Security researcher Michael Horowitz reported issues with the iOS VPN implementation that allow some data to be sent over an unsecured connection even when a VPN is enabled and running.

As soon as you activate a VPN app, it should immediately close down all existing (non-secure) data connections, and then re-open them inside the secure ‘tunnel.’ This is an absolutely standard feature of any VPN service.

The problem, says Horowitz, is that iOS doesn’t allow VPN apps to close all existing non-secure connections.

9to5Mac

A possible workaround is to use Airplane Mode to disconnect all existing connections. This workaround worked in previous iOS versions but seems not to work in iOS 15.

Apple reported that since 2019 there has been a way of fixing this issue: the includeAllNetworks property.

var includeAllNetworks: Bool { get set }

There is a report, though, that Proton found it to be only partially effective. Insecure connections to some Apple services are still made even when this option is turned on.

References:

Michael Horowitz: VPNs on iOS are a scam

Recommendations

Developer:

Beware of VPN behavior. Protect communications even if a VPN is expected.

QA engineer:

Check application behavior when a VPN is started or stopped.
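
One way to run this check, as an added example that is not from the original post: capture traffic on the physical network (for instance at the router) and flag every flow that still leaves outside the tunnel after the VPN connects. The record layout, addresses, ports and timestamps are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float    # seconds since capture start
    sport: int   # device-side source port
    dst: str     # destination IP as seen on the physical network
    dport: int
    proto: str

def find_leaks(packets, vpn_endpoint, tunnel_up_ts):
    """Map each flow seen outside the tunnel after tunnel-up to its kind.

    "pre-existing": the flow was already open before the VPN connected and
    kept sending afterwards (the behaviour the article describes).
    "new": the flow was opened after the VPN connected but bypassed it.
    """
    first_seen, leaks = {}, {}
    for p in sorted(packets, key=lambda p: p.ts):
        flow = (p.sport, p.dst, p.dport, p.proto)
        first_seen.setdefault(flow, p.ts)
        if p.ts < tunnel_up_ts:
            continue  # VPN not connected yet, nothing to judge
        if (p.dst, p.dport, p.proto) == vpn_endpoint:
            continue  # encrypted tunnel traffic is expected here
        leaks[flow] = "pre-existing" if first_seen[flow] < tunnel_up_ts else "new"
    return leaks

# Constructed sample capture (documentation IP ranges, made-up ports/times).
VPN_ENDPOINT = ("203.0.113.10", 51820, "udp")
TUNNEL_UP_TS = 10.0
SAMPLE = [
    Packet(2.0, 50001, "198.51.100.7", 443, "tcp"),     # opened before VPN
    Packet(3.0, 50002, "192.0.2.44", 443, "tcp"),       # seen only before VPN
    Packet(10.2, 50100, "203.0.113.10", 51820, "udp"),  # the tunnel itself
    Packet(12.5, 50001, "198.51.100.7", 443, "tcp"),    # same flow, still outside
    Packet(15.0, 50200, "192.0.2.99", 443, "tcp"),      # new flow outside tunnel
]

if __name__ == "__main__":
    for flow, kind in find_leaks(SAMPLE, VPN_ENDPOINT, TUNNEL_UP_TS).items():
        print(kind, flow)
```

An empty result means nothing left the device outside the tunnel during the capture window; repeat the capture across VPN start and stop to cover both transitions.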

PM/DM:

Business as usual.
