To help users protect their privacy, the Google Play store now includes a prominent badge for MASA-audited VPNs. While an independent audit doesn’t guarantee that a VPN app is secure, it proves that the app developer is following basic privacy practices and has avoided some common security pitfalls. Non-VPN apps will feature a similar auditing label in the coming months.
Technically speaking, Google Play already showed a MASA auditing badge in the “Data safety” section of VPN app listings. This new label is more useful because it’s more obvious—it’s a big green shield, sort of like the verification badges on social media. (Google Play will also display an explanation of its “Independent Security Review” badge when you search for a VPN or other related apps.)
Independent auditing badges are made in association with the App Defense Alliance (ADA), which launched its Mobile App Security Assessment (MASA) auditing program in 2022. As explained by Google, MASA auditing proves that an app developer has “designed their apps to meet these industry mobile security and privacy minimum best practices.” The program also helps to identify basic security vulnerabilities that may have gone undetected by the app developer.
All told, the MASA program isn’t incredibly rigorous. But a low bar is still better than no bar. If a VPN app developer isn’t willing to prove that they’ve met the bare minimum security practices, they may be untrustworthy. After all, VPNs can access all of your web traffic and have an extremely high potential for abuse.
Note that the Google Play Store is supposed to reject malicious or insecure app listings. The new Independent Security Review badge is a neat idea, but it highlights the failure of Google’s app review process. Android users shouldn’t need to look for badges or labels—they should be able to confidently install any app from the Play Store.
The new Independent Security Review badge is currently rolling out. It may not immediately appear in your Play Store, and some trustworthy VPN apps haven’t undergone MASA auditing just yet. In its Security Blog post, Google claims that NordVPN and ExpressVPN are the first apps to receive the independent auditing badge.