- Security firm Cure53 performed a penetration test on TorVPN for Android and its Onionmasq networking layer in June 2025.
- The assessment found no fundamental flaws in how the application routes traffic or establishes secure tunnels to the Tor network.
- Developers are currently patching low-level DNS and input validation bugs that could potentially lead to denial-of-service in rare scenarios.
For millions of users worldwide, the Tor network is the gold standard for staying anonymous online. Now, the developers behind the project are moving closer to launching a dedicated mobile application, and a new independent code audit suggests the technical foundations are rock solid.
In recent years, the privacy organization has been working to expand its mobile offerings, including the ongoing development of TorVPN. The ultimate goal is to make Tor-based protections much more accessible to everyday smartphone users while maintaining the strict security guarantees the network is famous for.
As part of this ongoing mission, the Tor Project recently commissioned renowned cybersecurity firm Cure53 to rigorously test TorVPN for Android.
According to a post on the official Tor Project Forum, the penetration testing took place in June 2025, evaluating both the Android application and its underlying networking layer, known as Onionmasq.
While the mobile app isn't ready to challenge the overall best VPN providers on the market just yet, the results are incredibly promising. Cure53 reported that the software successfully maintains its core security requirements, paving the way for a safer, more private mobile browsing experience.
Under the hood of TorVPN
Unlike traditional consumer VPN services that route your traffic through a centralized server, the TorVPN Android application routes a user's device traffic through the decentralized Tor network. This makes it significantly harder for internet service providers or malicious actors to track your digital footprint.
Because this level of anonymity requires flawless execution, Cure53's assessment looked closely at how TorVPN establishes its connections. The security firm also tested Onionmasq, a Rust-based tunnel interface that handles everything from low-level network traffic forwarding and TCP/UDP parsing to DNS resolution and routing traffic to the Tor network via the Arti implementation.
Thankfully, the major takeaways are highly positive. Writing on the official forum, a Tor Project representative confirmed: "The audit found that Tor's core integration remains robust, with no fundamental issues in tunnel establishment or routing."
Ironing out the final bugs
While the core privacy features are functioning securely, Cure53 did flag a handful of technical concerns that need to be patched before a wider rollout.
The majority of these vulnerabilities centered on "incomplete input validation and weaknesses in DNS handling." According to the forum post outlining the audit results, these specific flaws could theoretically be exploited to create "denial-of-service conditions in certain rare conditions," which would temporarily crash or disrupt the application.
Testers also suggested implementing better cryptographic hardening, specifically pointing out certificate pinning and randomness as areas for improvement. Additionally, the audit noted some typical mobile security quirks, including "plaintext configuration storage and lack of root detection."
If you're eager to try the app to secure your smartphone, the good news is that the Tor Project team is already on the case. The organization stated that all findings are currently being tracked and actively addressed as part of its ongoing security work. By using this audit to prioritize resource management, tighten validation, and implement established security libraries, the final version of TorVPN for Android is shaping up to be a powerful, privacy-first tool.