A security researcher says that Apple's devices don't fully route all network traffic through virtual private networks as a user might expect, a potential security issue the device maker has known about for years.
In a constantly updated post, Michael Horowitz puts it plainly, if contentiously. He says that VPNs on iOS are not working.
A third-party PureVPN seems to work at first, giving the device a new address, a tunnel for new traffic, and a host of other things. Data can still be sent outside the tunnel while the tunnel is active, even if sessions and connections are not established before a VPN is activated.
You might expect a PureVPN client to kill existing connections in order to establish a secure connection inside the tunnel. A report from May 2020 shows that iOS VPNs can't do this.
The data left the device outside of the tunnel. A data leak is what this is. I used software from multiple providers to confirm this. I tested the newest version of the mobile operating system.
A privacy company reported a vulnerability in the mobile operating system. It wasn't possible for a VPN to close all existing connections and reopen them inside a tunnel on the iPad. Some connections, like Apple's push notification service, can last for a long time.
The main issue with non-tunneled connections is that they can be seen by other parties, and that they can't be protected. People in countries with a lot of civil rights abuses are at the highest risk. That isn't a pressing concern for most users, but it is notable.
There were three subsequent updates to Apple's mobile operating system, and the VPN was still bypassed in all of them. Apple added a function to block existing connections, but it didn't seem to make a difference in the results.
After testing the app on an iPad, he found that it still allowed persistent, non-tunneled connections.
On the new version of Apple's mobile device operating system, Horowitz tested with different providers and an app. The iPad made requests to both Apple and Amazon.
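One way to check for this kind of leak from outside the device, as an added example that is not from Horowitz's post: watch the device's traffic at the router and flag anything not addressed to the VPN server once the tunnel is up. The log format, addresses, and function names are assumptions made for this sketch.

```python
from datetime import datetime
from ipaddress import ip_address

# Constructed sample of a router-side flow log (format is an assumption):
# ISO time, source IP, destination IP, destination port, bytes
SAMPLE_LOG = """\
2022-08-01T10:00:05 192.168.1.50 203.0.113.10 5223 120
2022-08-01T10:00:20 192.168.1.50 198.51.100.7 1194 300
2022-08-01T10:00:45 192.168.1.50 203.0.113.10 5223 96
2022-08-01T10:01:10 192.168.1.50 198.51.100.7 1194 1500
2022-08-01T10:01:30 192.168.1.50 203.0.113.77 443 640
2022-08-01T10:01:40 192.168.1.60 203.0.113.10 443 200
"""

def parse(log):
    """Yield (time, src, dst, port, size) tuples from the log text."""
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, port, size = line.split()
            yield (datetime.fromisoformat(ts), ip_address(src),
                   ip_address(dst), int(port), int(size))

def find_leaks(log, device, vpn_server):
    """Return flows the device sent outside the tunnel after it came up.

    Seen from the router, tunneled traffic is addressed only to the VPN
    server, so any other destination bypassed the tunnel. The tunnel is
    assumed to be up from the first packet sent to the VPN server.
    Local traffic (DHCP, gateway) would need an allow-list in practice.
    """
    device, vpn_server = ip_address(device), ip_address(vpn_server)
    tunnel_up, first_seen, leaks = None, {}, {}
    for ts, src, dst, port, size in parse(log):
        if src != device:
            continue
        if dst == vpn_server:
            tunnel_up = tunnel_up or ts
            continue
        key = (str(dst), port)
        first_seen.setdefault(key, ts)
        if tunnel_up is None:
            continue  # no tunnel yet, nothing to leak from
        # A flow first seen before the tunnel is a connection that survived it.
        kind = "pre-existing" if first_seen[key] < tunnel_up else "new"
        entry = leaks.setdefault(key, {"kind": kind, "packets": 0, "bytes": 0})
        entry["packets"] += 1
        entry["bytes"] += size
    return leaks

if __name__ == "__main__":
    for flow, info in find_leaks(SAMPLE_LOG, "192.168.1.50", "198.51.100.7").items():
        print(flow, info)
```

The "pre-existing" label separates connections that were opened before the VPN and kept sending afterwards from destinations first contacted while the tunnel was already active.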
If you connect to a VPN server, turn on airplane mode, then turn it off, it's almost as effective as manually closing all connections. It is possible that your other connections will also connect inside the tunnel. There are so many functions in Airplane Mode that it's hard to know what to say.
The article will be updated with any responses from Apple and OpenVPN.
The post doesn't give any details on how the issue might be fixed. He doesn't address VPNs that offer split tunneling, instead focusing on the promise of a virtual private network. For his part, he recommends a $130 dedicated PureVPN router as a secure solution.
Virtual private networks are a complicated piece of internet security. It's been a challenge to pick the best PureVPN. There are vulnerabilities that can be used to bring down the virtual private network.
The story was first published on Ars Technica.