A security researcher says Apple’s iOS devices don’t route all network traffic entirely through VPNs, as a user might expect, a potential security issue the device maker has known about for years.
Longtime computer security blogger and researcher Michael Horowitz puts it bluntly — albeit controversially — in a constantly updated blog post. “VPNs on iOS are broken,” he says.
Any third-party VPN seems to work initially, giving the device a new IP address, DNS servers, and a tunnel for new traffic, Horowitz writes. Sessions and connections established before a VPN was activated, however, are not terminated and, according to Horowitz’s findings with enhanced router logging, can still send data outside of the VPN tunnel while it is active.
In other words, you might expect a VPN client to terminate existing connections before establishing a secure connection so they can reconnect inside the tunnel. But iOS VPNs can’t seem to do that, says Horowitz, a finding supported by a similar May 2020 report.
“Data exits the iOS device outside of the VPN tunnel,” writes Horowitz. “This is not a classic/old DNS leak, it is a data leak. I have confirmed this with multiple types of VPN and software from multiple VPN providers. The latest version of iOS I tested with is 15.6.”
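The kind of router-side check described above can be sketched as follows. This is an added example, not Horowitz’s tooling or code from the article: it scans flow records for traffic from the device that goes anywhere other than the VPN server once the tunnel is up, and marks flows that already existed before the VPN started. The log format, addresses, ports and timestamps are constructed for illustration, and the router is assumed to log LAN-side (pre-NAT) source addresses and ports.

```python
import csv
import io
from datetime import datetime

# Constructed sample of router flow records (not real capture data).
# Columns: time, src IP, src port, dst IP, dst port, protocol, bytes
SAMPLE_LOG = """\
2022-08-01T10:00:05,192.168.1.50,49152,198.51.100.10,5223,tcp,1200
2022-08-01T10:00:40,192.168.1.50,49153,198.51.100.20,443,tcp,5300
2022-08-01T10:02:00,192.168.1.50,50000,203.0.113.7,51820,udp,900
2022-08-01T10:02:30,192.168.1.50,50000,203.0.113.7,51820,udp,48000
2022-08-01T10:03:10,192.168.1.50,49152,198.51.100.10,5223,tcp,640
2022-08-01T10:04:00,192.168.1.77,49300,198.51.100.20,443,tcp,700
2022-08-01T10:05:15,192.168.1.50,49160,198.51.100.30,443,tcp,2100
"""


def find_leaks(log_text, device_ip, vpn_server_ip, vpn_up_at):
    """Return flows from device_ip that leave outside the tunnel after vpn_up_at.

    Each result is (time, dst, dst_port, bytes, kind). kind is 'pre-existing'
    when the same connection (src port, dst, dst port, protocol) was already
    seen before the VPN came up, otherwise 'new'.
    """
    vpn_up = datetime.fromisoformat(vpn_up_at)
    seen_before = set()   # connections opened before the tunnel existed
    leaks = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 7:
            continue      # skip blank or malformed records
        ts, src, sport, dst, dport, proto, nbytes = row
        if src != device_ip:
            continue      # only the device under test matters
        key = (sport, dst, dport, proto)
        if datetime.fromisoformat(ts) < vpn_up:
            seen_before.add(key)
            continue
        if dst == vpn_server_ip:
            continue      # encapsulated tunnel traffic, as expected
        kind = "pre-existing" if key in seen_before else "new"
        leaks.append((ts, dst, int(dport), int(nbytes), kind))
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG, "192.168.1.50", "203.0.113.7",
                           "2022-08-01T10:01:30"):
        print(leak)
```

With the VPN up, the only destination a router should see from a fully tunneled device is the VPN server itself, so any other row is worth investigating.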
Privacy company Proton previously reported an iOS VPN bypass vulnerability that appeared in at least iOS 13.3.1. Like Horowitz’s post, ProtonVPN’s blog noted that a VPN will typically close all existing connections and reopen them within a VPN tunnel, but that hasn’t happened on iOS. Most established connections will eventually end up in the tunnel, but some, like Apple’s push notification service, can take hours.
The main problem with non-tunneled connections is that they could be unencrypted and the user’s IP address and what they are connecting to can be seen by ISPs and other parties. “Those most at risk from this vulnerability are people in countries where surveillance and human rights abuses are rampant,” ProtonVPN wrote at the time. This may not be a pressing concern for typical VPN users, but it’s worth noting.
ProtonVPN confirmed that the VPN bypass persisted in three subsequent iOS 13 updates. ProtonVPN indicated in its blog post that Apple would add functionality to block existing connections, but this added feature didn’t appear to change Horowitz’s findings.
Horowitz tested ProtonVPN’s app on an iOS 15.4.1 iPad in mid-2022 and found that it still allowed persistent, non-tunneled connections to Apple’s push service. ProtonVPN’s added kill switch feature, whose stated function is to block all network traffic if the VPN tunnel is lost, did not prevent leaks, according to Horowitz.
Horowitz tested again on iOS 15.5 with a different VPN provider and iOS app (OVPN running the WireGuard protocol). His iPad continued to make requests to Apple services and Amazon Web Services.
ProtonVPN had suggested a workaround that was “almost as effective” as manually closing all connections when starting a VPN: connect to a VPN server, turn on Airplane mode, then turn it off again. “Your other connections should also reconnect inside the VPN tunnel, although we can’t 100% guarantee this,” ProtonVPN wrote. Horowitz suggests that iOS’ Airplane Mode features are so confusing that this isn’t an answer.
Ars Technica has reached out to both Apple and OpenVPN for comment and will update this article with any responses.
Horowitz’s post doesn’t offer any details on how iOS might fix the problem. He also doesn’t address VPNs that offer “split tunneling,” instead focusing on the promise that a VPN captures all network traffic. For his part, Horowitz recommends a $130 dedicated VPN router as a truly secure VPN solution.
VPNs, especially commercial offerings, remain a complicated piece of internet security and privacy. Choosing the “best VPN” has long been a challenge. VPNs can be undermined by vulnerabilities, unencrypted servers, greedy data brokers, or by being owned by Facebook.
This story originally appeared on Ars Technica.
What is a VPN on an iPhone? A VPN service encrypts your traffic between your iOS devices and the internet. It protects your privacy. A virtual private network also protects your iPhone from data sniffers and cybercriminals.
What does turning on VPN in iPhone settings do?
To protect yourself and your data from such ISPs and networks, you can enable VPN on your iPhone. Once VPN is enabled, your iPhone creates a secure and encrypted tunnel to the reinforced VPN servers and all traffic between the two is kept hidden from local ISPs and public Wi-Fi networks.
Should I enable VPN in iPhone Settings? Should I use a VPN on my iPhone? Yes, you should. We hear a lot of discussion about VPNs and their benefits for individuals and businesses. Increasingly concerned about their privacy and data security, people have already installed a VPN app on their desktops or Android phones.
What is the purpose of VPN on iPhone?
A VPN, or Virtual Private Network, routes all of your internet activity over a secure, encrypted connection that prevents others from seeing what you’re doing online and where you’re doing it from. Basically, a VPN provides an extra layer of security and privacy for all your online activities.
Should I turn VPN on or off?
VPNs offer the best online security, so you should always keep your VPN turned on to protect against data leaks and cyberattacks while using public WiFi, and from intrusive snoopers like ISPs or advertisers. So keep your VPN on at all times.
What happens if I turn off VPN on my iPhone?
When you disconnect a VPN, you disable additional online security and privacy that it offers. Without a virtual private network, you cannot have a secure connection on HTTP websites, which can put you at risk. Your traffic remains unencrypted and your IP is visible, so your connection is no longer private.
Why shouldn’t you use a VPN?
The 10 biggest VPN cons are: a secure, high-quality VPN will cost you money; VPNs almost always slow down your connection speeds; using a VPN on mobile increases data usage; some online services try to ban VPN users.
Is it Safe to Use VPN with Home WiFi? In any case, VPN is highly recommended, especially when working with sensitive data. You should leave it on most of the time to protect yourself from hackers, data leaks, and intrusive snoopers like ISPs or advertisers. VPNs encrypt your traffic and protect your privacy from third parties and cybercriminals.
Why don’t you need a VPN?
Trackers often collect data that you might not want out there, but using a VPN can’t always protect against that. “If you’re worried about people selling your data, worry about Facebook and Google Ads,” said Chester Wisniewski, senior research scientist at security firm Sophos. “No VPN will help you with that.”
What are the dangers of using a VPN?
VPNs are unsafe because they expose entire networks to threats like malware, DDoS attacks, and spoofing attacks. Once an attacker has entered the network via a compromised device, the entire network can be shut down.
What is VPN on iPhone and how does it work?
A VPN encrypts the connection between your iPhone or iPad and the internet. This gives you privacy as it blocks your ISP (and everyone else) from seeing what websites you visit and helps make you anonymous to websites so they can’t track you (unless you log in to them, of course).
Do you need a VPN if you have an iPhone? While iPhone is super secure, it can’t stand alone against the threats that lurk behind public Wi-Fi networks. A VPN connection protects your online traffic and data from eavesdropping, constant ad tracking, Wi-Fi spoofing, and cybercriminals when connected to public Wi-Fi networks.
Do iPhones have a built-in VPN?
So… is there a built-in VPN on your iPhone? The short answer: no. The iPhone doesn’t have its own built-in VPN, and Private Relay is certainly not the answer. It’s worth noting that this isn’t the case with any other device from Apple either.
Should VPN be on or off on my phone?
If your VPN is there to keep you safe and anonymous, you’ll probably want to keep it on as much as possible. There are many apps on your phone sending data in and out in the background and this could compromise your anonymity if your VPN is turned off.
What happens when I enable VPN on my phone? What is a VPN? A virtual private network (VPN) hides Internet data transmitted to and from your device. VPN software resides on your devices – be it a computer, tablet or smartphone. It sends your data in an encrypted format (this is called encryption) that is unreadable by anyone who wants to intercept it.
Should I keep my VPN on my phone all the time?
Yes, and let’s explain why. The answer to the question “Should I keep a VPN on?” is yes. VPNs offer the best online security, so you should always keep your VPN turned on to protect against data leaks and cyberattacks while using public WiFi, and from intrusive snoopers like ISPs or advertisers.