People using a VPN on iPhones and iPads are not be as secure as they think. Security expert Michael Horowitz as well as several VPN providers have revealed issues that affect the integrity of iOS going back for years. It could very well be that VPNs are broken on iOS, ever since iOS 13 and maybe even before.
How VPNs Work
Before we get into the details of these claims, let’s very quickly go over how VPNs work. If you already know, you can skip this bit to get to the juicy part, but if you’re new to VPNs, you may want to take the time.
When you connect to the internet, you’re sending information from your computer—let’s assume WiFi for the sake of argument—to a server run by your internet service provider (ISP). From there, you connect to the site you want, in this case, our website’s server. In this scenario, your ISP knows which site you connected to, and the site knows your IP address and thus where you connected from.
In short, a VPN reroutes your connection. From your ISP’s server, it goes to a server run by your VPN, and from there to the site you want. This makes it so the site you connected to can no longer track you back, when it tries to find out where you’re connected from, all it gets back is the IP address of the VPN server.
On top of that, the VPN also encrypts the connection between your computer and the VPN server in what’s called a VPN tunnel. This means that your ISP no longer knows what you’re doing either, as well as making it a lot harder for anybody to find out what you’re doing should they intercept your connection.
VPNs and iOS
However, according to cybersecurity researcher Michael Horowitz—who said “retired computer nerd” would be more accurate in an email to How-To Geek —iOS users aren’t afforded the full force of this protection. As he explains in detail in his blog post, when an iPhone or iPad user engages their VPN while a connection is still active, not all of the data being transferred through the connection will stay in the tunnel.
Horowitz did most of his testing on an iPad, which runs on iPadOS, a slightly different version of iOS which runs iPhones. However, they can be considered identical for the sake of these tests.
In this case, you can think of the VPN connection less like a tunnel and more like a hose. When a VPN does its job, all the water being poured through comes out on the other side. However, with this iOS issue, some of the water is coming out of the hose in transit—hence the use of the word “leak.” These leaks are caused by an issue in iOS and are not due to any problems with the VPNs themselves.
Also, it should be noted what is being leaked is encrypted data, not, as you may expect, IP addresses or other DNS issues. The result is that iOS users that run into this issue probably still can’t be tracked, the VPN is still doing its job in that sense. Since it’s encrypted, the leaked data is also not at particular risk, thankfully. However, that doesn’t mean it’s not a pretty serious flaw.
Dropping the Ball
It’s not just a problem because of technical reasons: As Horowitz himself notes, Proton, developers of ProtonVPN, first pointed it out in March 2020, more than two years ago. When Proton reached out to Apple about this problem back then, the company was told it was “expected.”
As Horowitz found out through further testing, Apple has not fixed it in any iteration of iOS since. When Horowitz reached out to Apple himself, he got more or less the same reply ProtonVPN did and was told things were “working as designed.” This seems odd, especially as the leak is proven beyond a doubt.
Not that Apple did nothing: Apparently, since iOS 14, there’s a switch that iOS developers need to turn on in their code to make this problem go away. However, according to the developers Horowitz spoke to, there’s an issue that it only works with some VPN protocols—the set of rules that determine how VPNs talk to other machines—not all of them. Some of the more popular protocols apparently won’t work with this flag, including OpenVPN and WireGuard.
Possible Fixes for Leaking iOS VPNs
However, for the short term, there seems to be another fix, which was discovered by VPN provider Mullvad a few years ago. It involves connecting to the VPN as normal, then enabling airplane mode, turning off Wi-Fi and then disabling airplane mode again. Horowitz, for his part, claims it doesn’t always work, however, so you may not want to risk it.
Another option is to use a VPN that will kill any open connections on startup. The only one that seems to be able to do that now is Windscribe—you need to check “Kill TCP sockets after connection” in settings—but we have no doubt others will follow now that the word is out.
For now, though, the only thing you can do is, as Horowitz recommends, connect your Apple mobile devices through a VPN router. This way, your whole network is using the VPN at the same time, and thus the separate iPhones and iPads can’t leak anymore . Note, though, that if you do this you may want to disable mobile data so you can’t fall back on that should your router fail, for whatever reason.
All this is pretty bad, but this may not be the end of it. Horowitz is expecting even more iOS issues to arise from further testing. For one, there’s an issue that was flagged by security researcher Matt Volante in 2018 and again by tracking protection app Disconnect in 2022. In these cases, it appears developers can choose to have their iOS apps circumvent the VPN tunnel.
If this is the case, this is a huge deal for all iPhone users, but especially those in countries where the internet is censored. As Disconnect points out, most Russian apps have to be approved by the Russian government, meaning that there’s a good chance those apps will make use of this loophole.
Did Apple Break VPNs?
Right now, the only thing that seems clear is that we’ve only discovered the first few feet of the rabbit hole. Apple seems to have made a bit of a mess of VPN security, which we guess can happen, but doesn’t seem to have assigned particularly high priority to fixing these problems. At the time of writing, we don’t know if this issue still exists in the just-released iOS 16, but considering Apple’s lack of a reaction so far, we’re not holding our breath that it was fixed.
While you could argue that there’s no real problem because users’ data is not at risk, it does feel a little sloppy, especially coming from a company like Apple, which likes to proclaim how security and privacy conscious it is. Though it’s up to individual consumers to decide how this will affect their relationship with the company, it does feel like Apple has dropped a ball and not picked it up here.