Security researcher says: "VPNs on iOS are broken" – and Apple knows

---

TL;DR

• A security researcher has been analyzing Apple's VPN service since May 2022.
• At first, VPNs on iOS work properly, but long-term use of the service has proven flawed.
• This is a data leak, and the first mention of this problem was made by ProtonVPN in March 2020.
• As a consequence, those who rely on VPN services on iOS would supposedly be exposed, as there is no way to ensure that data is actually being sent over a secured network.

---

In an ongoing post on his blog, Horowitz has been studying Apple's VPN service since May 2022. He confirmed the problems involving these services using various types of VPNs and software from several VPN providers. The latest version of iOS he used him was v15.6. However, this same data leak has been known since March 2020, when ProtonVPN first made the problems public.

Normally, when a user connects to a VPN, the operating system closes all existing Internet connections and then re-establishes them through the VPN tunnel. In general terms, a VPN encrypts your data and redirects it through one or more servers. As you can read in our guide on VPNs, it usually is a good way to browse the web anonymously. To ensure your privacy, all data should be routed through the secured connection. 

As mentioned by my colleague Rubens Eishima in our VPN comparison, this type of service is used to bypass censorship systems of governments, totalitarian or not, or even geo-restricted resources, such as those applied by content providers in the form of streaming services.

So what exactly is iOS doing wrong while establishing VPN-connections? Horowitz states, that connections work properly at first, i.e. the iPhone or iPad gets a new public IP address and new DNS servers and the data is sent to the VPN server. However, over time, close inspection of the data coming out of these iOS devices has shown that the VPN tunnel leaks. Which means we have a data leak and therefore a breach of your privacy.

In response to ProtonVPN, Apple indicated that it would add the Kill Switch feature to a future iOS update (at the time running version 13). This would allow developers to block all existing connections if a VPN-connection is lost. However, it is clear from Horowitz's survey results that this either didn't happen or doesn't work as of now.

Finally, ProtonVPN suggests that enabling the VPN and then turning the device's Airplane mode on and off to force all network traffic to be re-established through the VPN tunnel could work as a solution to the problem. However, the security firm admits that this is not foolproof.

For Horowitz this should not be considered a solution, given that Airplane mode is not reliable in itself. As of this writing, Apple has not yet commented on the matter.

Personally, I do not use a VPN on my iPhone. However, Horowitz's statements are a big wake-up call for activists who are entrusting their privacy and anonymity to these types of services in combination with Apple's iOS. Furthermore, people who use VPNs on iOS to explore streaming services in other regions could likely have their accounts banned as a consequence of possible data leakage.

Do you use any kind of VPN on your iPhone or iPad? How do you view the security researcher's claims? Share your opinion in the comments section below.

Via: 9to5mac Source: Michael Horowitz