A well-known security researcher says that third-party VPNs made for iOS and iPadOS routinely fail to route all of the device’s network traffic through a secure tunnel, and Apple has known about the issue for years. (Via ArsTechnica)
Writing on his blog, security researcher Michael Horowitz says he tested multiple types of virtual private network (VPN) software on iOS devices. He said that most VPNs appear to work properly at first, giving the device a new IP address and new DNS servers and sending data through a VPN server. Over time, however, he saw data leaving the device outside the VPN tunnel.
“Data leaves the iOS device outside of the VPN tunnel,” Horowitz writes. “This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6.”
Traditionally, when a VPN is activated the operating system closes all existing internet connections so that they are re-established through the VPN tunnel. Horowitz says he did not see that on iOS. Instead, sessions and connections established before the VPN was turned on were not terminated, and could still send data outside the VPN tunnel while it was active. That traffic is potentially unencrypted and exposed to ISPs and other monitoring parties.
Privacy company Proton issued a report with similar findings in March 2020, saying an iOS VPN bypass vulnerability had been identified in iOS 13.3.1 and persisted through three subsequent updates to iOS 13.
The company said at the time that Apple would be adding Kill Switch functionality in a future update to allow developers to block all existing connections if VPN connectivity was lost.
However, Horowitz’s tests show the added functionality does not prevent data leaks.
Proton suggests a workaround: activate the VPN, then turn Airplane mode on and off to force all network connections to be re-established through the VPN tunnel. Users are cautioned that the technique is not guaranteed to work; Horowitz says Airplane mode is itself unreliable for this purpose and should not be relied on as a solution to the problem.