- Security company Cure53 conducted a penetration test on TorVPN for Android and its Onionmasq network layer in June 2025.
- The evaluation found no fundamental flaws in the way the app routes traffic or establishes secure tunnels to the Tor network.
- Developers are currently fixing low-level DNS and input validation errors that could lead to a denial of service in rare scenarios.
For millions of users around the world, the Tor network is the gold standard for staying anonymous online. Now, the developers behind the project are getting closer to releasing a dedicated mobile app, and a new independent code audit suggests the technical foundations are rock solid.
In recent years, the privacy organization has been working to expand its mobile offering, including the continued development of TorVPN. The ultimate goal is to make Tor-based protections much more accessible to everyday smartphone users, while maintaining the strict security guarantees the network is famous for.
As part of this ongoing mission, the Tor Project recently commissioned renowned cybersecurity firm Cure53 to rigorously test TorVPN for Android.
According to a post on the official Tor Project forum, penetration testing took place in June 2025, evaluating both the Android app and its underlying network layer, known as Onionmasq.
While the mobile app is not yet ready to challenge the best VPN providers on the market, the results are incredibly promising. Cure53 reported that the software successfully maintains its basic security requirements, paving the way for a more secure and private mobile browsing experience.
Under the hood of TorVPN
Unlike traditional consumer VPN services that route their traffic through a centralized server, the TorVPN Android app routes traffic from a user’s device through the decentralized Tor network. This makes it much more difficult for Internet service providers or malicious actors to track your digital footprint.
Because this level of anonymity requires flawless execution, Cure53’s evaluation took a closer look at how TorVPN establishes its connections. The security firm also tested Onionmasq, a Rust-based tunneling interface that handles everything from low-level network traffic forwarding and TCP/UDP parsing to DNS resolution and routing traffic to the Tor network via the Arti implementation.
Fortunately, the main conclusions are very positive. Writing on the official forum, a Tor Project representative confirmed: “The audit found that Tor’s core integration remains robust, with no fundamental issues in tunnel establishment or routing.”
Fixing the remaining issues
While the core privacy features work securely, Cure53 pointed out a number of technical issues that need to be addressed before a broader rollout.
Most of these findings concerned “incomplete input validation and weaknesses in DNS handling.” According to the forum post describing the audit results, these specific flaws could, in theory, be exploited to create “denial of service conditions under certain rare conditions,” which would temporarily crash or disrupt the application.
Testers also suggested implementing better cryptographic hardening, specifically pointing out certificate pinning and randomness as areas for improvement. Additionally, the audit noted some findings typical of mobile security assessments, including “plain text configuration storage and lack of root detection.”
If you are eager to try the app to protect your smartphone, the good news is that the Tor Project team is already working on fixes. The organization stated that all findings are currently being actively tracked and addressed as part of its ongoing security work. By using this audit to prioritize resource management, strengthen validation, and implement established security libraries, the final version of TorVPN for Android is shaping up to be a powerful privacy-first tool.




