iOS VPN apps are broken, says security researcher; Apple not fixed

A well-known security researcher says that iOS VPN apps (virtual private networks) are broken, due to a flaw that he claims Apple has known about for at least two and a half years.

This backs a previous report by ProtonVPN that a VPN vulnerability has been present on iOS devices since at least iOS 13.3.1, and that there is no 100% reliable way of ensuring that your data is being sent via the VPN…

Michael Horowitz’s actual words are a little blunter than our headline. His blog post about the issue is titled “VPNs on iOS are a scam. “

How VPNs (are supposed to) work

Normally, when you connect to a website or other server, your data is first sent to your ISP or mobile data carrier. They then forward it to the remote server. That means that your ISP can see who you are and which sites and services you are accessing.

When using public Wi-Fi hotspots, you’re also at risk from what are known as man-in-the-middle (MITM) attacks. This is when a bad actor creates a Wi-Fi hotspot that mimics a genuine one, but which routes all traffic through their system first, letting them log all of your data. This is easy to do, and can be as simple as plugging a power-brick-size device into a coffee shop power outlet.

A VPN instead sends your data in encrypted form to a secure server. Your data is protected from an ISP, carrier, or hotspot operator. All they can see is that you are using a VPN. The usual analogy is it’s like using a secret tunnel from your device to the VPN server.

Similarly, the websites and servers you are accessing don’t get access to your IP address, location, or other identifying data – your traffic appears instead to be originating from the VPN server.

Why iOS VPN apps are broken

As soon as you activate a VPN app, it should immediately close down all existing (non-secure) data connections, and then reopen them inside the secure “tunnel.” This is an absolutely standard feature of any VPN service.

The problem, says Horowitz, is that iOS doesn’t allow VPN apps to close all existing non-secure connections.

VPNs on iOS are broken. At first, they appear to work fine. The iOS device gets a new public IP address and new DNS servers. Data is sent to the VPN server. But, over time, a detailed inspection of data leaving the iOS device shows that the VPN tunnel leaks. Data leaves the iOS device outside of the VPN tunnel.

This is not a classic / legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6.

This is a big deal because existing insecure connections can last for several minutes at a time, meaning that if you switch on your VPN in order to do something confidential, the first things you do may not be protected.

It gets worse in the case of Apple’s push notifications, as those connections can remain open for hours, not minutes.

ProtonVPN first identified this issue back in March 2020.

A member of the Proton community discovered that in iOS version 13.3.1, the operating system does not close existing connections. (The issue also persists in the latest version, 13.4.) Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel. […]

Neither Proton VPN nor any other VPN service can provide a workaround for this issue because iOS does not permit a VPN app to kill existing network connections.

Later in the year, the company added an update to say that Apple still hadn’t fixed the problem, but was providing app developers with the ability to add a manual “kill switch” feature, which would close all data connections on request. The company said it would be adding this, but then ceased updating the post in October 2020.

Horowitz’s lengthy post describes how he identified the problem as an iOS one, by using multiple devices and multiple VPN apps. He also said that when he notified Apple, the company initially engaged with him, but later went silent.

To date, roughly five weeks later, Apple has said virtually nothing to me. They have not said whether they tried to re-create the problem. They have not said whether they agree on this being a bug. They have not said anything about a fix.

It takes so little time and effort to re-create this, and the problem is so consistent, that if they tried at all, they should have been able to re-create it. None of my business. Maybe they are hoping, that like ProtonVPN, I will just move on and drop it. Dunno.

Is there a workaround?

Proton suggested switching on Airplane Mode, then switching it off, but says it cannot guarantee this will work. Horowitz tested it and found that it used to work, back on iOS 12.5.5, but does not do so in iOS 15.

I would expect that rebooting the phone would work, but Horowitz doesn’t appear to have specifically tested this.

He instead says that for now the only option is to connect to a secure routerwith built-in VPN – but this doesn’t help with mobile connections, which is when you’re most likely to need a VPN.

We’ve reached out to Apple, and will update with any response.

Photo: Petter Lagson/Unsplash

FTC: We use income earning auto affiliate links. Blackberries.


Check out 9to5Mac on YouTube for more Apple news: