VPNs Don’t Work on iOS — and Apple Doesn’t Care

“VPNs on iOS are a scam.” That’s what an angry security researcher would have you believe. He’s fed up with reproducing and documenting a serious iOS bug that Apple just won’t fix.

“Privacy. That’s iPhone.” This is what Tim Cook (pictured) would have you believe. But how could you believe him, if you can’t trust any VPN on your phone? Oh, and Apple has ignored the problem for years.

Part of the problem is that iOS restricts VPN apps from setting the default gateway. There’s no API to do this, nor one to close existing connections.

What use is a VPN that randomly leaks data? In today’s SB Blogwatch, we pit Horowitz vs. Cook.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Bluey.

VPN: The P is for PR — bad PR

What’s the craic? Karen Haslam reports—“iPhone VPN apps are ‘a scam,’ security researcher warns–and Apple knows it”:

It’s been two years
A well-known security researcher accuses VPNs installed on an iPhone or iPad of leaking data while Apple turns a blind eye. … He was able to confirm the data leaks using multiple types of VPN and software from multiple VPN providers.

All sessions and connections established prior to the VPN being activated should be terminated and this is not happening … which means that data can still be sent outside the VPN. … VPNs are often implemented because a user wants to protect their data, but if data is leaving their device and not travelling through the VPN tunnel the VPN is failing to do its job.

Apple is yet to address the issue … publicly. It’s been two years since it was first raised.

Why does it matter? Jeff Butts me no buts—“Your iOS VPN Isn’t As Secure As You Think”:

Apple acknowledged the issue in 2020
Many people use a VPN to bolster their online security. The expectation is that all internet traffic gets encrypted through the VPN.

Unfortunately … a long-time bug in iOS means your VPN isn’t nearly as secure as you think. Worse yet, Apple’s known about the issue for years.

ProtonVPN discovered the bug in 2020, and disclosed it to Apple. … Apple acknowledged the issue … and said it was looking into ways to fully mitigate it. [Since then] Apple has not commented … on the state of this bug, or if it is still actively exploring ways to solve it.

Who is this turbulent priest? Michael Horowitz—“VPNs on iOS are a scam”:

Apple has a level of trust that they do not deserve
I see no reason to trust any VPN on iOS. … At first, they appear to work fine. … But, over time, a detailed inspection of data leaving the iOS device shows … data leaves the iOS device outside of the VPN tunnel.

The bug that ProtonVPN first wrote about in March 2020, still exists. … The latest version of iOS that I tested with is 15.6. [It] still does not terminate existing connections/sessions when it creates a VPN tunnel. This presents assorted dangers. Connections outside the VPN communicate your real public IP address and [aren’t] encrypted. They are also vulnerable to ISP spying. … Outside the VPN, anything goes. … Not good. … It is surprising to find this problem has persisted for so long. My testing took very little hardware, software or expertise.

Apple has a level of trust that they do not deserve. … I emailed Apple … on May 19, 2022 and, for a week, there was no response. On May 26th, I emailed again and … since then, there have been a number of emails between myself and the company. [But] roughly five weeks later, Apple has said virtually nothing to me. They have not said whether they tried to re-create the problem … whether they agree on this being a bug [nor] said anything about a fix.
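Horowitz’s test boils down to watching what leaves the phone after the tunnel comes up. The Python below is an added example, not Horowitz’s, ProtonVPN’s or Apple’s code: it runs that check over constructed flow records of the kind a home router would log, separating sessions that were open before the tunnel and kept going (the bug described above) from fresh connections that bypass the tunnel. The phone address, VPN endpoint and tunnel-up time are assumptions.

```python
"""Flag traffic that leaves a device outside its VPN tunnel.

Constructed flow records stand in for what a router or packet capture
would show; the device, VPN server and tunnel time are all assumptions.
"""
from typing import Dict, List

PHONE = "192.168.1.20"          # assumed iPhone LAN address
VPN_SERVER = "203.0.113.10"     # assumed VPN endpoint (documentation range)
TUNNEL_UP_AT = 100              # assumed time (s) the tunnel came up

# Constructed flows: one per connection, times in seconds since capture start.
FLOWS = [
    {"src": PHONE, "dst": "198.51.100.5", "port": 443, "start": 40, "end": 250},
    {"src": PHONE, "dst": "198.51.100.7", "port": 443, "start": 30, "end": 90},
    {"src": PHONE, "dst": VPN_SERVER, "port": 51820, "start": 100, "end": 600},
    {"src": PHONE, "dst": "198.51.100.9", "port": 53, "start": 150, "end": 160},
    {"src": "192.168.1.30", "dst": "198.51.100.5", "port": 443, "start": 120, "end": 200},
]


def classify_leaks(flows, device, vpn_server, tunnel_up_at) -> Dict[str, List[dict]]:
    """Split the device's post-tunnel clear-text flows into two kinds.

    'persisted': opened before the tunnel and still alive afterwards, which is
    the session-not-terminated behaviour the articles describe.
    'new': opened after the tunnel yet routed around it (DNS and similar),
    a separate but related leak.
    Flows to the VPN server itself are the tunnel and are never leaks.
    """
    result: Dict[str, List[dict]] = {"persisted": [], "new": []}
    for f in flows:
        if f["src"] != device or f["dst"] == vpn_server:
            continue
        if f["end"] <= tunnel_up_at:
            continue  # finished before the tunnel existed: nothing to leak
        leak = dict(f, leaked_seconds=f["end"] - max(f["start"], tunnel_up_at))
        kind = "persisted" if f["start"] < tunnel_up_at else "new"
        result[kind].append(leak)
    return result


def report(flows=FLOWS, device=PHONE, vpn_server=VPN_SERVER, tunnel_up_at=TUNNEL_UP_AT):
    leaks = classify_leaks(flows, device, vpn_server, tunnel_up_at)
    for kind, items in leaks.items():
        for leak in items:
            print(f"{kind:9s} {leak['dst']}:{leak['port']} "
                  f"leaked for {leak['leaked_seconds']}s after tunnel-up")
    return leaks


if __name__ == "__main__":
    report()
```

On a real capture, feed it the flow table exported from the router (or summarised from a pcap) and a correctly observed tunnel-up time; the persisted bucket being non-empty is the bug.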

HOW long? Longer than you might think, xxray expects:

I remember this getting reported on a couple years ago, and never getting an update. I just assumed it had been fixed.

I’m so glad my privacy has been compromised for the last 2.5 years. And still is being compromised while Apple knows about it and does nothing.

Wait. Pause. Are we sure this is really a bug? What if we don’t want existing connections to break? RatherBeAnonymous is rather sure:

It’s a bug. … Anyone paying for a VPN service is intending to protect all of their traffic.

What if you are on a network with a compromised router or DNS server actively performing man-in-the-middle attacks? It absolutely should break active connections because they could be active attacks.

Yes, but … Xenoveritas interrupts you there:

An app has to expect their existing connections to all suddenly drop. For example, when you leave your house and drop off your wifi and transition to cellular data – all the existing wifi connections need to be dropped and new ones need to be established over the cellular connection.

As far as apps are concerned, having their connections all drop and then resume via VPN should be the same as having them drop because wifi is no longer available and having to resume them on cellular.

Isn’t privacy supposed to be the Apple USP? jollyboyspecial swearily scoffs:

******. It’s VPN 101 that the data should be encrypted.

Apple are always banging on about being secure by default and other such nonsense. My ****! Not only could they not get the basics of VPN security right to start with but they can’t even be ****d to fix it when they do get it wrong.

But how big a deal is this, really? Depends where you live, says buraktamturk:

For example, connection to Signal and Kakaotalk servers is used as evidence of being a member of a terror organisation (!) in Turkey. Evidence is gathered by the Ministry of Communications from the ISPs, who have to provide real-time connection data to the State. With a VPN, it is almost impossible.

Turkey? Oh come on. This is ’Murica. arkitect scoffs at your complacency:

Lives are put at risk. … Reporters or activists or ordinary sane people think it’s all OK until that 4:00am knock on the door.

As with alcoholics, the first step is acknowledging there is a problem. But as we know that is never Apple’s way of doing things.

Meanwhile, Santa from Exeter comes down your chimney:

Typical Apple. Lull the Public into believing their “Apple is more secure than X” ****ola, and all the while leaking like a sieve.

And Finally:

I mean, perhaps you are watching it, but I’m not

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Mike Deerkoski (cc:by; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
