MASA Assessment Confirms Android App Security Improvements#
Source: https://www.mullvad.net/en/blog/2026/6/1/2026-security-assessment-of-our-android-app/
Mullvad’s Android app recently completed its second Mobile Application Security Assessment (MASA), confirming compliance with the Mobile App Profile (MAP) specification. The evaluation focused on version 2026.2 and identified minor issues that were addressed in version 2026.3-beta3, later released as 2026.3.
What Changed#
The assessment flagged six issues, most of which were operational adjustments rather than critical vulnerabilities:
- Immutable Pending Intents: Previously marked mutable, now converted to immutable to reduce potential misuse, though the risk was limited due to the app’s constrained intent usage.
- Sensitive Data Masking: Login account numbers and custom API passwords were displayed in plain text. These inputs are now hidden by default to prevent shoulder surfing.
- Data Collection Transparency: In-app purchase tracking for refunds was missing from the Google Play data collection disclosure. The listing now accurately reflects this.
- Account Deletion Mechanism: Originally unavailable to prevent misuse, an in-app deletion feature has been added to comply with MAP standards.
Why It Matters#
For users, these changes tighten operational security without altering core functionality. Masking sensitive inputs and enforcing immutable intents reduce exposure to low-probability attack vectors. Updated disclosures improve transparency and regulatory alignment. The added deletion mechanism ensures compliance while limiting potential abuse.
What to Check#
- Verify app version is 2026.3 or later to ensure all MASA findings are addressed.
- Review input fields for sensitive information masking.
- Confirm in-app deletion functionality is available if relevant to your workflow.
- Check Google Play data collection disclosures, particularly for purchase-linked data.
What Not to Overclaim#
- The issues identified were minor and not actively exploitable. There is no evidence of a user-impacting security breach.
- MASA compliance does not guarantee immunity to future vulnerabilities, only adherence to the MAP standard at the assessment time.
Practical Takeaways#
- Users can maintain operational confidence by updating to 2026.3.
- Security teams should note MASA as a validation step but continue monitoring app behavior and external dependencies.
- Transparency and compliance improvements are operational, not functional, changes that improve trust but do not alter VPN or traffic routing capabilities.
Overall, the assessment reflects disciplined operational security practices rather than reactive remediation. The app now aligns with current MAP standards and provides clear, inspectable mechanisms for sensitive data handling and account management.