How ExpressVPN ensures no one can slip malware into your apps

It takes many people, working across many systems, to produce and maintain an ExpressVPN app. To do it safely, we have to make sure everyone involved is properly vetted, set up, and trained. But that’s not enough.

We also have to be sure that no one from outside our company has the chance to interfere with the process. That’s why we’ve implemented a rigorous build verification procedure, which ensures that no third parties are able to make unauthorized modifications to our software, including the injection of malware.

Just as water supplies are protected so you can trust what comes out of your tap, our software is guarded from contamination of malicious code from creation to delivery to you. And now we’ve had those safeguards independently reviewed.

Minimizing the risk of contamination

In recent years, we’ve seen several instances of major technology companies, including PC makers, releasing software and hardware to customers that had been infected with malicious code at some point during development or distribution.

With that in mind, we’ve developed a verification system that sharply reduces the risk that a compromised individual or machine could result in our inadvertently distributing malware to our customers.

That means you can use ExpressVPN apps confident that they don’t contain any unauthorized or malicious code.

A few of the policies and procedures we’ve implemented:

• The use of PGP encryption keys issued by ExpressVPN for all source code changes
• The requirement that all code changes be approved by an authorized person different from the individual who made the change
• Automated audits of changes, with alerts for unexpected changes, which are followed up in person
• The use of only the automated build environments CircleCI and Azure DevOps for the production of binaries distributed to customers

Our verification processes have been subject to an assurance engagement by PwC Switzerland

But how do you know our claims about our policies are accurate? That’s where the independent auditing firm PwC Switzerland comes in.

To validate these safeguards, PwC Switzerland conducted an independent assurance engagement that examined the policies and controls we have in place to distribute apps that are free of unauthorized modifications. The practitioners performed their assurance work by accessing our source code, servers, documentation, and people during one point in time in May 2020.

The independent assurance report is available to customers. In line with PwC Switzerland’s standards for such reports, those seeking to view the report must acknowledge the firm’s terms and conditions before accessing it. Customers can do so by logging in via this link.

PwC Switzerland does not allow excerpts to be shared, in order to ensure none of the assurance results are taken out of context and misunderstood, so we won’t provide specifics about the results in this blog post. But we can say that we were pleased with the process and encourage customers to read the full report.

Taking the worry out of your security

At ExpressVPN, we’re always looking for potential threats to your privacy and security and finding solutions to reduce the risks.

Audits by trusted third parties, including our recent security assessment by Cure53 and last year’s PwC Switzerland audit of our privacy policy compliance and our in-house technology TrustedServer, provide independent reviews of the privacy and security commitments we make to customers.

These assurance engagements and security assessments complement our other trust and transparency efforts, including providing open-source leak testing tools, publicly detailing our security practices, and launching the VPN Trust Initiative, which aims to promote public awareness about internet safety.

At ExpressVPN, we strive to push the industry forward through both technology and transparency. We look forward to publishing more audits, tools, and insights that enable you to hold us to that commitment.