
iPhone VPN app security debate continues, as Apple says it’s fixed, VPN companies say not [U]

Update: AmpliFi, which offers routers with built-in VPN capabilities, backs Proton’s position that the fix doesn’t reliably work – see below.

A debate about whether iPhone VPN app security is flawed continues today, with Apple insisting it has offered a fix since 2019, while ProtonVPN says that it’s only a partial solution.

The controversy began when a well-known security researcher said that iOS virtual private network (VPN) apps are broken, due to a flaw that he claims Apple has known about for at least two and a half years. This backed a previous report by ProtonVPN …

If you’re not familiar with how VPNs work, please check out the brief primer in yesterday’s post.

iPhone VPN app security issue

As soon as you activate a VPN app, it should immediately close all existing (unprotected) data connections and reopen them inside the encrypted “tunnel,” so that no traffic keeps flowing directly over the underlying network interface. This is a standard feature of any VPN service.

But security researcher Michael Horowitz did some testing, and found that not all existing connections were closed when a VPN app is activated. That means that some data continues to be sent over an unsecured link. This was true of multiple iOS VPN apps on multiple devices.

In some cases, those insecure connections can persist for a few minutes. This is already a big deal because some people activate their VPN immediately before doing something sensitive, but Horowitz found that some connections can remain up for hours. This includes Apple’s own push notifications.

His tests backed up a 2020 complaint by ProtonVPN. They discovered the problem in iOS 13.3.1, and say that the flaw remains in place today.

Proton notified Apple, but says that it failed to take any action.

Apple says it has offered a fix since 2019

Apple announced what appeared to be a way for VPN app developers to solve the problem in a WWDC session in 2019 (video).

var includeAllNetworks: Bool { get set }

If this value is true and the tunnel is unavailable, the system drops all network traffic. The default value is false.

However, the flag is off by default, so a VPN app must explicitly opt in. It’s unclear why Apple chose that default, and why none of the VPN apps tested seem to have enabled it.
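To make the opt-in concrete, here is an added example (not code from Apple, Proton, or any VPN vendor) of how a packet-tunnel VPN app would turn the flag on through Apple’s NetworkExtension framework. The `KillSwitchConfig` type, the bundle identifier `com.example.vpnapp.PacketTunnel`, the server `vpn.example.com`, and the “Example VPN” display name are placeholders; `NETunnelProviderManager`, `NETunnelProviderProtocol`, `includeAllNetworks`, and the `NEVPNStatusDidChange` notification are real NetworkExtension APIs. The availability guard uses the OS versions I understand Apple’s documentation to list for the property (iOS 14, macOS 10.15); check the current documentation before relying on it.

```swift
import Foundation
import NetworkExtension

/// Added example (not code from Apple, Proton or any VPN vendor): opt a
/// packet-tunnel VPN profile into `includeAllNetworks` so that the system
/// drops traffic, rather than sending it outside the tunnel, whenever the
/// tunnel is not up. Identifiers marked "hypothetical" are placeholders.
enum KillSwitchConfig {

    /// Hypothetical bundle ID of the app's NEPacketTunnelProvider extension.
    static let providerBundleID = "com.example.vpnapp.PacketTunnel"
    /// Hypothetical VPN server; the real value comes from the app's config.
    static let serverAddress = "vpn.example.com"

    /// Loads the app's existing tunnel profile (or creates one), sets the
    /// kill-switch flag and saves it. `completion` receives nil on success.
    static func apply(completion: @escaping (Error?) -> Void) {
        NETunnelProviderManager.loadAllFromPreferences { managers, loadError in
            if let loadError = loadError {
                completion(loadError)
                return
            }
            let manager = managers?.first ?? NETunnelProviderManager()

            // Reuse the saved protocol configuration when there is one so that
            // other settings survive; otherwise start from a fresh one.
            let proto = (manager.protocolConfiguration as? NETunnelProviderProtocol)
                ?? NETunnelProviderProtocol()
            proto.providerBundleIdentifier = providerBundleID
            proto.serverAddress = serverAddress

            // The flag defaults to false, i.e. traffic the tunnel cannot carry
            // is allowed out in the clear. Turning it on tells the system to
            // drop that traffic instead.
            if #available(iOS 14.0, macOS 10.15, *) {
                proto.includeAllNetworks = true
            } else {
                completion(NSError(domain: "KillSwitchConfig", code: 1,
                                   userInfo: [NSLocalizedDescriptionKey:
                                              "includeAllNetworks is not available on this OS"]))
                return
            }

            manager.protocolConfiguration = proto
            manager.localizedDescription = "Example VPN" // hypothetical display name
            manager.isEnabled = true
            manager.saveToPreferences(completionHandler: completion)
        }
    }

    /// Reports tunnel state changes so the UI only claims "protected" when the
    /// tunnel is actually connected; in any other state, traffic is either
    /// being dropped (flag on) or leaving the device in the clear (flag off).
    static func observeStatus(of manager: NETunnelProviderManager,
                              onChange: @escaping (String) -> Void) -> NSObjectProtocol {
        return NotificationCenter.default.addObserver(
            forName: .NEVPNStatusDidChange,
            object: manager.connection,
            queue: .main
        ) { _ in
            switch manager.connection.status {
            case .connected:
                onChange("tunnel up: traffic is inside the tunnel")
            case .connecting, .reasserting:
                onChange("tunnel not up yet: includeAllNetworks decides drop vs. leak")
            case .disconnected, .disconnecting, .invalid:
                onChange("tunnel down: includeAllNetworks decides drop vs. leak")
            @unknown default:
                onChange("unknown tunnel status")
            }
        }
    }
}
```

Setting the flag only changes what the system does with traffic the tunnel cannot carry; it does not by itself prove that every pre-existing connection was torn down. Proton’s complaint is that some connections to Apple services survive even with the flag on, so the sensible check is the one Horowitz used: capture the phone’s traffic on the router side after activating the VPN and confirm that nothing leaves the device except flows to the VPN server.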

Proton says it is only a partial fix

Proton told me that it was aware of the claimed fix, and had tested it at the time. However, the company found that it was only partially effective. Insecure connections to some Apple services remain in place after a VPN is activated.

Proton founder and CEO Andy Yen said that they made the decision to make the flaw public after Apple told them it would not be offering a full fix.

“The fact that this is still an issue is disappointing to say the least. We first notified Apple privately of this issue two years ago. Apple declined to fix the issue, which is why we disclosed the vulnerability to protect the public. Millions of people’s security is in Apple’s hands, they are the only ones who can fix the issue, but given the lack of action for the past two years, we are not very optimistic Apple will do the right thing.”

AmpliFi says Apple’s fix is unstable

AmpliFi responded to a customer query by saying that it had tested the fix and found that it caused reliability problems.

Confusion remains

Horowitz additionally pointed out that even iOS doesn’t seem to know whether or not a VPN service is active.

We’ve again reached out to Apple for a response to the latest episode in the iPhone VPN app security issue.


Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
