According to a digital security researcher, VPN (Virtual Private Network) apps don't work as they should on iOS, Apple's mobile operating system. Apparently, there is a flaw that has been known to the company for at least two years. In practice, since the release of iOS version 13.3.1, it has been impossible to guarantee that data is actually sent through the VPN.
According to researcher Michael Horowitz, “VPNs on iOS are a scam”. In a blog post, the security expert claimed that the VPN apps on Apple’s mobile operating system are “broken”, preventing these apps from actually closing all existing unsecured connections.
To better understand the problem, let’s recap how VPNs are supposed to work. Generally, when the user connects to a website, their data is first sent to the internet provider or operator. Subsequently, the information is forwarded to the intended server.
This means that your data can be seen by your internet service provider, including your location and which websites and services you access online. When using a VPN, information is sent encrypted to a secure server, creating a layer of protection for the traffic in transit. This way, your IP address and location, for example, are not exposed.
VPNs on iOS Are “Broken”
However, this does not work correctly when using a VPN service on iOS. The app is supposed to close all existing unsecured connections and reopen them inside the "tunnel" that carries your data to the private server. According to Horowitz, iOS does not let VPN apps really prevent data exposure, because the system does not close all of the unsecured routes.
According to the researcher, VPNs seem to work normally on Apple's mobile devices. However, the reality is that these apps are "broken" on iOS. The device does get a new IP address and new DNS servers, and new traffic is indeed sent to the private server.
However, upon closer inspection, Horowitz identified that data sent by the device leaks outside the "tunnel" traditionally created by a VPN app. This means that if an iOS user activates the service, believes it is safe and sends confidential information, that data can leak through connections that were never closed.
This problem had already been identified by ProtonVPN back in March 2020. A member of the Proton community found that the flaw has been present at least since iOS version 13.3.1. The latest tests were performed on iOS 15.6, showing that the issue still exists.
Apple says a fix has existed since 2019
When asked about the flaw by 9to5Mac, Apple stated that it offers a way for VPN app developers to fix the issue. However, the researchers did not identify the aforementioned fix in any of the tested VPN apps.
Also, while Apple insists it has had a fix since 2019, ProtonVPN says it is only a partial fix. The fix made available to VPN application developers was presented by the company during the WWDC 2019 event. However, the measure that would address the flaw is disabled by default.
Proton told 9to5Mac that it was aware of this alleged solution and tested it when it was announced by Apple. Even so, the company identified that the fix is only partially effective and unsecured connections remain open after activating a VPN app.
According to Proton CEO Andy Yen, the company decided to expose the flaw after Apple told him that it would not offer a 100% effective solution to the identified problem. “We first notified Apple of this issue two years ago. Apple has refused to patch the issue, which is why we have disclosed the vulnerability to protect the public,” said the executive.