Mullvad VPN announces two big security updates – here's what you need to know
Upgrades include version two of its Defense Against AI-guided Traffic Analysis and a security assessment of its Android app

Mullvad VPN can't always match the level of providers in our best VPN list, but it's a security and privacy powerhouse – and this title has been strongly reinforced with two new updates.
The Sweden-based provider has undergone a successful security assessment of its Android VPN app. This is joined by version two of its Defense Against AI-guided Traffic Analysis (DAITA).
Despite being fairly feature-lite, Mullvad excels where it really matters – privacy and security – and these updates further cement this position.
A secure Android VPN app
Mullvad's Android app (version 2024.9) has undergone a standardized security assessment, conducted by NCC Group, and passed with flying colors.
The assessment is called the Mobile Application Security Assessment (MASA) and is part of the App Defense Alliance – originally launched by Google but now part of the Linux Foundation.
Mullvad is a VPN veteran and one of the most private VPNs. It's secure, uses strong encryption, and previously commissioned app audits in 2018, 2020, 2022, and 2024 – our Mullvad VPN review details these credentials further.
However, this MASA assessment differs from Mullvad's previous audits. The older audits defined a threat model and instructed an independent firm to look at its code, binaries, and apps running on various devices.
MASA is a standardized black-box assessment against a set of industry-recognized security and testing criteria, meaning no code was reviewed this time round.
There are two assessment levels to MASA, Assessment Level 1 (AL1) and Assessment Level 2 (AL2). Both require an authorized independent test lab, but AL2 is more in-depth than AL1 and includes a manual assessment.
The testing criteria are based on the work of the Open Worldwide Application Security Project (OWASP), which continuously develops and publishes two standards: the Mobile Application Security Verification Standard (MASVS) and the Mobile Application Security Testing Guide (MASTG).
Mullvad's Android app passed all controls, with no fixes or modifications needed, and the results can be seen in the App Defense Alliance Directory entry.
Following the assessment, the app has been marked with a "verified" badge (also shown as "Independently verified" and "Independent security review") in the Google Play Store.
Defense against AI-powered attacks
The second update sees the release of version two of Mullvad's Defense Against AI-guided Traffic Analysis (DAITA) software.
AI-guided traffic analysis can analyze your data packets, looking to discover and connect patterns in your web traffic. Despite your data being encrypted, these patterns can help identify the sites you visit or who you communicate with.
DAITA uses two types of cover traffic to combat this. Constant packet sizes is the first: all data packets are made the same size to erase patterns AI can identify. Without this, data packet size can vary, making patterns easier to spot.
The second is the addition of dummy packets to add further distortion to network patterns, and this defense has been more finely tuned in DAITA v2. By more carefully inserting these dummy packets, half the amount is needed and speed is improved.
With DAITA v1, all VPN connections used the same set of rules governing the insertion of dummy packets. This made it easier for attackers with sufficient resources to create tailored attacks that could bypass DAITA.
When DAITA v2 is activated, Mullvad's servers randomly select and assign a dynamic configuration to the VPN connection, affecting how dummy packets are inserted.
VPN tunnels transporting the same data will now display unpredictable characteristics, and when a device recreates its VPN connection, a new configuration is selected.
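A toy model of the two DAITA defenses and the v1-to-v2 change described above, added here as an illustration and not Mullvad's code. The cell size, the pool of dummy-insertion rules and the payload sizes are constructed assumptions.

```python
import random

CELL = 1280  # constructed fixed packet size in bytes; not a value from Mullvad

# Constructed pool of dummy-insertion rules: (chance of a burst after a real
# packet, maximum burst length). Hypothetical, for illustration only.
CONFIGS = [(0.10, 2), (0.25, 1), (0.15, 3), (0.30, 2)]

def pad_to_constant_size(sizes, cell=CELL):
    """Split or pad each payload so every packet on the wire is `cell` bytes."""
    wire = []
    for size in sizes:
        wire.extend([cell] * max(1, -(-size // cell)))  # ceiling division
    return wire

def insert_dummies(wire, config, rng):
    """Follow some real packets with a burst of same-sized dummy packets."""
    chance, max_burst = config
    out = []
    for pkt in wire:
        out.append(pkt)
        if rng.random() < chance:
            out.extend([pkt] * rng.randint(1, max_burst))
    return out

def tunnel_trace(sizes, conn_id, per_connection_config):
    """Return (config, wire sizes) as a passive observer would record them."""
    rng = random.Random(conn_id)
    # v1-style: one rule set for everyone; v2-style: drawn per connection.
    config = rng.choice(CONFIGS) if per_connection_config else CONFIGS[0]
    return config, insert_dummies(pad_to_constant_size(sizes), config, rng)

def configs_seen(sizes, connections, per_connection_config):
    """Distinct rule sets an attacker must model across many connections."""
    return {tunnel_trace(sizes, c, per_connection_config)[0] for c in connections}

# Constructed payload sizes for one page load (bytes).
PAGE_LOAD = [310, 1460, 1460, 890, 52, 1460, 2600, 120]

if __name__ == "__main__":
    print("raw sizes   :", sorted(set(PAGE_LOAD)))
    print("padded sizes:", sorted(set(pad_to_constant_size(PAGE_LOAD))))
    for mode in (False, True):
        lens = [len(tunnel_trace(PAGE_LOAD, c, mode)[1]) for c in range(5)]
        print("per-connection config" if mode else "shared config", lens,
              len(configs_seen(PAGE_LOAD, range(50), mode)), "rule set(s)")
```

With a shared rule set, every connection follows one insertion pattern that can be modelled once; with a per-connection draw, the same page load produces traces governed by different rules each time the tunnel is rebuilt.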
Mullvad has said DAITA v3 is already on its roadmap, with a new type of defence being created.
A step in the right direction
These updates are very welcome and join other recent positive changes to Mullvad. In February, it joined the best Windows VPNs in launching its app for Windows-Arm devices utilising the Snapdragon X Elite processor.
It has also recently partnered with the newly-created Obscura VPN to offer a unique double hop service. Most double hop VPN features are operated by the same provider. But in the case of Obscura VPN, it operates the first server, whilst Mullvad operates the second. This provides an additional layer of security and privacy and means no one provider can see your entire traffic journey or identifiable information.
Mullvad is also inviting users to test the Alpha version of its upcoming Mullvad Browser.
Improvements and updates such as these will go a long way in helping Mullvad challenge the current VPN giants.
Disclaimer
We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.
George is a Staff Writer at Tom's Guide, covering VPN, privacy, and cybersecurity news. He is especially interested in digital rights, censorship, data, and the interplay between cybersecurity and politics. Outside of work, George is passionate about music, Star Wars, and Karate.