Code audit for Tor VPN completed by Cure53

by micah | April 15, 2026

Over the past several years, the Tor Project has been working to expand its mobile privacy offerings, including the development of TorVPN and its supporting components. This work is aimed at making Tor-based protections more accessible while maintaining strong security guarantees.

As part of this effort, in June 2025, Cure53 conducted a penetration test and source code audit of TorVPN for Android.

The assessment covered both the Android application and the underlying Onionmasq networking layer responsible for DNS resolution and traffic handling.

Audit findings

The audit covered two primary areas:

  • TorVPN for Android: the mobile application responsible for routing device traffic through the Tor network

  • Onionmasq / Tunnel Interface for Arti: the Rust-based networking tunnel layer handling low-level network traffic forwarding, including TCP/UDP parsing, DNS resolution, and routing to the Tor network through Arti.

Key findings

The audit found that Tor’s core integration remains robust, with no fundamental issues in tunnel establishment or routing. Most findings instead cluster around two areas: incomplete input validation, and weaknesses in DNS handling that could, under rare conditions, lead to denial of service.

Additional issues included cryptographic hardening suggestions (such as certificate pinning and randomness), and typical mobile security concerns like plaintext configuration storage and lack of root detection.
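The page summarises the input-validation and DNS findings without detailing them, so the following is an added illustration of the class of issue rather than the report's actual finding or Onionmasq's code: a DNS name decoder that bounds the work an attacker-controlled message can force on it. The specific checks (a 255-byte name limit, compression pointers that must point strictly backwards, rejection of unknown label types, and bounds checks on every read) are standard hardening for this kind of parser and are assumptions of this example, not findings quoted from Cure53. The sample messages are constructed for the example.

```rust
// Added example, not Onionmasq's, Arti's or Cure53's code. It shows how a
// DNS name decoder validates untrusted input so that no message can make
// it loop, over-read, or build an unbounded name. The limits below are
// this example's assumptions about sensible hardening.

/// RFC 1035 caps a wire-format name at 255 octets.
const MAX_NAME_LEN: usize = 255;

#[derive(Debug, PartialEq)]
pub enum NameError {
    /// A length or pointer reached past the end of the message.
    Truncated,
    /// The accumulated name would exceed MAX_NAME_LEN.
    TooLong,
    /// Label type bits 01 or 10 are not valid in a plain name.
    BadLabelType,
    /// A compression pointer did not point strictly backwards; a
    /// self-referencing or forward pointer is the classic way to make
    /// a naive decoder spin forever.
    PointerNotBackward,
}

/// Decode a (possibly compressed) domain name starting at `offset`.
/// Returns the textual name and the offset just past the name in the
/// original (non-pointer) byte stream.
pub fn read_name(msg: &[u8], offset: usize) -> Result<(String, usize), NameError> {
    let mut labels: Vec<String> = Vec::new();
    let mut pos = offset;
    // Offset after the first pointer we followed; that is where the
    // caller's cursor should continue.
    let mut end: Option<usize> = None;
    // Every pointer target must be strictly below this value, which is
    // lowered on each hop, so the walk terminates without a hop counter.
    let mut bound = offset;
    let mut total_len = 0usize;

    loop {
        let len = *msg.get(pos).ok_or(NameError::Truncated)? as usize;
        match len >> 6 {
            0b00 => {
                pos += 1;
                if len == 0 {
                    // Root label terminates the name.
                    let after = end.unwrap_or(pos);
                    let name = if labels.is_empty() { ".".to_string() } else { labels.join(".") };
                    return Ok((name, after));
                }
                total_len += len + 1;
                if total_len > MAX_NAME_LEN {
                    return Err(NameError::TooLong);
                }
                let bytes = msg.get(pos..pos + len).ok_or(NameError::Truncated)?;
                labels.push(String::from_utf8_lossy(bytes).into_owned());
                pos += len;
            }
            0b11 => {
                let lo = *msg.get(pos + 1).ok_or(NameError::Truncated)? as usize;
                let target = ((len & 0x3f) << 8) | lo;
                if end.is_none() {
                    end = Some(pos + 2);
                }
                if target >= bound {
                    return Err(NameError::PointerNotBackward);
                }
                bound = target;
                pos = target;
            }
            _ => return Err(NameError::BadLabelType),
        }
    }
}

fn main() {
    // Constructed sample: "example.com" at offset 0, then "www" followed by
    // a compression pointer back to offset 0.
    let msg = b"\x07example\x03com\x00\x03www\xc0\x00";
    match read_name(msg, 13) {
        Ok((name, next)) => println!("decoded {name}, cursor now at {next}"),
        Err(e) => println!("rejected: {e:?}"),
    }
    // A two-byte message whose pointer refers to itself is rejected
    // instead of looping.
    println!("{:?}", read_name(b"\xc0\x00", 0));
}
```

The point of the example is the shape of the checks, not their exact values: every slice access goes through `get` so a bad length cannot over-read, the name length is accumulated and capped before any allocation grows, and the pointer rule is a strictly decreasing bound rather than a hop counter, which makes termination a property of the data rather than a tunable.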

Next steps

All findings are being tracked and addressed as part of ongoing security work. This audit helps prioritize improvements around validation, resource management, and the use of established libraries for security-critical functionality.

Read the full audit report

For detailed findings and recommendations, please see the complete audit report here


This is a companion discussion topic for the original entry at https://blog.torproject.org/code-audit-tor-vpn

Cannot understand Cure53’s stand on root detection at all. An attacker cannot get root easily on today’s devices automatically. If there is root, then the user has chosen it and already has full responsibility for it.

Root detection is generally seen in closed-source apps by banks and big tech. Their app is even hardened and code obfuscated. I just wonder if Cure53 also thinks closed source and that kind of ‘hardening’ would improve security.

I remind you that the most common use case of the Tor executable is on Linux distros, which come with root access.

I know that newer Android versions bring better security and isolation between apps, but I also don’t like it when my old devices are forced to be thrown away just because apps I sometimes need to use say so.

… Or someone else rooted the phone without them knowing, which is common for victims of abusive relationships, or, though less likely, some military-grade spyware.

I don’t see anything wrong with an app that’s supposed to give user security/privacy assurance warning users about rooted devices. If the user is technologically sophisticated enough to root their phones, they can just ignore the warning message, or maybe turn the warning off (if given the option). But if the user doesn’t even know what “rooting their phone” means, it should be a red flag that their device has been compromised and should not be used to communicate secret matters (like abortion-related stuff).

I would hope, however, that the “root detection” be expanded to a more complete “abnormal execution environment detection” that also detects other features that are not commonly used but could be exploited by malicious actors and stalkerware (like enabled accessibility services and enabled device administrators), if it’s to be implemented.

And Orbot.

As long as TorVPN doesn’t prevent users from starting it when root is detected, I see no problem.

And I remind you that most Android phones don’t have root access, which makes it an anomaly.