Securely download Mullvad VPN with its new loader application

Mullvad VPN "mole" logo, with dark blue "Mullvad VPN" text on white background
(Image credit: Mullvad VPN)

You can now securely download the Mullvad VPN app thanks to the newly launched Mullvad VPN loader application.

The best VPNs are known for their transparency and security, and Mullvad is championing this in its latest feature.

The loader downloads the Mullvad VPN app and automatically verifies its authenticity, so a malicious copycat or tampered installer is rejected rather than run.

The loader is fast and secure, and is available for Mullvad's Windows and Mac VPN apps. It can also be re-used to update and install the latest versions of Mullvad VPN.

Automated authentication

Mullvad has always used PGP signatures to authenticate the software it releases, but previously it has been up to the user to verify it themselves.

The new loader's automation removes this hurdle. The loader is signed with the same PGP key as all other Mullvad releases, meaning you can also verify the loader itself. Mullvad has a guide on verifying signatures.

Before now, the Mullvad VPN desktop app was only hosted by Mullvad on servers in Sweden, with GitHub as a backup. This has now been expanded and the Mullvad VPN app can be securely downloaded from one of a global network of third-party content delivery networks (CDNs).

A CDN is a geographically distributed network of servers that delivers content to users from a location near them. In its blog post, Mullvad says downloading the Mullvad VPN app from a CDN that is closer to a user "enables faster downloads than was previously possible."

Mullvad on a laptop

(Image credit: Future)

Mullvad is known for being one of the most private VPNs and we contacted the provider to ask about the privacy ramifications arising from CDN use.

Mullvad's tech lead said the loader "cryptographically verifies the integrity of the installer before launching it," so an installer that fails the check is never run.
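The verify-before-launch pattern described above, as an added example that is not Mullvad's code or file format: the loader trusts a pinned public key rather than the CDN that served the bytes. The `Metadata` fields, the Ed25519 signature scheme, the function names and the sample bytes are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Metadata is a hypothetical release record (assumption, not Mullvad's format).
type Metadata struct {
	Version string `json:"version"`
	Size    int    `json:"size"`
	SHA256  string `json:"sha256"` // lowercase hex digest of the installer
}

// SignRelease is the publisher side: commit to the installer's size and digest, then sign.
func SignRelease(priv ed25519.PrivateKey, version string, installer []byte) (raw, sig []byte) {
	sum := sha256.Sum256(installer)
	raw, _ = json.Marshal(Metadata{version, len(installer), hex.EncodeToString(sum[:])})
	return raw, ed25519.Sign(priv, raw)
}

// VerifyInstaller is the loader side. It returns nil only if the metadata is signed by
// the pinned key and the downloaded bytes match what that metadata commits to.
func VerifyInstaller(pinned ed25519.PublicKey, raw, sig, installer []byte) error {
	if !ed25519.Verify(pinned, raw, sig) { // authenticate before parsing any field
		return errors.New("metadata signature invalid")
	}
	var m Metadata
	if err := json.Unmarshal(raw, &m); err != nil {
		return fmt.Errorf("metadata malformed: %w", err)
	}
	got := sha256.Sum256(installer) // the CDN is untrusted: hash what it actually served
	if len(installer) != m.Size || hex.EncodeToString(got[:]) != m.SHA256 {
		return errors.New("installer does not match signed metadata")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair for the demo
	installer := []byte("constructed installer bytes")
	raw, sig := SignRelease(priv, "0.0.0-example", installer)
	fmt.Println("genuine:", VerifyInstaller(pub, raw, sig, installer))
	fmt.Println("tampered:", VerifyInstaller(pub, raw, sig, append(installer, 0x90)))
}
```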

According to Mullvad, "the CDN can see what IPs request the installer" and "can infer what OS that IP is running." So, unless users use a different VPN to download the installer, the CDN, a third party, will know some personal information about users.

It can't see your VPN traffic or if you've even used the VPN. But it can see you've downloaded the installer, which is a small privacy drawback.

This was acknowledged by Mullvad, who said it was "approved by the company before the project."

However, Mullvad CEO Jan Jonsson confirmed that users can still download Mullvad VPN the old way by navigating to the "Alternative installation" section of its website.

This means you're still downloading the app directly from Mullvad's Swedish server, bypassing the CDN. Doing this means you lose the automatic verification of the new loader, but won't share your IP address with a third party.

Users can still verify everything they're downloading thanks to Mullvad's PGP signatures.

Screenshot of "Alternative installation" section of Mullvad VPN's website

(Image credit: Future)

Independently audited

Mullvad described the correctness of this app as "paramount." Due to its sensitive nature and "potential attack vectors," Mullvad had the app's protocol and source code independently audited by Assured.

Assured said it was contracted to "perform an audit of a new app functionality that allows downloading of new versions of the Mullvad VPN app installer from CDN sources in a secure manner."

The group reviewed "the installer downloader application, the script generating installer releases, and the installer metadata."

Following completion of the audit, Assured said "the new downloader installer solution seems to be well thought out and implemented."

Mullvad says the loader "will be the primary way for our users to get the Mullvad VPN app going forward," and offers installation instructions for all devices.

Disclaimer

We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.

George Phillips
Staff Writer

George is a Staff Writer at Tom's Guide, covering VPN, privacy, and cybersecurity news. He is especially interested in digital rights and censorship, and its interplay with politics. Outside of work, George is passionate about music, Star Wars, and Karate.
