Apple has known for a long time about third-party VPNs that fail to route all network traffic through a secure tunnel after they have been turned on.

According to Michael Horowitz, who tested multiple types of virtual private network (VPN) software on iOS devices, most seem to work fine at first, issuing the device a new public IP address and new DNS server, and sending data to the VPN server. Over time, however, the tunnel leaks data.

Typically, when a user connects to a VPN, the operating system closes all existing internet connections and then re-establishes them through the VPN tunnel. That is not what Horowitz has observed in his advanced router logging. Instead, sessions and connections established before the VPN is turned on are not terminated as one would expect, and can still send data outside the VPN tunnel while it is active, leaving that data potentially unencrypted and exposed to ISPs and other parties.
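One way to look for this pattern in router connection logs, as an added example that is not from Horowitz or the original article: it flags traffic a device sends to anything other than the VPN server once the VPN is up, and marks destinations that were already in use before the VPN came up. The log format, the IP addresses (documentation ranges), the LAN prefix and the function name `find_leaks` are constructed assumptions, and entries are assumed to be in chronological order.

```python
import ipaddress
from datetime import datetime

# Constructed sample log; hypothetical format: time src dst dport proto
SAMPLE_LOG = """\
2022-08-01T10:00:05 192.168.1.50 198.51.100.10 443 tcp
2022-08-01T10:00:20 192.168.1.50 198.51.100.20 443 tcp
2022-08-01T10:00:40 192.168.1.50 192.168.1.1 53 udp
2022-08-01T10:01:00 192.168.1.50 203.0.113.7 51820 udp
2022-08-01T10:02:10 192.168.1.50 198.51.100.10 443 tcp
2022-08-01T10:02:40 192.168.1.50 198.51.100.10 443 tcp
2022-08-01T10:03:00 192.168.1.50 192.0.2.9 443 tcp
2022-08-01T10:03:30 192.168.1.77 192.0.2.9 443 tcp
truncated line
"""

def find_leaks(log_text, device_ip, vpn_server_ip, vpn_up, lan="192.168.1.0/24"):
    """Return {(dst, dport, proto): {"packets": n, "preexisting": bool}} for
    traffic the device sent outside the tunnel at or after vpn_up."""
    lan_net = ipaddress.ip_network(lan)
    first_seen, leaks = {}, {}
    for line in log_text.splitlines():  # assumed chronological
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed or truncated entries
        try:
            ts = datetime.fromisoformat(parts[0])
            dst = ipaddress.ip_address(parts[2])
            dport = int(parts[3])
        except ValueError:
            continue
        if parts[1] != device_ip or dst in lan_net:
            continue  # other devices and LAN-local traffic are out of scope
        flow = (str(dst), dport, parts[4])
        first_seen.setdefault(flow, ts)
        if ts >= vpn_up and str(dst) != vpn_server_ip:
            entry = leaks.setdefault(flow, {"packets": 0, "preexisting": False})
            entry["packets"] += 1
            # Heuristic: without source ports, "same destination seen before
            # the VPN came up" stands in for "session that was never torn down".
            entry["preexisting"] = first_seen[flow] < vpn_up
    return leaks

if __name__ == "__main__":
    up = datetime.fromisoformat("2022-08-01T10:01:00")
    for flow, info in find_leaks(SAMPLE_LOG, "192.168.1.50", "203.0.113.7", up).items():
        print(flow, info)
```

Flows marked `preexisting` correspond to the sessions described above that keep sending data after the tunnel is active; the rest are new connections made outside it.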

"Data leaves the iOS device outside of the VPN tunnel," Horowitz writes. "This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6."

According to a report issued in March 2020 by a privacy company, there was a vulnerability in the software that persisted through three subsequent updates to Apple's mobile operating system.

Apple will add Kill Switch to a future software update, allowing developers to block all existing connections if a tunnel is lost.

The researcher says that any suggestions that Kill Switch would prevent the data leaks are off base.

His iPad continues to make requests outside of the tunnel to both Apple services and Amazon Web Services despite the fact that he has recently installed the newest version of the software.

Proton suggests a solution to the problem that involves turning Airplane mode on and off.

This isn't guaranteed to work and should not be relied on as a solution to the problem. If we hear back from Apple, we'll update this post.