Anyone else find it strange that NordVPN app is redirecting logins to their website?

For the longest time, users of services like SpiderOak, Signal, Protonmail etc. have been talking about how, if Protonmail etc. added a desktop client, it would be more secure than using a browser, because a desktop client (especially if open sourced) is code that end users can compile themselves, and it cannot easily be altered by Protonmail on the fly if it wanted to target, or was compelled by a government to backdoor, a particular individual… Likewise, signing in using the web browser, especially without even a browser extension, is, all else being equal, comparatively much less secure…

Well, I noticed recently that the NordVPN app (from the APK directly on Nord’s website itself) made a new update where, if you sign in, it won’t sign you in directly from the app anymore; it redirects you to their website/webpage in a browser to sign in, and once you’ve entered the correct username and password it sends you back to the app… This is a bit concerning, because now they can much more easily and arbitrarily target or compromise/backdoor selected individuals, perhaps at the request of governments, whereas before they had to backdoor the app itself (which means it ran a higher risk of getting caught, and likely they wouldn’t be able to open source it for audit or provide deterministic builds etc.). Now their app abruptly stopped working unless you update to the newest version, and the newest update forces you to re-login again, and during this re-login process, instead of authenticating within the app, it redirects you to the outside/external browser to visit their website to log in instead!

This, coupled with the fact that they also recently made important updates to their terms of use, which now include language stating, in relevant part(s), that: “Information collected on our website – Access logs. As most websites on the internet, our website collects access logs (such as IP address, browser type, operating system) to operate our services and ensure their secure, reliable, and robust performance. This information is also essential for fighting against DDoS attacks, scanning and similar hacking attempts.”

So a supposedly “NoLog” VPN that requires logins to the VPN service itself to be redirected to their website, which now has a new policy of logging website access that includes not only the IP address but also the operating system, browser type and other information… seems like a loophole to me!

https://web.archive.org/web/20201030162726/https://www.reddit.com/r/nordvpn/comments/jkzxue/anyone_else_find_it_strange_that_nordvpn_app_is/

Worse, there’s a redirect before the Nord website through the domain auth.zwyr157wwiu6eior.com, which is going to confuse people into thinking something malicious is happening. You need to watch the embedded browser URL to catch it quickly when you click to log in.
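One way to review the redirect chain of a browser-based login without trying to read the address bar as the hops fly past, added here as an example and not part of the original post or of NordVPN’s software. The login flow it walks is a constructed local stand-in: the routes, the query parameters and the hostnames (127.0.0.1 and localhost play the roles of the app page, the intermediate auth domain and the callback) are all assumptions for the demo. Pointing follow_redirects at a real login URL over HTTPS works the same way, with the caveat that it only sees HTTP 3xx redirects, not redirects done in JavaScript or via meta refresh.

```python
"""Added example: enumerate every hop of a browser-based login redirect chain
and flag hosts outside an allowlist, instead of trying to read the address bar
while the redirects fly past. The demo server, its routes and all hostnames
are constructed for this example and are not NordVPN's real infrastructure."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def follow_redirects(url, max_hops=10, timeout=5):
    """Walk a redirect chain one hop at a time.

    Returns a list of (host, path, status, location) tuples, one per hop,
    so every intermediate domain is visible. urllib would follow the
    redirects silently, which is exactly what we do not want here.
    """
    hops = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                    else http.client.HTTPConnection)
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path, headers={"User-Agent": "redirect-audit/0.1"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection can be closed cleanly
        location = resp.getheader("Location")
        conn.close()
        hops.append((parts.hostname, path, resp.status, location))
        if resp.status not in REDIRECT_CODES or not location:
            return hops
        url = urljoin(url, location)  # Location may be relative
    raise RuntimeError(f"more than {max_hops} redirects starting at {url}")


def unexpected_hosts(hops, allowed_hosts):
    """Hosts in the chain that are neither in the allowlist nor a subdomain of it."""
    flagged = []
    for host, _path, _status, _location in hops:
        ok = any(host == a or host.endswith("." + a) for a in allowed_hosts)
        if not ok and host not in flagged:
            flagged.append(host)
    return flagged


class _DemoAuthHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a login flow: app page -> auth broker -> callback.

    The hop via 'localhost' plays the role of the unfamiliar intermediate
    domain described in the post; both names are local here."""

    def do_GET(self):
        port = self.server.server_port
        routes = {
            "/login": (302, f"http://localhost:{port}/auth?state=abc123"),
            "/auth": (302, f"http://127.0.0.1:{port}/callback?code=xyz789"),
            "/callback": (200, None),
        }
        status, location = routes.get(self.path.split("?")[0], (404, None))
        body = b"signed in\n" if status == 200 else b""
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_args):  # keep the demo output quiet
        pass


def demo():
    """Run the constructed login flow on a random local port and return its hops."""
    server = HTTPServer(("", 0), _DemoAuthHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return follow_redirects(f"http://127.0.0.1:{server.server_port}/login")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    chain = demo()
    for host, path, status, location in chain:
        print(f"{status} {host}{path} -> {location or '(final page)'}")
    print("outside allowlist:", unexpected_hosts(chain, {"127.0.0.1"}))
```

Running the demo prints one line per hop, so the intermediate host shows up in the chain even though the browser would only display it for a fraction of a second; the allowlist check then names any host that is not the vendor's own domain or one of its subdomains. Against a real service, the allowlist would be the vendor's known domains, and anything flagged is what the post suggests watching the address bar for.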