Most iOS VPNs Leak Data


In a worrying development, multiple security-interested researchers have suggested that most VPNs on iOS leak data, because connections set up before the VPN tunnel is started are not terminated and re-established through it.

The problem was made public in March 2020 and reported to Apple over two years ago. At the time of writing (August 2022), no fix for the issue has been released by Apple. Apple declined to comment on the issue when contacted by IT news site The Register.

There are two known workarounds. The first appears to be to connect to the VPN, turn Airplane mode on, wait, and then turn it off again. 

The second is to use Apple's Always-on-VPN feature, though this is extremely fiddly to set up if you don't have mobile device management tools. 
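One way to check whether a device is affected, or whether a workaround has taken effect, is to capture its traffic on the local gateway and look for packets that bypass the VPN server after the tunnel is up. The following is an added example, not code from the researchers or from Apple; the record format, addresses and function names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float    # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int

def find_leaks(packets, device_ip, vpn_server_ip, tunnel_up_ts):
    """Summarise traffic the device sent outside the tunnel after it came up.

    Keyed by connection (sport, dst, dport). 'pre_existing' is True when the
    same connection was already seen before tunnel_up_ts, i.e. it was never
    torn down and re-established through the VPN.
    """
    first_seen, leaks = {}, {}
    for p in sorted(packets, key=lambda p: p.ts):
        # Skip other hosts and the encapsulated VPN traffic itself.
        if p.src != device_ip or p.dst == vpn_server_ip:
            continue
        conn = (p.sport, p.dst, p.dport)
        first_seen.setdefault(conn, p.ts)
        if p.ts < tunnel_up_ts:
            continue
        entry = leaks.setdefault(
            conn, {"packets": 0, "pre_existing": first_seen[conn] < tunnel_up_ts})
        entry["packets"] += 1
        entry["last_ts"] = p.ts
    return leaks

# Constructed sample capture (documentation address ranges), tunnel up at t=10s.
DEVICE, VPN_SERVER, TUNNEL_UP = "192.168.1.20", "203.0.113.10", 10.0
SAMPLE = [
    Packet(2.0, DEVICE, 50001, "198.51.100.5", 443),   # closed before tunnel
    Packet(5.0, DEVICE, 50002, "198.51.100.7", 443),   # opened before tunnel
    Packet(10.5, DEVICE, 4500, VPN_SERVER, 4500),      # tunnel traffic
    Packet(12.0, DEVICE, 50002, "198.51.100.7", 443),  # same connection, outside tunnel
    Packet(15.0, "192.168.1.33", 51000, "198.51.100.9", 443),  # another host
    Packet(30.0, DEVICE, 50002, "198.51.100.7", 443),  # still outside tunnel
]

if __name__ == "__main__":
    for conn, info in find_leaks(SAMPLE, DEVICE, VPN_SERVER, TUNNEL_UP).items():
        print(conn, info)
```

An empty result after applying a workaround means no packets from the device bypassed the VPN server during the capture window.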

The fault is serious for two reasons: 

Firstly, Apple users who rely on VPNs have been given a false sense of security. Many iPhone and iPad users will quite reasonably assume that their traffic is being routed via their VPN when they are connected to a VPN.

Secondly, Apple has had over two years to fix the problem, yet has chosen not to do so.

Problem, What Problem?

A few exceptions aside, VPN technology providers have kept quiet about iOS's VPN problem.

A major reason is that it is commercial suicide for VPN providers in western markets not to support the 45% of potential users who have Apple devices.

VPN providers can't really be expected to tell almost half their potential users that their security has been reduced by a flaw Apple is unwilling to fix or even acknowledge.

Apple famously said in its developer guidelines: "If you run to the press and trash us, it never helps [you get your app approved]." Most VPN technology providers have decided their best course of action is to say nothing in public about Apple's security flaws.

It may be some time until the mainstream press picks up on the VPN problem and embarrasses Apple into fixing it.

Better Than Nothing

Standard VPNs on iOS still have value, even if users don't have Always-on-VPN set up. That's because VPNs encrypt a lot of traffic sent to and from the device, even if not all the traffic.

Much of the traffic that leaks outside the VPN will already be encrypted.

There's a risk of Adversary-in-the-Middle attacks and unauthorised monitoring, but at least that only applies to a small portion of traffic.

Protect Your Hybrid Workers' Traffic

If you'd like to increase the protection of your employees' data streams, hSo's SSL VPNs can help.
