Researcher Says iOS VPNs Leak Traffic and Apple Knows it

Computer security researcher Michael Horowitz has today revealed on his blog that iOS devices do not fully route all network traffic through VPNs, a potential security issue Apple has known about for years (via ArsTechnica).


Horowitz notes that while all third-party VPN apps seem to provide the device with a new IP address, DNS servers, and a tunnel for new traffic, any connections established before a VPN is activated do not terminate.

VPNs generally kill existing sessions before establishing a connection so they can be re-established inside the tunnel. But iOS VPNs can’t seem to do this, notes Horowitz.

“Data leaves the iOS device outside of the VPN tunnel,” Horowitz writes. “This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6.”
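One way to check for this behaviour from outside the device is to record its packets at an upstream router and sort everything seen after the tunnel comes up. The following is an added example, not Horowitz's or Proton's code; the record format, addresses, ports and timestamps are constructed for illustration.

```python
from collections import namedtuple

# One record per packet seen at an upstream router (constructed format).
Flow = namedtuple("Flow", "ts src sport dst dport proto")

# Constructed sample data; addresses come from documentation ranges (RFC 5737).
DEVICE = "192.0.2.10"
VPN_SERVER = "203.0.113.5"
VPN_UP_AT = 100.0  # seconds; moment the VPN app reported "connected"

SAMPLE = [
    Flow(10.0, DEVICE, 50001, "198.51.100.7", 443, "tcp"),   # opened before VPN
    Flow(20.0, DEVICE, 50002, "198.51.100.9", 443, "tcp"),   # opened before VPN
    Flow(101.0, DEVICE, 40000, VPN_SERVER, 4500, "udp"),     # tunnel traffic
    Flow(130.0, DEVICE, 50002, "198.51.100.9", 443, "tcp"),  # old session still alive
    Flow(140.0, DEVICE, 50010, "198.51.100.20", 443, "tcp"), # new session, no tunnel
    Flow(150.0, DEVICE, 40000, VPN_SERVER, 4500, "udp"),     # tunnel traffic
]


def classify(flows, device, vpn_server, vpn_up_at):
    """Sort the device's post-VPN packets into three buckets.

    tunnel      -> addressed to the VPN server (expected)
    persisted   -> same 5-tuple as a connection seen before the VPN came up
    new_outside -> a connection first seen after VPN-up that bypasses the tunnel
    """
    seen_before = set()
    result = {"tunnel": [], "persisted": [], "new_outside": []}
    for f in sorted(flows, key=lambda f: f.ts):
        if f.src != device:
            continue
        key = (f.src, f.sport, f.dst, f.dport, f.proto)
        if f.ts < vpn_up_at:
            seen_before.add(key)          # remember pre-VPN connections
        elif f.dst == vpn_server:
            result["tunnel"].append(f)
        elif key in seen_before:
            result["persisted"].append(f)
        else:
            result["new_outside"].append(f)
    return result


if __name__ == "__main__":
    for bucket, items in classify(SAMPLE, DEVICE, VPN_SERVER, VPN_UP_AT).items():
        print(bucket, [(f.ts, f.dst, f.dport) for f in items])
```

The `persisted` bucket corresponds to the case described above, where a connection opened before the VPN was activated keeps sending outside the tunnel.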

Meanwhile, privacy company Proton suggests a workaround that is “almost as effective” as manually closing all connections when starting a VPN.

Connect to a VPN server, turn on airplane mode, then turn it off. “Your other connections should also reconnect inside the VPN tunnel, though we cannot guarantee this 100%,” they say.

However, Horowitz suggests that iOS’s Airplane Mode functions are so confusing as to make this a non-answer.

Apple has not yet issued any comment regarding the matter.