A VPN is a “virtual private network” that can hide and encrypt your data connection on a device, such as the iPhone, by redirecting it through specially configured remote servers that are run by a VPN host. While there are plenty of third-party VPN apps on the App Store, they may not be working as intended because not all traffic is encrypted, according to Michael Horowitz, a self-proclaimed independent computer consultant and blogger, who has published a lengthy post about this specific problem. He also claims that Apple is aware of the issue but has yet to do anything about it since it was first discovered in 2020.
iOS has had this VPN security vulnerability since 2020
According to AppleInsider, this iOS VPN vulnerability was originally discovered in March 2020 by a VPN firm called ProtonVPN. Typically, when a user turns a VPN on, the operating system should then terminate all active internet connections and then automatically re-establish the connections through the VPN, preventing any kind of data leakage from occurring. But since iOS 13.3.1 and later, a bug was found where the active connection wasn’t actually terminated before establishing a new connection through the VPN. In short, the user would continue to use the insecure connection that they were on before connecting through the VPN.
This is a major security risk because those who may use a VPN may be in countries that have strict surveillance and civil rights abuse, according to ProtonVPN.
iOS VPNs could be leaking your data
With the new report from Horowitz, he looked at a data stream on an iPad while using a variety of different VPNs. It is demonstrated numerous times that the data leak vulnerability still exists, and the leaks can be quite significant. It appears that though Apple was made aware of this issue back in 2020, the company has done nothing to address it.
“At first, they appear to work fine,” Horowitz wrote in his report. “But, over time, a detailed inspection of data leaving the iOS device shows that the VPN tunnel leaks. When he switches to a newly updated iPad, Horowitz continues to observe the data leaving the iOS device outside of the VPN tunnel. He simply describes this as “another flood of requests…traveling outside the VPN tunnel.”
Further in the report, Horowitz says he stopped observing after repeatedly getting the same results. For him, he said that he is just interested in whether or not there is a problem, and he isn’t interested in being the one to define or debug the vulnerability. “That’s for Apple,” Horowitz said.
Horowitz has attempted to discuss this vulnerability with Apple and the government’s Cybersecurity and Infrastructure Security Agency (CISA), but those attempts have failed.
“At this point, I see no reason to trust any VPN on iOS,” Horowitz said. Instead, he suggests making direct VPN connections in a router through VPN client software, rather than use a VPN app on your current iPhone or iPad.
It should be noted that the research Horowitz conducted focused solely on VPN apps from third-party developers. His research was not on Apple’s own Private Relay feature in iCloud+. However, Apple has continuously said that Private Relay is different from a VPN and should not be looked at as the same thing.
