Ivacy VPN App Clears All 45 Security Test Cases for ioXT Certification


Smartphones and apps are more common now than ever before, and it would be challenging to imagine living without them. But you need to ask yourself whether your devices are safe and secure. How do you know your information is not being collected by your internet service provider and sold to third parties? How do you know which apps to trust? Fortunately, this is a lot easier now.

Ivacy VPN is proud to announce that it is one of the very few VPN providers out there to be certified by the ioXt Alliance. With this certification, users can rest easy knowing their online privacy and security are well guarded.

A Little About the ioXt Alliance

The ioXt Alliance includes some heavy hitters like Comcast, Amazon, and Google, to name a few. The Alliance is responsible for setting privacy and security standards to be met regarding the Internet of Things. The ioXt Alliance analyzes products and certifies them for compliance.

Apart from IoT products, ioXt has expanded its horizons to cater to VPN apps as well. Ivacy VPN takes pride in being one of the VPN providers with an ioXt certification for its security standards, setting a precedent for others to follow.

Users looking into ioXt certified products can rest easy knowing their data is not misused without their consent.

ioXt Evaluation Methodology for Ivacy VPN

Google retained NowSecure to perform an ioXt Compliance Assessment on the Ivacy VPN Test application for the Android platform(s).

NowSecure implements a five-stage process when performing a full scope security assessment. The results of this evaluation are matched against the ioXt Mobile Test Case Library. The process begins with information collection and planning, gathering customer requirements and required test materials.

When the assessment starts, the application is used thoroughly to observe its visual UI elements and to trigger all potential network communications. In addition, the application is internally monitored using debugging and hooking techniques.

That information is then used to identify vulnerabilities affecting users of the application and the application owner. Those vulnerabilities are then investigated further to determine whether they can be exploited to reveal user information or location, or to compromise confidentiality. Finally, that data is compiled into a final report that is delivered to the customer.

So how did ioXt evaluate Ivacy VPN? Let’s take a quick look:

  • Preparation & Planning

Apps, test environments, credentials, etc. are acquired for assessment.

  • Reconnaissance & Discovery

Open-source research and app information are collected. Network traffic and application method calls are also monitored during this phase.

  • Analysis

Risks and vulnerabilities are identified.

  • Intrusion & Manipulation

Identified vulnerabilities and risks are exploited using various attack methods to obtain more data.

  • Reporting

The final analysis is presented in a report. Suggestions regarding potential threats and solutions are provided.

ioXt Test Cases

Below is a list of all ioXt test cases that Ivacy passed to qualify for the ioXt certification.

1. Standard cryptography: This application passes PC1 as no weak cryptography or hardcoded keys were found.
2. Independently reviewed protocol, implementation, or open standard
3. Store cryptographic keys in the OS KeyStore
4. User credentials shall not be common or predictable, or the credentials must be required to change at initial use
5. Require authentication for remote services containing user data
6. Enforce a strong server-side password policy
7. Limit lifetime of authentication collateral
8. Detect and throttle guessing attacks
9. Availability of two-factor authentication for products that have a user-facing interface during initialization
10. Availability of two-factor authentication for products that have a user-facing interface during management
11. The app shall re-authenticate the user when displaying sensitive PII data or conducting sensitive transactions
12. The manufacturer has an update patch policy
13. Software images including plug-ins and apps are signed and verified
14. Proven Cryptography
15. Anti-Rollback: This application passes VS4 as we were able to successfully locate the application in the Google Play Store.
16. Store sensitive data only within the application container or system credential storage facilities
17. Provide a privacy policy
18. No sensitive data is logged
19. No sensitive data is leaked in the UI
20. Only necessary permissions are requested
21. Dependencies are patched from known security vulnerabilities
22. Remote Attack: All certifiable protocols used on the interfaces contained in the product shall be Certified
23. Remote Attack: Unused Services are disabled
24. Remote Attack: Authentication
25. Remote Attack: Secured Communications
26. Proximity Attack: Unused Services are disabled
27. Proximity Attack: Authentication
28. Proximity Attack: Secured Communications
29. Encrypt all network traffic, using verified TLS 1.2+ where possible
30. Limit access to IPC and sanitize data received by exported handlers
31. Endpoints do not expose unnecessary open services and are secured against any medium+ vulnerabilities
32. Enforce x509 certificate pinning for primary services
33. Software updates supported
34. Software is Maintained and Updated
35. Software updates are made available to impacted parties
36. Security updates applied automatically when product usage allows
37. VDP in place: This application passes VDP1 as this is no longer required.
38. Accept external submissions
39. Monitoring security-relevant components
40. End of life notification policy is published
41. Expiration Date is published
42. Review that acceptable protocols are supported and that the app defaults to a secure protocol in UI
43. Verify if network traffic is leaked outside of the VPN tunnel
44. Verify application supports Always-On, automatic reconnect to VPN and killswitch functionality
45. Verify if the VPN server attempts to intercept TLS connections or injects scripts into HTTP requests

About Ivacy VPN and the ioXt Alliance

Ivacy VPN takes great pride in receiving ioXt’s seal of approval and considers it an accomplishment for its dedication to empowering its users. Ivacy VPN, which is already a part of the VPN Trust Initiative, will continue its efforts to maintain transparency while giving users a private and secure digital environment to enjoy.

Embrace a New Industry Standard

Considering that the ioXt Alliance aims to create industry-wide compliance, it will not be long before users are free from VPN providers with ill intent. Alliances like the VPN Trust Initiative and the ioXt Alliance will undoubtedly keep users informed about what VPN services they should opt for and which they should stay clear of entirely.
