- Security company Cure53 conducted a penetration test on TorVPN for Android and its Onionmasq network layer in June 2025.
- The assessment did not reveal any fundamental flaws in the way the application routes traffic or establishes secure tunnels to the Tor network.
- Developers are currently fixing low-level DNS and input validation bugs that could potentially lead to a denial of service in rare scenarios.
For millions of users around the world, the Tor network is the gold standard for maintaining anonymity online. Now the developers behind the project are getting closer to launching a dedicated mobile app, and a new independent code audit suggests the technical foundations are rock solid.
In recent years, the privacy organization has worked to expand its mobile offerings, including the continued development of TorVPN. The ultimate goal is to make Tor-based protections much more accessible to everyday smartphone users while retaining the tight security guarantees the network is known for.
As part of this ongoing mission, the Tor Project recently commissioned popular cybersecurity company Cure53 to rigorously test TorVPN for Android.
According to a post on the official Tor Project forum, penetration testing took place in June 2025, evaluating both the Android app and its underlying network layer, known as Onionmasq.
Although the mobile app is not yet ready to challenge the best VPN providers on the market, the results are incredibly promising. Cure53 reported that the software successfully meets its key security requirements, paving the way for a safer and more private mobile browsing experience.
Under the hood of TorVPN
Unlike traditional consumer VPN services that route your traffic through a centralized server, the TorVPN Android app routes traffic from a user’s devices through the decentralized Tor network. This makes it much more difficult for Internet service providers or bad actors to track your digital footprint.
Because this level of anonymity requires flawless execution, Cure53’s review took a close look at how TorVPN establishes its connections. The security company also tested Onionmasq, a Rust-based tunnel interface that handles everything from low-level network traffic forwarding and TCP/UDP parsing to DNS resolution and routing traffic to the Tor network via the Arti implementation.
Fortunately, the main lessons are very positive. Writing on the official forum, a Tor Project representative confirmed: “The audit found that Tor’s core integration remains robust, with no fundamental issues in tunnel establishment or routing.”
Fix the latest bugs
While key privacy features work securely, Cure53 has reported a handful of technical issues that need to be fixed before wider deployment.
The majority of these vulnerabilities centered around “incomplete input validation and weaknesses in DNS management.” According to the forum post describing the audit results, these specific flaws could theoretically be exploited to create “denial of service conditions under certain rare conditions,” which would temporarily crash or disrupt the application.
Testers also suggested implementing better cryptographic hardening, specifically highlighting certificate pinning and randomness as areas for improvement. Additionally, the audit highlighted some typical mobile security quirks, including “configuration storage in clear text and lack of root detection.”
If you can’t wait to try the app to secure your smartphone, the good news is that the Tor Project team is already working on the fixes. The organization said all findings are currently being tracked and actively addressed as part of its ongoing security work. With the team using this audit to prioritize resource management, strengthen validation, and implement established security libraries, the final version of TorVPN for Android promises to be a powerful privacy-focused tool.




