Skip to main content

iOS VPN apps are broken, says security researcher, and Apple has known for years

Update: Apple does appear to have introduced an (optional) fix for this as of iOS 14, but questions remain – see update at end.

A well-known security researcher says that iOS VPN apps (virtual private networks) are broken, due to a flaw that he claims Apple has known about for at least two and a half years.

This backs a previous report by ProtonVPN that a VPN vulnerability has been present on iOS devices since at least iOS 13.3.1, and that there is no 100% reliable way of ensuring that your data is being sent via the VPN …

Michael Horowitz’s actual words are a little blunter than our headline. His blog post about the issue is titled “VPNs on iOS are a scam.”

How VPNs (are supposed to) work

Normally, when you connect to a website or other server, your data is first sent to your ISP or mobile data carrier. They then forward it to the remote server. That means that your ISP can see who you are and which sites and services you are accessing.

When using public Wi-Fi hotspots, you’re also at risk from what are known as man-in-the-middle (MITM) attacks. This is when a bad actor creates a Wi-Fi hotspot that mimics a genuine one, but which routes all traffic through their system first, letting them log all of your data. This is easy to do, and can be as simple as plugging a power-brick-size device into a coffee shop power outlet.

A VPN instead sends your data in encrypted form to a secure server. Your data is protected from an ISP, carrier, or hotspot operator. All they can see is that you are using a VPN. The usual analogy is it’s like using a secret tunnel from your device to the VPN server.

Similarly, the websites and servers you are accessing don’t get access to your IP address, location, or other identifying data – your traffic appears instead to be originating from the VPN server.

Why iOS VPN apps are broken

As soon as you activate a VPN app, it should immediately close down all existing (non-secure) data connections, and then reopen them inside the secure “tunnel.” This is an absolutely standard feature of any VPN service.

The problem, says Horowitz, is that iOS doesn’t allow VPN apps to close all existing non-secure connections.

VPNs on iOS are broken. At first, they appear to work fine. The iOS device gets a new public IP address and new DNS servers. Data is sent to the VPN server. But, over time, a detailed inspection of data leaving the iOS device shows that the VPN tunnel leaks. Data leaves the iOS device outside of the VPN tunnel.

This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6.

This is a big deal because existing insecure connections can last for several minutes at a time, meaning that if you switch on your VPN in order to do something confidential, the first things you do may not be protected.

It gets worse in the case of Apple’s push notifications, as those connections can remain open for hours, not minutes.

ProtonVPN first identified this issue back in March 2020.

A member of the Proton community discovered that in iOS version 13.3.1, the operating system does not close existing connections. (The issue also persists in the latest version, 13.4.) Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel. […]

Neither Proton VPN nor any other VPN service can provide a workaround for this issue because iOS does not permit a VPN app to kill existing network connections.

Later in the year, the company added an update to say that Apple still hadn’t fixed the problem, but was providing app developers with the ability to add a manual “kill switch” feature, which would close all data connections on request. The company said it would be adding this, but then ceased updating the post in October 2020.

Horowitz’s lengthy post describes how he identified the problem as an iOS one, by using multiple devices and multiple VPN apps. He also said that when he notified Apple, the company initially engaged with him, but later went silent.

To date, roughly five weeks later, Apple has said virtually nothing to me. They have not said whether they tried to re-create the problem. They have not said whether they agree on this being a bug. They have not said anything about a fix. 

It takes so little time and effort to re-create this, and the problem is so consistent, that if they tried at all, they should have been able to re-create it. None of my business. Maybe they are hoping, that like ProtonVPN, I will just move on and drop it. Dunno.

Is there a workaround?

Proton suggested switching on Airplane Mode, then switching it off, but says it cannot guarantee this will work. Horowitz tested it and found that it used to work, back on iOS 12.5.5, but does not do so in iOS 15.

I would expect that rebooting the phone would work, but Horowitz doesn’t appear to have specifically tested this.

He instead says that for now the only option is to connect to a secure router, with built-in VPN – but this doesn’t help with mobile connections, which is when you’re most likely to need a VPN.

We’ve reached out to Apple, and will update with any response.

Update

It appears that Apple does offer a way for VPN app developers to fix this.

var includeAllNetworks: Bool { get set }

If this value is true and the tunnel is unavailable, the system drops all network traffic. The default value is false.

This was announced in a WWDC session in 2019 (video).

However, for some reason it is off by default. It’s unclear why this would be, and why it seemingly hasn’t been implemented by any of the VPN apps tested.

Photo: Petter Lagson/Unsplash

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications