A cyber security researcher, Micheal Horowitz claims that “broken” iOS VPN apps fail close to the VPN tunnel after a connection is active and leak users’ data. The security flaw has existed since 2020, and it still persists in the latest iOS versions as well.
Virtual Private Network (VPN) app creates a new public IP address and DNS servers for the device and sends data to the VPN server. Ideally, when a VPN connection is active, the OS closes all existing internet connections and re-establishes them through the VPN tunnel.
Horowitz is highlighting the same issue that a privacy company, ProtonVPN, did in March 2020. The tech giant provided a “kill switch” capability to developers claiming that it would block existing connections whenever VPN would be enabled. And ProtonVPN added the “kill switch” capability to its iOS VPN app.
ProtonVPN backs researcher finding that reveals Apple’s patch for iOS VPNs security vulnerability is ineffective
When Horowitz tested Proton and other VPN apps on iOS 15.4.1 and iOS 15.5 in mid-2022, he found that the vulnerability continues to exist in spite of Apple’s “kill switch” tech.
Horowitz has found that iOS VPN apps do not terminate the connections established for the VPN is active and expose users’ unencrypted data like their IP address to ISPs and other parties, even when the connection is active. Horowitz wrote:
“Data leaves the iOS device outside of the VPN tunnel. This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6.”
Backing Horowitz, ProtonVPN released a statement that states the new findings were the same as the situation it report to Apple two years ago and called on the tech giant to completely ensure users’ online safety.
We’ve raised this issue with Apple multiple times. Unfortunately, its fixes have been problematic. Apple has stated that their traffic being VPN-exempt is “expected”, and that “Always On VPN is only available on supervised devices enrolled in a mobile device management (MDM) solution”.
We call on Apple to make a fully secure online experience accessible to everyone, not just those who enroll in a proprietary remote device management framework designed for enterprises.
Founder and CEO of Proton Andy Yen also expressed disappointment over the fact that the VPN security vulnerability still exists and the company’s lack of action.
The fact that this is still an issue is disappointing to say the least. We first notified Apple privately of this issue two years ago. Apple declined to fix the issue, which is why we disclosed the vulnerability to protect the public. Millions of people’s security is in Apple’s hands, they are the only ones who can fix the issue, but given the lack of action for the past two years, we are not very optimistic Apple will do the right thing.”
- Apple’s new iCloud Private Relay puts VPNs to shame by strengthening browsing privacy – Report
- New scam apps exposed on App Store, online casino disguised as kids game and fraudulent VPN app
- Apple responds to ProtonVPN allegations with timeline, suggesting app update rejection was unrelated to Myanmar unrest