VPNs for iOS Are Broken and Apple Knows It, Says Security Researcher

Third-party VPNs made for iPhones and iPads routinely fail to route all network traffic through a secure tunnel after they have been turned on, something Apple has known about for years, a longtime security researcher has claimed (via ArsTechnica).

Writing in a continually updated blog post, Michael Horowitz says that after testing multiple types of virtual private network (VPN) software on iOS devices, most appear to work fine at first, issuing the device a new public IP address and new DNS servers, and sending data to the VPN server. However, over time the VPN tunnel leaks data.

Typically, when a user connects to a VPN, the operating system closes all existing internet connections and then re-establishes them through the VPN tunnel. That is not what Horowitz has observed in his advanced router logging. Instead, sessions and connections established before the VPN is turned on are not terminated as one would expect, and can still send data outside the VPN tunnel while it is active, leaving it potentially unencrypted and exposed to ISPs and other parties.
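One way to look for this behaviour in router flow logs is sketched below. It is an added example, not Horowitz's tooling or code from the article: it flags traffic from a device that bypasses the VPN endpoint after the tunnel is up, and separates sessions that predate the tunnel from new ones. The log format, the IP addresses (constructed sample data) and the name `find_leaks` are assumptions.

```python
from collections import namedtuple
from datetime import datetime

# Constructed sample in an assumed format:
# "<ISO time> <src_ip>:<sport> -> <dst_ip>:<dport> <proto> <bytes>"
SAMPLE_LOG = """\
2022-08-01T10:00:05 192.168.1.50:51000 -> 198.51.100.7:443 tcp 1200
2022-08-01T10:00:09 192.168.1.50:51001 -> 198.51.100.9:5223 tcp 300
2022-08-01T10:01:00 192.168.1.50:60000 -> 203.0.113.10:51820 udp 148
2022-08-01T10:01:02 192.168.1.50:60000 -> 203.0.113.10:51820 udp 900
2022-08-01T10:01:30 192.168.1.50:51001 -> 198.51.100.9:5223 tcp 420
2022-08-01T10:02:10 192.168.1.50:51002 -> 198.51.100.20:443 tcp 2048
2022-08-01T10:02:11 192.168.1.77:40000 -> 198.51.100.7:443 tcp 512
"""

Leak = namedtuple("Leak", "dst kind bytes")


def find_leaks(log_text, device_ip, vpn_endpoint, vpn_up):
    """Return flows from device_ip that bypass vpn_endpoint after vpn_up."""
    first_seen = {}  # flow key -> time of its first logged packet
    leaked = {}      # flow key -> bytes sent outside the tunnel after vpn_up
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2] != "->":
            continue  # skip lines that do not match the assumed format
        ts = datetime.fromisoformat(parts[0])
        src, dst, proto, size = parts[1], parts[3], parts[4], int(parts[5])
        if src.rsplit(":", 1)[0] != device_ip:
            continue  # only the device under test
        key = (src, dst, proto)
        first_seen.setdefault(key, ts)
        # Once the tunnel is up, everything should go to the VPN endpoint.
        if ts >= vpn_up and dst != vpn_endpoint:
            leaked[key] = leaked.get(key, 0) + size
    return [
        Leak(key[1], "pre-existing" if first_seen[key] < vpn_up else "new", n)
        for key, n in sorted(leaked.items())
    ]


if __name__ == "__main__":
    up = datetime(2022, 8, 1, 10, 1, 0)  # time the tunnel came up (assumed)
    for leak in find_leaks(SAMPLE_LOG, "192.168.1.50", "203.0.113.10:51820", up):
        print(leak)
```

A "pre-existing" result corresponds to the case described above: a session opened before the VPN was enabled that keeps sending data outside the tunnel.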

"Data leaves the iOS device outside of the VPN tunnel," Horowitz writes. "This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6."

Horowitz claims that his findings are backed up by a similar report issued in March 2020 by privacy company Proton, which said an iOS VPN bypass vulnerability had been identified in iOS 13.3.1 and persisted through three subsequent updates to iOS 13.

According to Proton, Apple indicated it would add Kill Switch functionality to a future software update that would allow developers to block all existing connections if a VPN tunnel is lost.

However, the added functionality does not appear to have affected the results of Horowitz's tests, which were performed in May 2022 on iPadOS 15.4.1 using Proton's VPN client, and the researcher says any suggestions that it would prevent the data leaks are "off base."

Horowitz has recently continued his tests with iOS 15.6 installed and OpenVPN running the WireGuard protocol, but his iPad continues to make requests outside of the encrypted tunnel to both Apple services and Amazon Web Services.

As noted by ArsTechnica, Proton suggests a workaround to the problem that involves activating the VPN and then turning Airplane mode on and off to force all network traffic to be re-established through the VPN tunnel.

However, Proton admits that this is not guaranteed to work, while Horowitz claims Airplane mode is not reliable in itself, and should not be relied on as a solution to the problem. We've reached out to Apple for comment on the research and will update this post if we hear back.


Top Rated Comments

xxray
28 months ago
I remember this getting reported on a couple years ago, and never getting an update. I just assumed it had been fixed.

I’m so glad my privacy has been compromised for the last 2.5 years and still is being compromised while Apple knows about it and does nothing about it.
Score: 64 Votes
antiprotest
28 months ago
While other companies screw you on the cloud, Apple screws you "on device."
Score: 44 Votes
BootsWalking
28 months ago
This may seem like a benign annoyance but some people rely on VPNs for very important situations, like reporters who need it to protect their sources or themselves.
Score: 44 Votes
arkitect
28 months ago
Ah, well that probably explains why on my last trip to *cough* a country that shall remain unnamed, but where the Fruit company has many things manufactured *cough* my VPN went tits up and I was unable to use my favourite search engine.

FFS Apple!
Score: 31 Votes
VulchR
28 months ago
Nice to know Apple was faffing about with CSAM stuff while this vulnerability just sat there. Perhaps Apple should refund those of us who pay for VPN services? I live in the UK, where pretty much everybody, at every level of government, can gain access to your browsing history unless you use a VPN.
Score: 29 Votes
JM
28 months ago
Come on, y’all. Little ol’ Apple is doing the best they can. Bless their heart.
Score: 24 Votes