According to various investigations, using a virtual private network (or VPN for short) on iOS devices caused a data breach that Apple has been aware of since at least 2020 but has not yet fixed.
A VPN is a technology that reroutes a device’s Internet traffic through a secure tunnel while encrypting your data and hiding its IP address. Among other benefits, users frequently use this alternative to safeguard their privacy from potential cyberattacks.
These VPNs’ dependability on iOS is in doubt. On its website, the investigator Michael Horowitz has made sure that the usage of these capabilities in the iPhone operating system is “within” a report.
At first, according to Horowitz, “they seem to operate well.” This suggests that a new IP address and DNS server are assigned to the iOS device. The user’s data then makes its way to the VPN server.
Yet, according to one researcher, “a comprehensive inspection” reveals leaks in the VPN’s encrypted tunnel. This is because the sessions and connections made on the device before the VPN was activated are still active and can still transmit data.
Horowitz stated that he has “several types of VPNs and software from numerous VPN providers” to support his assertion that there is a “data leak.”
The researcher made note of the fact that iOS 15.6 is the most recent version in which he examined a VPN’s dependability. In addition, he remembered that ProtonVPN had issued a warning regarding the similar data loss in March 2020.
According to its site, ProtonVPN discovered this breach in iOS version 13.3.1 at the time. Similar to Horowitz, the company emphasized that VPNs were unable to shut off previously launched sessions and then reopen them inside of their secure tunnel.
However, others, like Apple’s push notification service, could continue to transfer data “for minutes or hours” outside the VPN tunnel. The firm stated that the majority of sessions and connections “were re-established presumably within the VPN tunnel.”
Apple doesn’t offer solutions for end users.
Prior to making its findings public, ProtonVPN approached Apple with its concerns but received no response. Horowitz, for his part, notified the business at the end of May without receiving a response.
Later, the investigator made another attempt to speak with Apple, who admitted being aware of the issue on August 19.
The Cupertino-based tech company reminded Horowitz that the Mobile Device Management (MDM) option called “Always on VPN” enables an organization’s IT staff to mandate that all data on iOS devices remain on the corporate network. The end user cannot access MDM, though.
Apple also notes the iOS 14-introduced API option in their response. In this instance, only developers are permitted to utilize it, and end users are not included.