Ivacy VPN App Clears All 45 Security Test Cases for ioXT Certification
Smartphones and apps are more common now than ever before, and it would be challenging to imagine living without them. But you need to ask yourself whether your devices are safe and secure. How do you know your information is not being collected by your internet service provider and sold to third parties? How do you know which apps to trust? Fortunately, this is a lot easier now.
Ivacy VPN is proud to announce that it is one of the very few VPN providers out there to be certified by the ioXt Alliance. With this certification, users can rest easy knowing their online privacy and security are well-guarded.
A Little About the ioXt Alliance
The ioXt Alliance includes some heavy hitters like Comcast, Amazon, and Google, to name a few. The Alliance is responsible for setting privacy and security standards to be met regarding the Internet of Things. The ioXt Alliance analyzes products and certifies them for compliance.
Apart from IoT products, ioXt has expanded its horizons to cater to VPN apps as well. Ivacy VPN takes pride in being one of the VPN providers with an ioXt certification for its security standards, setting a precedent for others to follow.
Users looking into ioXt certified products can rest easy knowing their data is not misused without their consent.
ioXt Evaluation Methodology for Ivacy VPN
Google retained NowSecure to perform an ioXt Compliance Assessment on the Ivacy VPN Test application for the Android platform(s).
NowSecure implements a five-stage process when performing a full scope security assessment. The results of this evaluation are matched against the ioXt Mobile Test Case Library. The process begins with information collection and planning, gathering customer requirements and required test materials.
When the assessment starts, the application is used thoroughly to observe its visual UI elements and trigger all potential network communications. In addition, the application is internally monitored using debugging and hooking techniques.
That information is then used to identify vulnerabilities that affect users of the application and the application owner. Those vulnerabilities are then investigated further to identify their potential to be exploited to reveal user information or location, or to compromise confidentiality. Finally, that data is compiled into a final report that is delivered to the Customer.
So how did ioXt evaluate Ivacy VPN? Let’s take a quick look:
- Preparation & Planning
Apps, test environments, credentials, etc. are acquired for assessment.
- Reconnaissance & Discovery
Open-source research and app information are collected. Network traffic and application method calls are also monitored during this phase.
- Analysis
Risks and vulnerabilities are identified.
- Intrusion & Manipulation
Identified vulnerabilities and risks are exploited using various attack methods to obtain more data.
- Reporting
The final analysis is presented in a report. Suggestions regarding potential threats and solutions are provided.
ioXt Test Cases
Below is a list of all ioXt test cases that Ivacy passed to qualify for the ioXt certification.
1. Standard cryptography: This application passes PC1 as no weak cryptography or hardcoded keys were found.
2. Independently reviewed protocol, implementation, or open standard
3. Store cryptographic keys in the OS KeyStore
4. User credentials shall not be common or predictable, or the credentials must be required to change at initial use
5. Require authentication for remote services containing user data
6. Enforce a strong server-side password policy
7. Limit lifetime of authentication collateral
8. Detect and throttle guessing attacks
9. Availability of two-factor authentication for products that have a user-facing interface during initialization
10. Availability of two-factor authentication for products that have a user-facing interface during management
11. The app shall re-authenticate the user when displaying sensitive PII data or conducting sensitive transactions
12. The manufacturer has an update patch policy
13. Software images including plug-ins and apps are signed and verified
14. Proven Cryptography
15. Anti-Rollback: This application passes VS4 as we were able to successfully locate the application in the Google Play Store.
16. Store sensitive data only within the application container or system credential storage facilities
17. Provide a privacy policy
18. No sensitive data is logged
19. No sensitive data is leaked in the UI
20. Only necessary permissions are requested
21. Dependencies are patched from known security vulnerabilities
22. Remote Attack: All certifiable protocols used on the interfaces contained in the product shall be Certified
23. Remote Attack: Unused Services are disabled
24. Remote Attack: Authentication
25. Remote Attack: Secured Communications
26. Proximity Attack: Unused Services are disabled
27. Proximity Attack: Authentication
28. Proximity Attack: Secured Communications
29. Encrypt all network traffic, using verified TLS 1.2+ where possible
30. Limit access to IPC and sanitize data received by exported handlers
31. Endpoints do not expose unnecessary open services and are secured against any medium+ vulnerabilities
32. Enforce x509 certificate pinning for primary services
33. Software updates supported
34. Software is Maintained and Updated
35. Software updates are made available to impacted parties
36. Security updates applied automatically when product usage allows
37. VDP in place: This application passes VDP1 as this is no longer required.
38. Accept external submissions
39. Monitoring security-relevant components
40. End of life notification policy is published
41. Expiration Date is published
42. Review that acceptable protocols are supported and that the app defaults to a secure protocol in UI
43. Verify if network traffic is leaked outside of the VPN tunnel
44. Verify application supports Always-On, automatic reconnect to VPN and killswitch functionality
45. Verify if the VPN server attempts to intercept TLS connections or injects scripts into HTTP requests
About the Ivacy VPN and ioXt Alliance
Ivacy VPN takes great pride in receiving ioXt’s seal of approval and considers it an accomplishment for its dedication to empowering its users. Ivacy VPN, which is already a part of the VPN Trust Initiative, will continue its efforts to maintain transparency while giving users a private and secure digital environment to enjoy.
Embrace a New Industry Standard
Considering that the ioXt Alliance aims to create industry-wide compliance, it will not be long before users are free from VPN providers with ill intent. Alliances like the VPN Trust Initiative and the ioXt Alliance will undoubtedly keep users informed about what VPN services they should opt for and which they should stay clear of entirely.