Code audit for Tor VPN completed by Cure53

by micah | April 15, 2026

Over the past several years, the Tor Project has been working to expand its mobile privacy offerings, including the development of TorVPN and its supporting components. This work is aimed at making Tor-based protections more accessible while maintaining strong security guarantees.

As part of this effort, in June 2025, Cure53 conducted a penetration test and source code audit of TorVPN for Android.

The assessment covered both the Android application and the underlying Onionmasq networking layer responsible for DNS resolution and traffic handling.

Audit findings

The audit covered two primary areas:

  • TorVPN for Android: the mobile application responsible for routing device traffic through the Tor network

  • Onionmasq / Tunnel Interface for Arti: the Rust-based networking tunnel layer handling low-level network traffic forwarding, including TCP/UDP parsing, DNS resolution, and routing to the Tor network through Arti.

Key findings

The audit found that Tor’s core integration remains robust, with no fundamental issues in tunnel establishment or routing. Most findings instead cluster around two areas: incomplete input validation, and weaknesses in DNS handling that could enable denial-of-service conditions under certain rare circumstances.

Additional issues included cryptographic hardening suggestions (such as certificate pinning and randomness), and typical mobile security concerns like plaintext configuration storage and lack of root detection.

Next steps

All findings are being tracked and addressed as part of ongoing security work. This audit helps prioritize improvements around validation, resource management, and the use of established libraries for security-critical functionality.

Read the full audit report

For detailed findings and recommendations, please see the complete audit report here.
