iOS VPN apps are broken, says security researcher

A well-known security researcher says that iOS VPN apps (virtual private networks) are broken, due to a flaw that he claims Apple has known about for at least two and a half years.

This backs a previous report by ProtonVPN that a VPN vulnerability has been present on iOS devices since at least iOS 13.3.1, and that there is no 100% reliable way of ensuring that your data is being sent via the VPN.

Michael Horowitz’s actual words are a little blunter than our headline. His blog post about the issue is titled “VPNs on iOS are a scam.”

How VPNs (are supposed to) work
Normally, when you connect to a website or other server, your data is first sent to your ISP or mobile data carrier. They then forward it to the remote server. That means that your ISP can see who you are and which sites and services you are accessing.

When using public Wi-Fi hotspots, you’re also at risk from what are known as man-in-the-middle (MITM) attacks. This is when a bad actor creates a Wi-Fi hotspot that mimics a genuine one, but which routes all traffic through their system first, letting them log all of your data. This is easy to do, and can be as simple as plugging a power-brick-size device into a coffee shop power outlet.

A VPN instead sends your data in encrypted form to a secure server. Your data is protected from an ISP, carrier, or hotspot operator. All they can see is that you are using a VPN. The usual analogy is it’s like using a secret tunnel from your device to the VPN server.

Similarly, the websites and servers you are accessing don’t get access to your IP address, location, or other identifying data – your traffic appears instead to be originating from the VPN server.

Why iOS VPN apps are broken
As soon as you activate a VPN app, it should immediately close down all existing (non-secure) data connections, and then reopen them inside the secure “tunnel.” This is an absolutely standard feature of any VPN service.

The problem, says Horowitz, is that iOS doesn’t allow VPN apps to close all existing non-secure connections.

This is a big deal because existing insecure connections can last for several minutes at a time, meaning that if you switch on your VPN in order to do something confidential, the first things you do may not be protected.

It gets worse in the case of Apple’s push notifications, as those connections can remain open for hours, not minutes.

Later in the year, the company added an update to say that Apple still hadn’t fixed the problem, but was providing app developers with the ability to add a manual “kill switch” feature, which would close all data connections on request. The company said it would be adding this, but then ceased updating the post in October 2020.

Horowitz’s lengthy post describes how he identified the problem as an iOS one, by using multiple devices and multiple VPN apps. He also said that when he notified Apple, the company initially engaged with him, but later went silent.

Is there a workaround?
Proton suggested switching on Airplane Mode, then switching it off, but says it cannot guarantee this will work. Horowitz tested it and found that it used to work, back on iOS 12.5.5, but does not do so in iOS 15.

I would expect that rebooting the phone would work, but Horowitz doesn’t appear to have specifically tested this.

He instead says that for now the only option is to connect to a secure router, with built-in VPN – but this doesn’t help with mobile connections, which is when you’re most likely to need a VPN.

We’ve reached out to Apple, and will update with any response. 9To5Mac