Security researcher Michael Horowitz reported issues with the iOS VPN implementation that allow some data to be sent over an unsecured connection even when a VPN is enabled and running.
As soon as you activate a VPN app, it should immediately close down all existing (non-secure) data connections, and then re-open them inside the secure ‘tunnel.’ This is an absolutely standard feature of any VPN service.
The problem, says Horowitz, is that iOS doesn’t allow VPN apps to close all existing non-secure connections.
9to5Mac
A possible workaround is to use Airplane mode to disconnect all existing connections. This workaround worked in previous iOS versions but seems not to work in iOS 15.
Apple reported that since 2019 there has been a way of fixing this issue: the includeAllNetworks property.
var includeAllNetworks: Bool { get set }
There is a report, though, that Proton found it was only partially effective. Insecure connections to some Apple services are still made even when this option is turned on.
Michael Horowitz: VPNs on iOS are a scam
References:
- iOS VPN apps are broken, says security researcher, and Apple has known for years
- VPNs for iOS Are Broken and Apple Knows It, Says Security Researcher
- iOS VPNs Are Broken
- iPhone VPN app security debate continues, as Apple says it’s fixed, and ProtonVPN says not
Recommendations
Developer:
Beware of VPN behavior. Protect communications even if VPN is expected.
QA engineer:
Check application behavior when VPN is started or stopped.
PM/DM:
Business as usual.
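One way to carry out the QA check above, as an added example that is not from the original post or from the researchers it cites: a Python script that reads flow records captured at the router for the test device and flags connections to anything other than the VPN server that are still active after the tunnel came up. The record format, sample values, grace period and function names are assumptions made for illustration.

```python
"""Added example: flag traffic that bypasses the VPN in router flow records."""
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample: one WAN-side flow per line for the test device.
# Fields: first_seen last_seen dst_ip dst_port bytes (times in seconds).
SAMPLE_FLOWS = """\
# first last dst port bytes
10 95 203.0.113.10 443 52000
40 300 198.51.100.7 51820 900000
12 38 203.0.113.25 443 4100
120 180 203.0.113.40 5223 7300
"""

@dataclass(frozen=True)
class Flow:
    first_seen: float
    last_seen: float
    dst: str
    port: int
    nbytes: int

def parse_flows(text):
    """Parse whitespace-separated flow records, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first, last, dst, port, nbytes = line.split()
        ip_address(dst)  # raises ValueError on a malformed address
        flows.append(Flow(float(first), float(last), dst, int(port), int(nbytes)))
    return flows

def find_leaks(flows, vpn_server, vpn_up_at, grace=5.0):
    """Return (kind, flow) for flows outside the tunnel after the VPN came up.

    kind is "survived" for a connection opened before activation that is
    still active afterwards, and "new" for one opened after activation.
    """
    leaks = []
    for f in flows:
        if ip_address(f.dst) == ip_address(vpn_server):
            continue  # the tunnel itself
        if f.last_seen <= vpn_up_at + grace:
            continue  # closed by the time the VPN was up: expected
        kind = "survived" if f.first_seen < vpn_up_at else "new"
        leaks.append((kind, f))
    return leaks
```

With the constructed sample and the VPN activated at t=40, the flow to 203.0.113.10 is reported as "survived" and the flow to 203.0.113.40 as "new"; an empty result is the pass condition for the test run.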