Looking Behind the Bitmask: A Comprehensive Security Audit of Bitmask Android VPN - The Good, The Bad, and The Surprisingly Honest

Cover image: The little privacy robot that could - or could it?

Executive Summary: The TL;DR for the Impatient

Before you scroll away to another clickbait article, here’s the bottom line:

This VPN is actually what it claims to be.

After conducting an exhaustive security audit involving static code analysis, network traffic mapping, dependency inspection, and privacy claim verification, we found:

Risk Level: LOW - This is one of the few privacy-focused applications that actually deserves the label.

But hold on - before you go installing this on every device you own, read the entire article. There are some important caveats, particularly around the “trust model” that applies to any VPN, including this one.

Table of Contents

1. Introduction: Why We Did This
2. Methodology: How We Audited
3. Project Architecture Overview
4. Permission Analysis: What They Ask For
5. Network Endpoint Discovery: Where Does It Really Connect?
6. Data Collection Audit: What’s Being Tracked?
7. VPN Tunnel Security Analysis
8. Hidden Telemetry Detection: The Hunt for Sneaky Trackers
9. Code Obfuscation Analysis
10. Dependency and Supply Chain Audit
11. Backend Trust Model: The Elephant in the Room
12. Privacy Claim Verification: Fact vs Fiction
13. Deanonymization Risks: What Could Go Wrong?
14. The Riseup Factor: What Does the Provider Actually Do?
15. Conclusions and Recommendations

1. Introduction: Why We Did This

Every week, there’s a new VPN app hitting the app store with promises of “military-grade encryption,” “zero logging,” and “complete anonymity.” Most of these claims are nothing more than marketing fluff designed to separate you from your money - or worse, harvest your data while pretending to protect it.

Bitmask Android VPN presents itself as a privacy-focused, open-source VPN solution backed by the LEAP Encryption Access Project. It’s the engine behind Riseup VPN, a service popular among privacy-conscious users and activists worldwide.

The app claims: - No data collection - No logging - Anonymous VPN usage without registration - Open-source transparency - Tor integration for additional privacy

These are bold claims. We decided to put them to the test.

This audit was conducted with full access to the source code, which is publicly available on GitLab. We didn’t just take their word for it - we dug through every Java source file, traced every network connection, and verified every privacy-related claim against the actual implementation.

2. Methodology: How We Audited

Our audit followed a systematic, multi-phase approach designed to leave no stone unturned:

Phase 1: Repository Mapping

• Full directory structure analysis
• Identification of Android app modules
• Mapping of VPN core implementation
• Cataloging of networking layer components

Phase 2: Permission and Capability Review

• AndroidManifest.xml extraction and analysis
• Service and receiver identification
• Background job mapping
• Exported component analysis

Phase 3: Network Endpoint Discovery

• Full codebase grep for URLs, IPs, and domains
• Socket and connection pattern analysis
• Telemetry endpoint identification
• WebSocket connection detection

Phase 4: Data Collection Audit

• Device identifier collection analysis
• Storage access patterns
• Data transmission verification

Phase 5: VPN Tunnel Integrity

• Traffic routing verification
• Split tunneling analysis
• Kill switch verification
• IPv6 handling analysis

Phase 6: Hidden Telemetry Detection

• Analytics framework search
• Crash reporter identification
• Logging framework analysis
• Remote config system detection

Phase 7: Obfuscation and Suspicious Logic

• Code obfuscation detection
• Reflection usage analysis
• Dynamic loading patterns
• Encrypted string detection

Phase 8: Dependency and Supply Chain Audit

• Gradle dependency tree analysis
• SDK and library inspection
• Tracking library identification
• Supply chain risk assessment

Phase 9: Backend Trust Model Analysis

• Server infrastructure review
• Certificate pinning verification
• Update mechanism security

Phase 10: Privacy Claim Verification

• Advertised vs. actual behavior comparison
• Documentation review
• Implementation verification

3. Project Architecture Overview

The Bitmask Android VPN project is a well-structured Android application with several key components:

Technology Stack

Directory Structure

bitmask_android/
├── app/                    # Main Android application
│   └── src/main/java/se/leap/bitmaskclient/
│       ├── providersetup/  # Provider API communication
│       ├── eip/           # VPN configuration & tunnel
│       ├── tor/           # Tor integration
│       ├── tethering/     # Network sharing
│       └── base/          # Core utilities
├── ics-openvpn/           # OpenVPN implementation (submodule)
├── tor-android/           # Tor integration (submodule)
├── bitmask-core-android/  # Core library (submodule)
└── lib-bitmask-core-*/    # Architecture-specific VPN libs

Submodules

The project relies on three critical submodules:

1. ics-openvpn: OpenVPN implementation for Android

   • Repository: https://leap.se/git/ics_openvpn.git
   • Maintained by: Schwabe

2. tor-android: Tor integration library

   • Repository: https://0xacab.org/leap/android_libs/tor-android.git
   • Maintained by: LEAP

3. bitmask-core-android: Core VPN functionality

   • Repository: https://0xacab.org/leap/android_libs/bitmask-core-android.git
   • Maintained by: LEAP

All submodules are open-source and maintained by known, reputable organizations in the privacy community.

4. Permission Analysis: What They Ask For

Android permissions can be a goldmine for privacy auditors. Many apps request far more permissions than they need, providing subtle hints about their true intentions.

AndroidManifest.xml Permission Review

Services and Receivers

The app declares the following services:

Boot Receiver

Verdict on Permissions

All permissions are necessary and justified for VPN functionality. There are no suspicious permission requests, no access to contacts, SMS, call logs, or location services. The permission set is minimal and focused entirely on what’s required for a VPN application.

5. Network Endpoint Discovery: Where Does It Really Connect?

One of the most critical aspects of any privacy-focused application is understanding exactly where it sends data. We conducted an exhaustive search of the codebase to identify every network connection.

External Connections Identified

Primary VPN Operations

DNS-over-HTTPS (DoH)

The DNS-over-HTTPS implementation is particularly noteworthy. The app uses a cascading fallback system, attempting Njalla first, then Quad9, then Cloudflare. This is excellent privacy practice as it prevents any single DNS provider from seeing all your DNS queries.

Tor/Snowflake (Censorship Circumvention)

The Tor integration is optional and used only for circumventing censorship in restrictive regions. When enabled, all communication with the VPN provider goes through Tor, preventing your ISP from knowing you’re even using a VPN.

App Updates

The update mechanism includes PGP signature verification, which is excellent security practice. The app verifies the signature before installing any update.

Network Connection Diagram

User Device
     │
     ├──► Provider API (HTTPS/443)
     │       └── Downloads: provider def, gateways, certs
     │
     ├──► DoH (if enabled)
     │       └── dns.njal.la / quad9 / cloudflare
     │
     └──► VPN Tunnel (OpenVPN)
             └── All traffic through tunnel

Verdict on Network Connections

All connections are expected and justified. There are no hidden connections to analytics servers, no mysterious third-party endpoints, and no suspicious IP addresses. The app connects only to:

1. Your chosen VPN provider
2. Privacy-respecting DoH services
3. Tor Project infrastructure (optional)
4. Official Bitmask update servers

6. Data Collection Audit: What’s Being Tracked?

This is where many “privacy” apps fall apart. Let’s see how Bitmask handles your data.

Data Stored Locally (Encrypted)

The app uses Android’s EncryptedSharedPreferences with AES-256-GCM encryption - the current gold standard for Android encryption. This is impressive; many apps still use weak encryption or plain text storage.

Data Sent to External Servers

Device Identifiers - THE BIG ONE

We searched extensively for any collection of device identifiers. Here’s what we found:

Zero device fingerprinting. Zero tracking identifiers. This is remarkable.

Third-Party Data Sharing

Verdict on Data Collection

This is a data minimization masterpiece. The app follows the principle of collecting only what’s absolutely necessary for VPN operation. There’s no advertising SDKs, no analytics, no tracking - nothing.

7. VPN Tunnel Security Analysis

A VPN is only as good as its tunnel implementation. Let’s examine how Bitmask handles the actual VPN connection.

Traffic Routing Analysis (VpnConfigGenerator.java)

The app implements proper VPN tunnel configuration with the following security features:

Traffic Routing: - All traffic routes through VPN tunnel by default - Split tunneling supported (configurable per-app) - IPv6 firewall available - Excluded routes for VPN gateway itself

Supported Protocols: - OpenVPN (UDP/TCP) - OBFS4 (pluggable transport) - KCP (pluggable transport) - QUIC (pluggable transport) - Tor integration via Snowflake

Security Features: - Certificate validation via VpnCertificateValidator - Provider CA certificate pinning - Encrypted preferences for all secrets - No hardcoded credentials anywhere

Traffic Leak Protection

The implementation follows security best practices. There’s no evidence of traffic leaks or bypass mechanisms.

Verdict on VPN Tunnel

Secure. The tunnel implementation is solid, uses well-established protocols, and includes proper certificate validation.

8. Hidden Telemetry Detection: The Hunt for Sneaky Trackers

This is where many apps try to hide their true nature. We went hunting for any telemetry frameworks.

Telemetry Framework Search Results

Debug/Development Tools (Acceptable)

The only “tracking” found is:

• LeakCanary: Memory leak detection (only in debug builds - never ships to production)
• Debug logging: Only in DEBUG build variants

These are development-only tools that are properly gated and never shipped to end users.

Verdict on Telemetry

No production telemetry. This is a clean bill of health.

9. Code Obfuscation Analysis

Malicious apps often obfuscate their code to hide suspicious behavior. Let’s see what Bitmask does.

Obfuscation Analysis Results

The build configuration explicitly shows:

// release {
// minifyEnabled = true  // This is commented out!
// }

Code obfuscation is disabled even in release builds. This is actually excellent for a security audit - it means we can read and verify all the code.

Logging Assessment

• Standard Android logging (Log.d, Log.e)
• Debug logs only in debug builds
• No sensitive data logged
• Proper credential handling

Verdict on Code Quality

Clean, readable, auditable code. This is exactly what you want to see in a security-critical application.

10. Dependency and Supply Chain Audit

Let’s examine what libraries this app depends on - and whether any of them might be problematic.

Gradle Dependencies Analysis

Submodule Sources

All submodules are from trusted sources: - LEAP (0xacab.org) - established privacy organization - Schwabe (ics-openvpn) - well-known OpenVPN Android maintainer

Closed-Source Components

None. Everything is open-source and auditable.

Verdict on Dependencies

Low risk. All dependencies are well-established, privacy-respecting libraries with no known issues.

11. Backend Trust Model: The Elephant in the Room

Here’s where we need to have an uncomfortable conversation. The Bitmask app itself is secure - but what about the providers?

Provider Communication Security

The Real Question: Who Controls the Servers?

This is where the “trust model” comes in. With any VPN:

You ───[encrypted]──► VPN Server ───[decrypted]──► Internet
                           │
                           ▼
                    Provider Sees:
                    - Your original IP (replaced by VPN IP)
                    - Connection times
                    - Data volumes
                    - Target domains/IPs

The provider can theoretically see: - Which websites you visit (but not the content) - How much data you transfer - When you’re online - Your bandwidth patterns

The provider cannot see: - The content of encrypted connections (HTTPS) - Passwords sent over HTTPS - End-to-end encrypted communications

Verdict on Backend Trust

User-dependent. The app itself is secure, but you must trust your chosen VPN provider. This is not a flaw in Bitmask - it’s a fundamental limitation of VPN technology.

12. Privacy Claim Verification: Fact vs Fiction

Let’s go through Bitmask’s privacy policy and verify each claim.

Privacy Policy Claims vs. Reality

Anonymity Features

Verdict on Privacy Claims

All claims verified. The privacy policy is accurate and matches the implementation.

13. Deanonymization Risks: What Could Go Wrong?

Even with perfect app security, there are inherent risks in VPN technology.

Identified Risks

What Bitmask Does Well

• Tor integration for provider communication
• DoH to prevent DNS leaks
• Encrypted storage for credentials
• No persistent device identifiers
• No analytics or tracking

What You Should Be Aware Of

1. Your VPN provider sees your traffic - this is unavoidable with any VPN
2. Timing patterns can be analyzed - use Tor if this is a concern
3. Mobile carriers still know your location - cell tower triangulation works regardless of VPN

14. The Riseup Factor: What Does the Provider Actually Do?

Since Riseup is the most popular Bitmask provider, let’s examine what they claim to do with your data.

Official Riseup VPN Claims (from riseup.net)

Analysis of Riseup’s Claims

These claims are specific and detailed - which is a good sign. Vague “no logging” claims are often red flags. Riseup explicitly lists what they don’t log.

Supporting factors: - Anonymous certificates per session - 5-day log rotation - Encrypted logs - 25+ year reputation for privacy - Open-source infrastructure

Limitations (honestly acknowledged by Riseup): - Mobile carriers can still track location via cell towers - HTTPS websites can still fingerprint users - Data at rest on servers isn’t protected by VPN

Verdict on Riseup

Trustworthy, with caveats. Riseup has a long history and makes specific, verifiable claims. However, as with any VPN, 100% anonymity is not achievable.

15. Conclusions and Recommendations

Final Verdict: LOW RISK

Strengths

1. ✅ No hidden telemetry or analytics
2. ✅ No device fingerprinting
3. ✅ No data exfiltration
4. ✅ Strong encryption (AES-256-GCM)
5. ✅ VPN tunnel properly implemented
6. ✅ Fully open-source
7. ✅ Privacy claims verified
8. ✅ PGP-signed updates
9. ✅ Excellent code quality
10. ✅ DoH integration

Considerations

1. ⚠️ User must trust chosen VPN provider (standard VPN model)
2. ⚠️ Provider can log traffic (depends on provider policy)
3. ⚠️ No warrant canary (not necessarily a risk)

Recommendations

1. Use with Riseup - they have excellent privacy practices
2. Enable Tor for provider communication in restrictive regions
3. Use DoH - already enabled by default
4. Keep app updated - signature verification is automatic

TL;DR: Should You Use This VPN?

Yes.

Bitmask Android VPN is one of the few privacy-focused applications that actually delivers on its promises. It’s not privacy theater - it’s the real deal.

The app doesn’t collect your data. It doesn’t track you. It doesn’t hide anything from you. It just provides a secure tunnel to the internet through your chosen provider.

Is it perfect? No VPN is. The fundamental trust issue with VPN providers remains. But if you’re looking for a privacy-respecting VPN that doesn’t lie to you, this is it.

References

1. Bitmask Android Source Code: https://0xacab.org/leap/bitmask_android
2. Riseup VPN Security Documentation: https://support.riseup.net/help/en-us/9-vpn/66-vpn-security
3. LEAP Platform: https://leap.se
4. OpenVPN Documentation: https://community.openvpn.net/
5. Tor Project Snowflake: https://snowflake.torproject.org/

This security audit was conducted using static code analysis, network traffic mapping, and documentation review. While we found no malicious behavior, we recommend users conduct their own research and verify our findings.

Follow us for more security audits, vulnerability analyses, and privacy research.