Researchers Say VPNs on iOS Still Don’t Work Properly
Several years ago, engineers from Proton Technologies—the company behind ProtonMail and ProtonVPN—reported a bug in iOS 13.3.1 that prevented VPN apps from encrypting all traffic. According to cybersecurity experts, this issue still hasn’t been fixed.
Background: The VPN Bug in iOS
In 2020, Proton Technologies explained that when a VPN is enabled, the operating system should close all existing internet connections and re-establish them through the VPN tunnel to protect user privacy and data. However, iOS fails to close existing connections for some reason, leaving some traffic unprotected. While new internet connections are routed through the VPN tunnel, connections that were already active when the user connected to the VPN server remain outside the tunnel.
Although unprotected connections are becoming less common, the main problem is that the user’s IP address and the server’s IP address remain exposed. This means the server can see the user’s real IP address instead of the VPN server’s IP.
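As an added illustration (not code from the article, Proton or Horowitz), the check below runs over a constructed packet log, as a router on the device's Wi-Fi side would record it, and flags flows from the device's real address that bypass the VPN server after the tunnel came up, separating connections that predate the VPN (the behaviour Proton described) from new ones. All addresses, ports and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: addresses and timestamps are made up for illustration.
DEVICE_IP = "192.0.2.10"        # the phone's own address on the Wi-Fi network
VPN_SERVER_IP = "198.51.100.5"  # the VPN server; packets to it are the tunnel
VPN_UP = datetime(2022, 8, 1, 12, 0, 0)  # when the VPN app connected

# One line per packet: "<ISO time> <src ip>:<port> -> <dst ip>:<port>"
SAMPLE_LOG = """\
2022-08-01T11:58:30 192.0.2.10:50123 -> 203.0.113.7:443
2022-08-01T11:59:10 192.0.2.10:50124 -> 203.0.113.9:5223
2022-08-01T12:00:05 192.0.2.10:51000 -> 198.51.100.5:51820
2022-08-01T12:03:10 192.0.2.10:50123 -> 203.0.113.7:443
2022-08-01T12:04:00 192.0.2.10:51000 -> 198.51.100.5:51820
2022-08-01T12:05:00 192.0.2.10:50200 -> 203.0.113.53:53
2022-08-01T12:31:00 192.0.2.10:50124 -> 203.0.113.9:5223
"""

def parse(log):
    """Group packets leaving the device into flows keyed by (sport, dst ip, dport)."""
    flows = defaultdict(list)  # key -> list of timestamps seen
    for line in log.splitlines():
        ts, src, _arrow, dst = line.split()
        src_ip, sport = src.rsplit(":", 1)
        if src_ip != DEVICE_IP:
            continue  # only traffic leaving the device matters here
        dst_ip, dport = dst.rsplit(":", 1)
        flows[(sport, dst_ip, dport)].append(datetime.fromisoformat(ts))
    return flows

def find_leaks(log, vpn_up=VPN_UP):
    """Return {flow: (verdict, seconds seen outside tunnel after vpn_up)}."""
    leaks = {}
    for (sport, dst_ip, dport), times in parse(log).items():
        if dst_ip == VPN_SERVER_IP:
            continue                      # encapsulated tunnel traffic: fine
        first, last = min(times), max(times)
        if last < vpn_up:
            continue                      # finished before the VPN came up
        if first < vpn_up:
            # The bug Proton described: a connection opened before the VPN
            # was enabled is never torn down and keeps bypassing the tunnel.
            verdict = "pre-VPN connection still open outside tunnel"
        else:
            # A brand-new connection that should have gone through the tunnel.
            verdict = "new connection outside tunnel"
        leaks[f"{sport}->{dst_ip}:{dport}"] = (verdict, int((last - vpn_up).total_seconds()))
    return leaks
```

Running `find_leaks(SAMPLE_LOG)` reports three flows: two that were open before the VPN and are still carrying packets minutes later, and one fresh DNS query that never entered the tunnel.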
Ongoing Issue and Lack of Fixes
As reported by The Register, Proton Technologies researchers have been waiting for a patch for a long time. They periodically updated their report to note that no fix had been released, even though Apple was aware of the problem. Until recently, the last update was dated October 19, 2020, stating that the vulnerability still hadn’t been fully resolved in iOS 13.4, 13.5, 13.6, 13.7, and 14.
Earlier this year, cybersecurity researcher and developer Michael Horowitz revisited the issue and found that VPNs on iOS still don’t work correctly and can cause data leaks.
“VPNs on iOS do not work,” Horowitz wrote in early August in a post titled “VPNs on iOS are a scam.” “At first, they seem to work fine. The iOS device gets a new public IP address and new DNS servers. Data is sent to the VPN server. But over time, a detailed inspection of data leaving the device shows that the VPN tunnel is ‘leaking.’ Data leaves the iOS device outside the VPN tunnel. This is not a typical DNS leak; it’s a data leak.”
Horowitz said that in May 2022, he emailed Apple about the leak. By July, after exchanging several emails with the company, he reported no progress:
“To this day, about five weeks later, Apple has told me almost nothing. They haven’t said whether they tried to reproduce the issue. They haven’t said whether they agree it’s a vulnerability. They haven’t said anything about a fix.”
Apple’s Response and Remaining Issues
On August 18, 2022, Proton Technologies experts updated their old report again. They noted that the “kill switch” feature Apple introduced for developers with iOS 14 does block additional network traffic, but “some DNS requests from Apple services may still be sent outside the VPN connection.”
They added:
“This is similar to the situation we reported two years ago. Most connections are short-lived and eventually re-establish themselves through the VPN tunnel. However, some last longer and can remain open outside the tunnel for several minutes to several hours.
We have repeatedly raised this issue with Apple. Unfortunately, fixing the problem is quite challenging. Apple has stated that this behavior is ‘expected,’ and that ‘Always On VPN is only available on devices managed via MDM.’ We urge Apple to make fully secure internet access available to everyone, not just those connected to a proprietary remote device management framework designed for enterprises.”