VPNs for iOS Are Broken and Apple Knows It, Says Security Researcher

Third-party VPNs made for iPhones and iPads routinely fail to route all network traffic through a secure tunnel after they have been turned on, something Apple has known about for years, a longtime security researcher has claimed (via ArsTechnica).

settings
Writing on a continually updated blog post, Michael Horowitz says that after testing multiple types of virtual private network (VPN) software on iOS devices, most appear to work fine at first, issuing the device a new public IP address and new DNS servers, and sending data to the VPN server. However, over time the VPN tunnel leaks data.

Typically, when a users connects to a VPN, the operating system closes all existing internet connections and then re-establishes them through the VPN tunnel. That is not what Horowitz has observed in his advanced router logging. Instead, sessions and connections established before the VPN is turned on are not terminated as one would expect, and can still send data outside the VPN tunnel while it is active, leaving it potentially unencrypted and exposed to ISPs and other parties.

"Data leaves the iOS device outside of the VPN tunnel," Horowitz writes. "This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6."

Horowitz claims that his findings are backed up by a similar report issued in March 2020 by privacy company Proton, which said an iOS VPN bypass vulnerability had been identified in iOS 13.3.1 which persisted through three subsequent updates to iOS 13.

According to Proton, Apple indicated it would add Kill Switch functionality to a future software update that would allow developers to block all existing connections if a VPN tunnel is lost.

However, the added functionality does not appear to have affected the results of Horowitz's tests, which were performed in May 2022 on an iPadOS 15.4.1 using Proton's VPN client, and the researcher says any suggestions that it would prevent the data leaks are "off base."

Horowitz has recently continued his tests with iOS 15.6 installed and OpenVPN running the WireGuard protocol, but his iPad continues to make requests outside of the encrypted tunnel to both Apple services and Amazon Web Services.

As noted by ArsTechnica, Proton suggests a workaround to the problem that involves activating the VPN and then turning Airplane mode on and off to force all network traffic to be re-established through the VPN tunnel.

However, Proton admits that this is not guaranteed to work, while Horowitz claims Airplane mode is not reliable in itself, and should not be relied on as a solution to the problem. We've reached out to Apple for comment on the research and will update this post if we hear back.

Top Rated Comments

xxray Avatar
8 months ago
I remember this getting reported on a couple years ago, and never getting an update. I just assumed it had been fixed.

I’m so glad my privacy has been compromised for the last 2.5 years and still is being compromised while Apple knows about it and does nothing about it.
Score: 64 Votes (Like | Disagree)
antiprotest Avatar
8 months ago
While other companies screw you on the cloud, Apple screws you "on device."
Score: 44 Votes (Like | Disagree)
BootsWalking Avatar
8 months ago
This may seem like a benign annoyance but some people rely on VPNs for very important situations, like reporters who need it to protect their sources or themselves.
Score: 44 Votes (Like | Disagree)
arkitect Avatar
8 months ago
Ah, well that probably explains why on my last trip to *cough* a country that shall remain unnamed, but where the Fruit company has many things manufactured *cough* my VPN went tits up and I was unable to use my favourite search engine.

FFS Apple!
Score: 31 Votes (Like | Disagree)
VulchR Avatar
8 months ago
Nice to know Apple was faffing about with CSAM stuff while this vulnerability just sat there. Perhaps Apple should refund those of us who pay for VPN services? I live in the UK, where pretty much everybody, at every level of government, can gain access to your browsing history unless you use a VPN.
Score: 29 Votes (Like | Disagree)
JM Avatar
8 months ago
Come on, y’all. Little ol’ Apple is doing the best they can. Bless their heart.
Score: 24 Votes (Like | Disagree)

Popular Stories

dynamic island

iPhone 15 Dynamic Island to Include New Integrated Proximity Sensor

Friday March 24, 2023 12:27 am PDT by
This year, all iPhone 15 models will include Apple's Dynamic Island that unifies the pill and hole cutouts at the top of the display, but there will also be a material change to the feature that wasn't included in the iPhone 14 Pro models. According to a new tweet by Apple industry analyst Ming-Chi Kuo, the proximity sensor on the iPhone 15 series will be integrated inside the Dynamic Island ...
apple park at night 1

Apple 'Tracking Employee Attendance' in Crackdown on Remote Working

Thursday March 23, 2023 3:41 am PDT by
Apple is tracking the attendance of its employees at offices using badge records in order to ensure they are coming in at least three times a week, according to Platformer's Zoë Schiffer. Since April 2022, Apple employees have been operating on a hybrid home/office work policy as part of a gradual return strategy following the pandemic, with staff required to work from the office at least...
iphone 14 pro max deep purple feature purple

iPhone 15 Pro Rumor Recap: 10 New Features and Changes to Expect

Thursday March 23, 2023 6:42 am PDT by
While the iPhone 15 series is still around six months away from launching, there have already been plenty of rumors about the devices. Many new features and changes have been rumored for the iPhone 15 Pro and iPhone 15 Pro Max in particular. Below, we have recapped 10 changes rumored for iPhone 15 Pro models that are not expected to be available on the standard iPhone 15 and iPhone 15 Plus:A1...
maxresdefault

Nothing Launches $149 Ear (2) Wireless Earbuds to Compete With AirPods Pro 2

Wednesday March 22, 2023 9:48 am PDT by
Nothing today announced the launch of its second-generation wireless earbuds, the Nothing Ear (2), which offer many of the same features as Apple's AirPods Pro 2 at a lower price point. We went hands-on with the Ear (2) earbuds to see whether they're a viable alternative to the AirPods Pro 2 for those who want to save some cash. The Ear (2) earbuds are the successor to the Nothing Ear (1),...
TMobile Sprint

Apple Stops Allowing Sprint iPhone Activations, Removes Sprint References From Online Store

Thursday March 23, 2023 12:06 pm PDT by
Apple is no longer allowing customers who purchase an iPhone, cellular iPad, or Apple Watch to activate a device with now-defunct mobile carrier Sprint. Apple has also removed remaining references to Sprint from its online store. When checking out with a new purchase, Sprint is no longer an option for connectivity, a change that Apple appears to have implemented today. Prior to now, Sprint...
iOS 16

iOS 16.4 for iPhone Nearing Launch With These 5 New Features

Monday March 20, 2023 11:50 am PDT by
Apple says iOS 16.4 is coming in the spring, which began this week. In his Sunday newsletter, Bloomberg's Mark Gurman said the update should be released "in the next three weeks or so," meaning a public release is likely in late March or early April. iOS 16.4 remains in beta testing and introduces a handful of new features and changes for the iPhone. Below, we have recapped five new features ...
Hero0009

Best Apple Deals of the Week: Samsung's Smart Monitor M8 Gets Massive $250 Discount, Along With Year's Best AirPods Prices

Friday March 24, 2023 10:23 am PDT by
We saw a lot of great deals on Apple products and related accessories this week, including Samsung's iMac-like Smart Monitor M8 for $250 off, a 30 percent off spring sale at Anker, and the year's best prices on numerous AirPods models. All of these deals are still available to purchase right now, so we're recapping them and more below. Note: MacRumors is an affiliate partner with some of these ...
top stories 25mar2023

Top Stories: iPhone 15 Pro Design Leak, iOS 16.4 Coming Soon, and More

Saturday March 25, 2023 6:00 am PDT by
We're still almost six months away from the official unveiling of the iPhone 15 lineup, but it seems like every day we're learning more about what to expect from the next-generation models. Notably, this week gave us our clearest look yet at what appear to be some changes for the volume and mute control hardware. iOS 16.4 and associated releases are also right around the corner with some new ...