2022-08-17

Computer security researcher Michael Horowitz has today revealed on his blog that iOS devices do not route all network traffic through VPNs, a potential security issue Apple has known about for years (via ArsTechnica).

Horowitz notes that while all third-party VPN apps seem to give the device a new IP address, new DNS servers, and a tunnel for new traffic, any connections that were already established before the VPN is activated are not terminated, so they keep running outside the tunnel.

VPNs generally kill existing sessions before bringing up the tunnel so that those sessions are re-established inside it. But iOS VPNs can’t seem to do this, notes Horowitz.
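One way to verify the behaviour described above from the network side is to log flows at the router and check whether sessions opened before the tunnel came up keep leaving the device afterwards. The following is an added example, not code from Horowitz's post or from any VPN provider; the log format, the device address 10.0.0.42 and the VPN server address 203.0.113.7 are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address

@dataclass
class Flow:
    when: datetime
    src: object   # result of ip_address()
    dst: object
    port: int
    proto: str

# Constructed sample of a router-side flow log for one iOS device (10.0.0.42) in a
# hypothetical "<ISO time> <src> <dst>:<port> <proto>" format. The tunnel to the VPN
# server 203.0.113.7 comes up at 10:00:05; the TLS session to 93.184.216.34 predates it.
SAMPLE_FLOWS = """\
2022-08-17T10:00:01 10.0.0.42 93.184.216.34:443 tcp
2022-08-17T10:00:05 10.0.0.42 203.0.113.7:1194 udp
2022-08-17T10:00:09 10.0.0.42 93.184.216.34:443 tcp
2022-08-17T10:00:12 10.0.0.42 198.51.100.9:443 tcp
"""
DEVICE = ip_address("10.0.0.42")
VPN_SERVER = ip_address("203.0.113.7")

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if line.strip():
            when, src, dst_port, proto = line.split()
            dst, port = dst_port.rsplit(":", 1)
            flows.append(Flow(datetime.fromisoformat(when), ip_address(src),
                              ip_address(dst), int(port), proto))
    return flows

def find_leaks(flows, device, vpn_server):
    """Device flows that bypass the VPN once the tunnel is up. 'pre_existing' ones
    continue a (dst, port, proto) seen before the tunnel came up, the behaviour
    reported above; 'new' ones were opened later and are still not tunnelled."""
    mine = [f for f in flows if f.src == device]
    tunnel = [f.when for f in mine if f.dst == vpn_server]
    result = {"pre_existing": [], "new": []}
    if not tunnel:
        return result  # tunnel never came up, so there is no baseline to judge by
    vpn_start = min(tunnel)
    before = {(f.dst, f.port, f.proto) for f in mine if f.when < vpn_start}
    for f in mine:
        if f.when >= vpn_start and f.dst != vpn_server:
            kind = "pre_existing" if (f.dst, f.port, f.proto) in before else "new"
            result[kind].append(f)
    return result
```

The check only sees what the router sees, so traffic to the local network and the VPN server's own control traffic are deliberately not counted as leaks.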

“Data leaves the iOS device outside of the VPN tunnel,” Horowitz writes. “This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6.”

Meanwhile, privacy company Proton suggests a workaround that is “almost as effective” as manually closing all connections when starting a VPN.

Connect to a VPN server, turn on airplane mode, then turn it off. “Your other connections should also reconnect inside the VPN tunnel, though we cannot guarantee this 100%,” they say.

However, Horowitz suggests that iOS’s Airplane Mode functions are so confusing as to make this a non-answer.

Apple has not yet issued any comment regarding the matter.