A security researcher back in August found a significant flaw in iOS VPN apps, and a second researcher has now demonstrated another major issue.
The first problem was that opening a VPN app should close all existing connections, but didn’t. The second is that many Apple apps send private data outside the VPN tunnel, including Health (above) and Wallet …
How iOS VPN apps (are supposed to) work
Normally, when you connect to a website or other server, your data is first sent to your ISP or mobile data carrier. They then forward it to the remote server. That means that your ISP can see who you are and which sites and services you are accessing – and also puts you at risk from fake Wi-Fi hotspots.
A VPN instead sends your data in encrypted form to a secure server. Your data is protected from an ISP, carrier, or hotspot operator. All they can see is that you are using a VPN. The usual analogy is it’s like using a secret tunnel from your device to the VPN server.
Similarly, the websites and servers you are accessing don’t get access to your IP address, location, or other identifying data – your traffic appears instead to be originating from the VPN server.
Flaw 1: Failing to close existing connections
As soon as you activate a VPN app, it should immediately close down all existing (non-secure) data connections, and then reopen them inside the secure “tunnel.” This is an absolutely standard feature of any VPN service.
However, Michael Horowitz found that not only did this not reliably happen, but that iOS doesn’t allow VPN apps to close all existing non-secure connections.
Flaw 2: Many Apple apps are excluded
Developer and security researcher Tommy Mysk read our coverage and was intrigued.
He ran his own tests, looking at which IP addresses were being accessed when a VPN was active, and found that many stock Apple apps ignored the VPN tunnel and instead communicated directly with Apple servers.
We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. Worse, it leaks DNS requests. #Apple services that escape the VPN connection include Health, Maps, Wallet.
This means that all the data sent to and from these servers is at risk from snooping by ISPs or hackers operating man-in-the-middle attacks, using easy-to-create fake Wi-Fi hotspots.
The apps that leaked data were:
- Apple Store
- Find My
Clearly most or all of the data handled by these apps could include extremely private information, ranging from health conditions to payment cards.
You can watch his test with Wireshark capturing the IP addresses accessed by the iPhone:
Mysk found that Android behaves in the same way with Google services.
I know what you’re asking yourself and the answer is YES. Android communicates with Google services outside an active VPN connection, even with the options “Always-on” and “Block Connections without VPN.” I used a Pixel phone running Android 13.
I asked Mysk whether he thought both companies were doing this intentionally, perhaps to prevent an app from redirecting traffic, or for performance reasons?
Yes, I think it is intentional. But the amount of traffic we saw was much more than expected. There are services on the iPhone that require frequent contact with Apple servers, such as Find My and Push Notifications. However, I don’t see an issue of tunneling this traffic in the VPN connection. The traffic is encrypted anyways.
If Apple has security concerns about VPN apps, he says that is easily addressable.
I think VPN apps should be treated as browsers and require a special approval and entitlement from Apple.
Performance – that is, Apple concerned about a VPN service slowing traffic – does not appear to be an issue, as push notifications use the VPN tunnel.
During the times of iOS 14 we carried out a similar experiment and found out that Push Notifications bypassed the VPN. It is no longer the case in iOS 16.
FTC: We use income earning auto affiliate links. More.
Check out 9to5Mac on YouTube for more Apple news: