At Psiphon, we’re committed to open source development. We talked about this in a previous blog post, and you can access our source code here.

We were recently offered the chance to take this openness a step further with a formal security audit of our Windows and Android products, to be carried out by iSEC Partners. As part of our effort to be transparent in the way we operate, we are pleased to publish this report in full, which you can access here.

Overall, we are very happy with the results of the security audit, and for it to be recognized that we are "actively invested in ensuring the security of [our] users". We have already addressed the one High Severity item uncovered by iSEC Partners, and will continue to address the other recommendations over time.

The main findings of the report are:

  • Psiphon follows most industry best-practices and takes measures to mitigate against attacks where it cannot.
  • Most findings were suggestions to further improve the system, particularly in relation to the growth in the number of people using the software.
  • No inherent architecture flaws were discovered.
  • One High Severity issue was found, related to automated server patching. We have now deployed automated server patching using Ansible.
  • Longer-term recommendations are being considered, and where appropriate built in to our development plans.

One particular finding of interest is the recognition by iSEC Partners that there is a potential for security issues related to the browser that we use for browser-only mode. We wrote about that recently when a new security flaw in the browser was discovered, and have already taken steps to mitigate against it.

We were very pleased to be given the opportunity to engage with this security review. We hope that you will find this report interesting, and that it will reassure you of our commitment to providing first-class software that will always be open source and secure.

Edited 2021-05-19 to update defunct Bitbucket links.