Third-party VPNs designed for iPhone and iPad routinely fail to route all network traffic through the secure tunnel after they have been turned on, something Apple has known about for years, according to a longtime security researcher (via Ars Technica).
Writing in a frequently updated blog post, Michael Horowitz says that after testing multiple types of VPN software on iOS devices, most seem to work fine at first, issuing the device a new public IP address and new DNS servers and sending data to the VPN server. Over time, however, the VPN tunnel leaks data.
Normally, when a user connects to a VPN, the operating system shuts down all existing internet connections and then re-establishes them through the VPN tunnel. That is not what Horowitz observed in his router's advanced logging. Instead, sessions and connections established before the VPN was turned on do not terminate as one would expect, and the device can still send data over them outside the VPN tunnel while it is active, leaving that traffic unencrypted and exposed to ISPs and other parties.
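The check Horowitz describes, traffic leaving the device for hosts other than the VPN server after the tunnel is up, can be reproduced from router flow logs. The following is an added example, not code from the article or from Horowitz's tests: it parses constructed router log lines (the log format, the device and VPN server addresses, and the activation time are all assumptions made for this example) and reports every post-activation flow from the device that bypasses the tunnel, distinguishing connections that already existed before activation from new ones.

```python
"""Added example (not from the article or from Michael Horowitz's tests):
detect traffic that bypasses a VPN tunnel by checking router flow records.

Assumptions (all constructed for this example):
- the router exports one record per flow update, formatted as
  "<ISO time> <src_ip> <dst_ip>:<dst_port> <proto> <flow_id>"
- the iOS device's LAN address, the VPN server's address and the time the
  VPN was turned on are known to the person doing the check
"""
from dataclasses import dataclass
from datetime import datetime

DEVICE_IP = "192.168.1.23"          # constructed: the iPad's LAN address
VPN_SERVER_IP = "203.0.113.10"      # constructed: address from the documentation range
VPN_ACTIVATED_AT = datetime.fromisoformat("2022-05-14T10:00:00")

# Constructed router log lines. Flows f1 and f2 exist before the VPN is turned
# on; f1 keeps sending to its original destination afterwards, which is the
# leak the article describes. f3 is new traffic correctly going to the VPN
# server, and f4 is a brand-new flow to a non-VPN host (a different failure).
ROUTER_LOG = """\
2022-05-14T09:59:20 192.168.1.23 17.253.144.10:443 tcp f1
2022-05-14T09:59:40 192.168.1.23 52.94.236.248:443 tcp f2
2022-05-14T10:00:05 192.168.1.23 203.0.113.10:51820 udp f3
2022-05-14T10:00:30 192.168.1.23 17.253.144.10:443 tcp f1
2022-05-14T10:01:00 192.168.1.23 203.0.113.10:51820 udp f3
2022-05-14T10:02:10 192.168.1.23 198.51.100.7:443 tcp f4
"""


@dataclass(frozen=True)
class FlowRecord:
    when: datetime
    src: str
    dst: str
    dport: int
    proto: str
    flow_id: str


def parse_log(text):
    """Parse the assumed log format into FlowRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_port, proto, flow_id = line.split()
        dst, port = dst_port.rsplit(":", 1)
        records.append(FlowRecord(datetime.fromisoformat(ts), src, dst,
                                  int(port), proto, flow_id))
    return records


def find_leaks(records, device_ip=DEVICE_IP, vpn_ip=VPN_SERVER_IP,
               activated_at=VPN_ACTIVATED_AT):
    """Return {flow_id: "pre-existing" | "new"} for every flow from the device
    that sends to something other than the VPN server after activation.

    "pre-existing" flows are the ones the article describes: connections set
    up before the VPN came up that the OS never tore down and re-routed.
    """
    seen_before = {r.flow_id for r in records
                   if r.src == device_ip and r.when < activated_at}
    leaks = {}
    for r in records:
        if r.src != device_ip or r.when < activated_at or r.dst == vpn_ip:
            continue
        leaks[r.flow_id] = "pre-existing" if r.flow_id in seen_before else "new"
    return leaks


if __name__ == "__main__":
    for fid, kind in find_leaks(parse_log(ROUTER_LOG)).items():
        print(f"{fid}: {kind} connection bypassing the tunnel")
```

On the constructed log this reports f1 as a pre-existing connection still bypassing the tunnel and f4 as a new one, while f3 (traffic to the VPN server) and f2 (only seen before activation) are ignored. Against a real router the same logic applies to any flow export that carries a timestamp, source, destination and a stable flow identifier.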
“Data leaves the iOS device outside the VPN tunnel,” Horowitz wrote. “This is not a classic/legacy DNS leak, this is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest iOS version I tested is 15.6.”
Horowitz claims that his findings are backed up by a similar report released in March 2020 by privacy firm Proton, which said an iOS VPN bypass vulnerability was identified in iOS 13.3.
According to Proton, Apple has indicated that it will add a Kill Switch functionality in a future software update that will allow developers to block all existing connections if the VPN tunnel is lost.
However, the added functionality does not appear to have affected the results of Horowitz's tests, which were performed in May 2022 on iPadOS 15.4.1 using Proton's VPN client, and the researcher says any suggestions for preventing data leaks are "off base."
Horowitz recently continued his tests with iOS 15.5 installed and the VPN turned on using OpenVPN and the WireGuard protocol, but his iPad continued to make requests to both Apple and Amazon Web Services outside the encrypted tunnel.
As Ars Technica noted earlier, Proton suggests a workaround: activate the VPN, then turn Airplane mode on and off to force all network connections to be re-established through the VPN tunnel.
However, Proton admits that this is not guaranteed to work, while Horowitz says that Airplane mode is not in itself reliable and should not be relied upon as a solution to the problem. We've reached out to Apple for comment on the research and will update this post if we hear back.