This blog post summarizes a whitebox security review conducted by 7ASecurity against the ArgoVPN platform.
What is ArgoVPN?
ArgoVPN is a free VPN with unlimited bandwidth, developed for Android devices. It allows users to reach blocked websites, online services, social media and messaging apps. The developers designed ArgoVPN to meet the needs of Iranian citizens, enabling them to bypass Internet censorship in Iran with premium features similar to those found in commercial VPNs.
The Audit
The ArgoVPN Team solicited a whitebox security review of the ArgoVPN platform, and 7ASecurity executed it in March 2023. This review is the third penetration test for the project, so the team expected finding new security weaknesses to be particularly challenging: fewer vulnerabilities are typically found after multiple cycles of testing and fixing.
During this iteration the goal was to review the tool as thoroughly as possible, to ensure ArgoVPN users can be provided with the best possible security and privacy.
A number of necessary arrangements were in place by February 2023, to facilitate a straightforward commencement for 7ASecurity. To enable effective collaboration, the team relayed information to coordinate the test through email, as well as a shared Signal channel. The ArgoVPN team was helpful and responsive throughout the audit, even during out of office hours and weekends, which ensured that 7ASecurity was provided with the necessary access and information at all times, thus avoiding unnecessary delays. 7ASecurity provided regular updates regarding the audit status and its interim findings during the engagement.
The security audit identified two vulnerabilities and eleven hardening recommendations with lower exploitation potential.
Overall, the ArgoVPN solution defended itself well against a broad range of attack vectors. Given that this was the third audit, the relatively small number of findings in this iteration demonstrates the value of regular penetration testing. The platform will become increasingly difficult to attack as additional cycles of security testing and subsequent hardening continue.
From a security perspective, ArgoVPN provided a number of positive impressions during this assignment that must be mentioned here:
- First of all, the ArgoVPN team was very responsive during the test and promptly fixed the vast majority of security and privacy weaknesses identified. By the time the report was sent, most fixes and privacy improvements were already implemented.
- The mobile app and backend servers expose relatively little attack surface, which greatly reduces the opportunity for security vulnerabilities. Similarly, no evidence could be found to suggest that either the mobile or backend components store sensitive data or PII. The ArgoVPN servers are configured to prevent unnecessary port exposure, dictionary attacks and leaks via stored logs. Another positive impression in this regard is that secrets are encrypted at rest in Java properties files using Jasypt.
- The code audit performed on all components left a positive impression: the source code appears to be mature, previously audited, professionally written and appropriately commented, leaving little room for security or privacy concerns.
- The platform is built on solid foundations; for example, the infrastructure and servers are adequately configured, patched and hardened. Trust in popular cloud providers (e.g. Cloudflare) is successfully leveraged to circumvent the Internet restrictions imposed by the local government.
- The mobile application was found to be safe from Denial-of-Service (DoS), redirect vulnerabilities, Deeplink attacks, as well as leaks via Android backups, log messages or screenshots. Additionally, it correctly protects DNS traffic via DNS over HTTPS (DoH) by default, except for Iranian users, where this type of traffic is blocked. All in all, ArgoVPN user traffic is sufficiently protected with two layers of encryption, as well as an adequate selection of encryption algorithms. Furthermore, once the VPN connection is established, network traffic generated by the ArgoVPN app is indistinguishable from regular HTTPS traffic.
- The ArgoVPN backend servers were found to be robust against many traditional web application attack vectors. For example, no Command Injection, SQLi, XSS, CSRF, SSRF or RCE issues could be identified during this assignment. Furthermore, strict output encoding is applied to every user-supplied parameter, and the user-banning mechanism was found to be well implemented.
- Access control appears to be generally well implemented: unauthorized users are unable to query the APIs. Additionally, the servers authenticate requests with credentials and restrict access to allow-listed IP addresses where possible.
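The bullet above mentions that ArgoVPN keeps secrets encrypted at rest in Java properties using Jasypt. The following is an added illustration of that pattern, written for this post and not taken from the ArgoVPN code base: a plaintext `db.password` entry is compared with the `ENC(...)` form that Jasypt's `EncryptableProperties` decrypts transparently on lookup. The property names, the environment variable `APP_MASTER_PASSWORD` and the sample values are assumptions chosen for the example; the algorithm and iteration settings are ordinary Jasypt 1.9.3 API calls, not a description of ArgoVPN's configuration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;
import org.jasypt.properties.EncryptableProperties;

public class JasyptPropertiesExample {

    // Builds a PBE string encryptor keyed from a master password.
    // Jasypt's default algorithm is PBEWithMD5AndDES; an AES-256 algorithm
    // with a random IV and a high iteration count is explicitly selected here.
    static StandardPBEStringEncryptor newEncryptor(String masterPassword) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPassword(masterPassword);
        enc.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
        enc.setIvGenerator(new RandomIvGenerator());
        enc.setKeyObtentionIterations(100000);
        return enc;
    }

    // Weak form (hypothetical file content): the credential sits in cleartext,
    // so anyone who can read the properties file, a backup or a log that echoes
    // the configuration has the secret.
    static final String PLAINTEXT_PROPERTIES =
            "db.url=jdbc:postgresql://db.internal:5432/app\n" +
            "db.password=hunter2\n";

    // Hardened form: only the ENC(...) ciphertext is written to disk; the
    // master password is supplied at runtime (here via an environment variable).
    static String encryptedProperties(StandardPBEStringEncryptor enc, String dbPassword) {
        return "db.url=jdbc:postgresql://db.internal:5432/app\n" +
               "db.password=ENC(" + enc.encrypt(dbPassword) + ")\n";
    }

    // EncryptableProperties returns ENC(...) values decrypted on getProperty(),
    // and leaves every other value untouched.
    static Properties load(StandardPBEStringEncryptor enc, String content) throws IOException {
        Properties props = new EncryptableProperties(enc);
        props.load(new StringReader(content));
        return props;
    }

    public static void main(String[] args) throws IOException {
        String master = System.getenv("APP_MASTER_PASSWORD");
        if (master == null || master.isEmpty()) {
            System.err.println("Set APP_MASTER_PASSWORD to a strong master password first.");
            System.exit(1);
        }
        StandardPBEStringEncryptor enc = newEncryptor(master);

        // The cleartext file yields the secret to anyone who can read it.
        Properties weak = load(enc, PLAINTEXT_PROPERTIES);
        System.out.println("cleartext file exposes: " + weak.getProperty("db.password"));

        // The hardened file stores only ciphertext; the same lookup still works
        // for the application because decryption happens in memory at load time.
        String hardenedFile = encryptedProperties(enc, "hunter2");
        System.out.println("on-disk form:\n" + hardenedFile);
        Properties hardened = load(enc, hardenedFile);
        System.out.println("decrypted at runtime: " + hardened.getProperty("db.password"));
    }
}
```

Two caveats a reviewer would check when auditing this setup: the master password must itself live outside the properties file (environment, secret manager or a file with restricted permissions), otherwise the encryption only adds indirection; and because the value is decrypted in memory, logging or error-reporting paths that dump the loaded `Properties` object still leak it.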
Conclusion
7ASecurity would like to take this opportunity to sincerely thank Nariman Gharib and the rest of the ArgoVPN team for their exemplary assistance and support throughout this audit. The ArgoVPN team was helpful and responsive throughout the audit, even during out of office hours and weekends, and promptly fixed all significant issues before the engagement was over.
“Our experience with 7ASecurity during the security audit was nothing short of remarkable. Their team of seasoned professionals managed to identify vulnerabilities that had even our in-house experts astounded. Throughout the course of the audit, we eagerly anticipated their insights and findings, knowing that each one was a step towards strengthening our defenses.
The 7ASecurity team displayed extraordinary diligence and expertise, and their contributions have greatly enhanced the security of ArgoVPN. As a result of their diligent efforts, we are now more equipped than ever to serve our Iranian customers with the assurance that we are mitigating major security concerns effectively.
We express our heartfelt gratitude to 7ASecurity for their exceptional work. Their audit has significantly increased our confidence in the safety of our services, and we would highly recommend their services to any organization that values robust security.”
Nariman Gharib, ArgoVPN Team
You can find the full ArgoVPN audit report below.