- Security firm Cure53 conducted a penetration test on TorVPN for Android and its Onionmasq network layer in June 2025.
- The assessment found no fundamental flaws in how the application routes traffic or establishes secure tunnels to the Tor network.
- Developers are currently fixing low-level DNS and input validation errors that could potentially lead to denial-of-service in rare scenarios.
For millions of users worldwide, the Tor network is the gold standard for staying anonymous online. Now the developers behind the project are moving closer to launching a dedicated mobile application, and a new independent code audit suggests that the technical foundation is rock solid.
In recent years, the privacy organization has worked to expand its mobile offerings, including the ongoing development of TorVPN. The ultimate goal is to make Tor-based protections much more accessible to everyday smartphone users, while maintaining the strict security guarantees the network is famous for.
As part of this ongoing mission, the Tor Project recently commissioned renowned cybersecurity firm Cure53 to thoroughly test TorVPN for Android.
According to a post on the official Tor Project Forum, the penetration test took place in June 2025, evaluating both the Android application and its underlying network layer, known as Onionmasq.
Although the mobile app is not yet ready to challenge the overall best VPN providers on the market, the results are incredibly promising. Cure53 reported that the software successfully maintains its core security requirements, paving the way for a safer, more private mobile browsing experience.
Under the hood of TorVPN
Unlike traditional consumer VPN services that route your traffic through a centralized server, the TorVPN Android application routes a user’s device traffic through the decentralized Tor network. This makes it significantly more difficult for ISPs or malicious actors to trace your digital footprint.
Because this level of anonymity requires flawless execution, Cure53’s assessment looked closely at how TorVPN establishes its connections. The security firm also tested Onionmasq, a Rust-based tunneling interface that handles everything from low-level network traffic and TCP/UDP parsing to DNS resolution and routing traffic to the Tor network via the Arti implementation.
Fortunately, the big takeaways are very positive. Writing on the official forum, a representative of the Tor Project confirmed: “The audit found that Tor’s core integration remains robust, with no fundamental problems in tunneling or routing.”
Fixing the last bugs
While the core privacy features work securely, Cure53 has flagged a handful of technical issues that need to be fixed before a wider rollout.
The majority of these vulnerabilities centered on “incomplete input validation and weaknesses in DNS handling.” According to the forum post outlining the audit findings, these specific bugs could theoretically be exploited to create “denial-of-service conditions under certain rare conditions” that would temporarily crash or disrupt the application.
Testers also recommended stronger cryptographic hardening, specifically pointing to certificate pinning and randomness as areas for improvement. In addition, the review noted some typical mobile security weaknesses, including “plain text configuration retention and lack of root detection.”
If you’re eager to try the app to secure your smartphone, the good news is that the Tor Project team is already on the case. The organization stated that all findings are currently being tracked and actively addressed as part of its ongoing security efforts. With the audit being used to prioritize resource management, tighten validation, and implement established security libraries, the final version of TorVPN for Android promises to be a powerful privacy-first tool.



