Surfshark VPN said Tuesday it will soon release updates to its popular virtual private network app, after it was among the six popular VPNs dinged by AppEsteem researchers for unsound security design in an April report. Researchers revealed that the Surfshark app obtains an alarming amount of influence over a user’s device security by installing a risky piece of tech known as a Trusted Root Certificate Authority (CA) security certification. Surfshark said it will continue installing the certificates but has fixed other problems noted by AppEsteem.
As reported by TechRadar, if a company’s own Trusted Root CA certificate were compromised, it could undermine all of a device’s data and communication security. AppEsteem found that Surfshark’s app installs the security certificate even when a user cancels the app’s overall installation. Surfshark previously said the certificates are necessary only for the use of its IKEv2 encryption protocol option, but the company told CNET Tuesday that it plans to remove the protocol option.
“When using the Surfshark root certificate, customers put their trust only in a VPN provider and not a third-party agency that can be compromised,” the company said in and email. “We’ve been working on turning off the no longer popular IKEv2 protocol and focusing all our efforts on supporting Wireguard and OpenVPN protocols. This will eliminate the need to install the certificate.”
AppEsteem also found a number of other security and privacy concerns with the Surfshark app. Researchers found the app continued running processes in the background even after the VPN was disconnected and the app itself closed. Surfshark also left components installed on a user’s device even after the app was uninstalled. Researchers also dinged Surfshark for not providing customers enough information on how to cancel annual subscriptions, nor how customers would be notified about subscription renewal.
“As for AppEsteem’s evaluation, we’ve closely cooperated with the company in quickly fixing the highlighted issues. All of them have already been fixed, and all Windows users should soon receive an updated version of the app,” Surfshark said.