A flaw in Apple’s iOS, present since at least version 13.3.1, is making VPN apps ineffective on iPhones. Security researcher Michael Horowitz describes the issue as a leak in the VPN tunnel: iOS doesn’t allow VPN apps to close down all unsecured connections, so there’s no reliable way to guarantee that your data is actually being sent through the VPN tunnel you’re using.
Horowitz claims that Apple has known about this since at least March 2020, when ProtonVPN disclosed the vulnerability to Apple. Since then, the bug has continued to exist despite multiple updates to iOS and is still active in iOS 15.6.
VPNs are supposed to work by sending all your data in encrypted form to a secure server, with any existing connections closed and reopened inside the secure VPN tunnel. This protects your data from your ISP, carrier or hotspot operator, depending on how you connect to the internet.
What happens on iOS instead is that the operating system doesn’t allow VPN apps to close all existing non-secure data connections and reopen them inside a secure VPN tunnel. The VPN might appear to work fine, with your device getting a new IP address and DNS server and data traffic flowing through the VPN server.
Horowitz confirmed that this isn’t a usual DNS leak, as your data might leave your iOS device outside of the VPN tunnel itself. Worse, the leaks can persist for minutes or, in the case of Apple’s push notifications, sometimes even hours on end.
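A router-side check for the behaviour described above, as an added example that is not from the article or from Horowitz's or ProtonVPN's testing: it flags flows from a device that reach any destination other than the VPN server after the tunnel came up, and reports how long each one persisted. The log format, addresses, ports and function names are constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime
from ipaddress import ip_address

# Constructed router flow log (not from the article): time, source, destination, port, protocol.
# Assumption: the router logs only internet-bound flows, so LAN-local traffic never appears.
SAMPLE_LOG = """\
2022-08-01T10:00:05 192.168.1.50 192.0.2.10 5223 tcp
2022-08-01T10:01:00 192.168.1.50 203.0.113.7 51820 udp
2022-08-01T10:01:30 192.168.1.50 192.0.2.10 5223 tcp
2022-08-01T10:02:10 192.168.1.50 203.0.113.7 51820 udp
2022-08-01T10:04:45 192.168.1.50 198.51.100.23 443 tcp
2022-08-01T10:05:00 192.168.1.77 198.51.100.23 443 tcp
2022-08-01T11:40:00 192.168.1.50 192.0.2.10 5223 tcp
"""

Flow = namedtuple("Flow", "ts src dst port proto")

def parse_flows(text):
    """Parse the whitespace-separated log into Flow records, validating the addresses."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, proto = line.split()
            flows.append(Flow(datetime.fromisoformat(ts), str(ip_address(src)),
                              str(ip_address(dst)), int(port), proto))
    return flows

def find_leaks(flows, device, vpn_server):
    """Return (tunnel_up, leaks): device flows that bypass the tunnel once it is up."""
    tunnel_up, leaks = None, []
    for f in sorted(flows):                 # namedtuples sort by timestamp first
        if f.src != device:
            continue
        if f.dst == vpn_server:
            tunnel_up = tunnel_up or f.ts   # first packet to the VPN endpoint
        elif tunnel_up is not None:
            leaks.append(f)                 # left the device outside the tunnel
    return tunnel_up, leaks

def leak_persistence(tunnel_up, leaks):
    """Map (destination, port) -> time between tunnel-up and the last bypassing flow."""
    return {(f.dst, f.port): f.ts - tunnel_up for f in leaks}

if __name__ == "__main__":
    up, leaks = find_leaks(parse_flows(SAMPLE_LOG), "192.168.1.50", "203.0.113.7")
    for dest, age in leak_persistence(up, leaks).items():
        print(dest, "still outside the tunnel", age, "after connect")
```

A connection that was already open before the VPN connected and keeps sending afterwards shows up here with a growing persistence value, which matches the minutes-to-hours pattern the article describes.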
VPN providers can’t do anything about the issue either, as iOS doesn’t allow VPN apps to kill existing network connections. The only workaround, as suggested by ProtonVPN, was to connect to a VPN network, then toggle airplane mode on and off to force network activity to go through the VPN tunnel you’re using. As reported by Horowitz, this workaround used to work on iOS 12.5.5, but doesn’t work on iOS 15.
Apple’s mitigation for the situation requires using the on-device always-on VPN, but that prevents users from using any third-party VPNs, as the process requires setting up a VPN in iOS’ device management settings.
For now, the only reliable way to ensure all your device data is going through a VPN is to connect to a secure router with a built-in VPN. However, that defeats the purpose of a VPN app as it won’t work with mobile connections.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.