaces with the Arti Tor client.
Cure53 performed a “crystal-box” penetration test and source code audit over a two-week period, analyzing the full codebase with access to internal materials. The team identified 18 issues in total, of which only four were classified as exploitable vulnerabilities, with the remainder categorized as lower-risk weaknesses or hardening opportunities. Importantly, the auditors found no fundamental flaws in the establishment of Tor tunnels or in traffic routing.
The Tor Project, a nonprofit organization best known for developing privacy-preserving tools such as the Tor Browser and maintaining the Tor network, has been expanding its mobile offerings recently. Tor VPN represents a significant step toward making network-wide Tor protection more accessible on smartphones, extending anonymity protections beyond the browser level.
Most of the identified issues cluster around two areas: insufficient input validation and weaknesses in DNS resolver design. Several could be used to cause denial of service (DoS). For example, the Onionmasq DNS implementation lacks rate limiting and cache expiration, so an attacker can flood the resolver with lookups whose results accumulate in the cache until memory is exhausted. Additional flaws in IPv4 address allocation and DNS caching logic could similarly be abused to crash the VPN service or disrupt connectivity.
The audit also uncovered missing validation checks in TCP packet parsing, which could allow malformed or malicious traffic to consume resources or trigger undefined behavior. While these issues do not directly compromise anonymity, they could degrade performance or availability if exploited.
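The kind of check the audit is pointing at, as an added example in Rust that is not Onionmasq's parser: a TCP header parser that validates the data-offset field and the option lengths before slicing. The naive variant shows the failure mode; in safe Rust it panics and takes the VPN process with it, which is the availability impact described above, and the same code in C would read past the buffer. The sample packet is constructed for the example.

```rust
const TCP_MIN_HDR: usize = 20;

/// Header fields plus borrowed views of the option bytes and the payload.
#[derive(Debug, PartialEq)]
pub struct TcpHeader<'a> {
    pub src_port: u16,
    pub dst_port: u16,
    pub seq: u32,
    pub ack: u32,
    pub data_offset: usize, // header length in bytes, 20..=60
    pub flags: u8,
    pub window: u16,
    pub options: &'a [u8],
    pub payload: &'a [u8],
}

#[derive(Debug, PartialEq)]
pub enum TcpParseError {
    TooShort { have: usize },
    BadDataOffset { words: u8 },
    TruncatedHeader { need: usize, have: usize },
    BadOption { kind: u8, len: u8 },
}

/// The shape of a parser that trusts the data-offset field. With offset 3 the
/// range 20..12 panics in safe Rust (an out-of-bounds read in C); with offset
/// 15 on a 26-byte packet it panics as well. Either way the process dies.
pub fn parse_tcp_naive(buf: &[u8]) -> (&[u8], &[u8]) {
    let data_offset = (buf[12] >> 4) as usize * 4;
    (&buf[TCP_MIN_HDR..data_offset], &buf[data_offset..])
}

/// Bounds-checked parse: every slice taken below is guaranteed in range.
pub fn parse_tcp(buf: &[u8]) -> Result<TcpHeader<'_>, TcpParseError> {
    if buf.len() < TCP_MIN_HDR {
        return Err(TcpParseError::TooShort { have: buf.len() });
    }
    let words = buf[12] >> 4;
    let data_offset = words as usize * 4;
    if data_offset < TCP_MIN_HDR {
        return Err(TcpParseError::BadDataOffset { words });
    }
    if data_offset > buf.len() {
        return Err(TcpParseError::TruncatedHeader { need: data_offset, have: buf.len() });
    }
    let (hdr, payload) = buf.split_at(data_offset);
    Ok(TcpHeader {
        src_port: u16::from_be_bytes([hdr[0], hdr[1]]),
        dst_port: u16::from_be_bytes([hdr[2], hdr[3]]),
        seq: u32::from_be_bytes([hdr[4], hdr[5], hdr[6], hdr[7]]),
        ack: u32::from_be_bytes([hdr[8], hdr[9], hdr[10], hdr[11]]),
        data_offset,
        flags: hdr[13],
        window: u16::from_be_bytes([hdr[14], hdr[15]]),
        options: &hdr[TCP_MIN_HDR..],
        payload,
    })
}

/// Walk the option list and return how many options it holds. The length
/// byte is the classic trap: 0 loops forever, 1 underflows the remaining
/// length, anything past the end reads out of bounds. All three are rejected.
pub fn validate_options(opts: &[u8]) -> Result<usize, TcpParseError> {
    let mut i = 0;
    let mut count = 0;
    while i < opts.len() {
        match opts[i] {
            0 => break,      // End of Option List
            1 => i += 1,     // NOP is a single byte
            kind => {
                let len = opts.get(i + 1).copied()
                    .ok_or(TcpParseError::BadOption { kind, len: 0 })?;
                if len < 2 || i + len as usize > opts.len() {
                    return Err(TcpParseError::BadOption { kind, len });
                }
                i += len as usize;
            }
        }
        count += 1;
    }
    Ok(count)
}

/// Constructed sample: a SYN from port 8080 to 443 with a 24-byte header
/// carrying an MSS option (1460) and a two-byte payload.
pub fn sample_syn() -> Vec<u8> {
    vec![
        0x1f, 0x90, 0x01, 0xbb,             // ports
        0x00, 0x00, 0x00, 0x01,             // seq
        0x00, 0x00, 0x00, 0x00,             // ack
        0x60, 0x02, 0xff, 0xff,             // data offset 6 words, SYN, window
        0x00, 0x00, 0x00, 0x00,             // checksum, urgent pointer
        0x02, 0x04, 0x05, 0xb4,             // MSS = 1460
        b'h', b'i',                         // payload
    ]
}
```

The point of returning a typed error rather than panicking is that a single hostile segment is dropped and counted, while the tunnel and every other flow keep running.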
Beyond DoS-related risks, Cure53 highlighted several security hardening gaps. These include the absence of certificate pinning for secure bridge distribution, opening the door to potential man-in-the-middle attacks in hostile networks, as well as the use of predictable randomness when selecting Tor bridges. On the mobile side, the app was found to store configuration data in plaintext and lacked root detection mechanisms, both considered common but notable security shortcomings.
One high-severity issue was identified in an Apple-specific FFI component, where unsafe memory handling could enable out-of-bounds reads. However, this component was outside the primary Android scope and does not directly impact the Android app’s current threat model.
The overall security posture was evaluated positively. Cure53 noted that Tor VPN’s modular architecture helps contain potential compromises, ensuring that weaknesses in components like DNS handling do not directly undermine tunnel integrity.
The Tor Project stated that all issues are being tracked and addressed as part of ongoing development, with the audit helping prioritize improvements in validation, resource management, and the adoption of hardened libraries.