VPNs made by 3rd party companies for iPhone and iPad constantly fail to securely route network traffic and according to Michael Horowitz, Apple has known about this for years.
Michael Horowitz has written extensively about VPN software for iOS devices and how they appear to work initially, but after some time, start leaking data.
“What ProtonVPN wrote about is a data leak, rather than a DNS leak. Connections that exist at the time the VPN tunnel is created should be terminated and re-started so that they travel through the VPN tunnel. In iOS 13 and 14, this does not happen, at least not by default.” (Michael Horowitz)
Horowitz says he emailed Apple about this issue multiple times with no resolution in sight. Apple responded to Horowitz with “The behavior you are seeing is expected”, which on its face is a bit scary. Apple then mentioned an API option introduced in iOS 14 and pointed him to developer documentation at developer.apple.com:
- The new option is an on/off flag that indicates whether iOS sends all data through the VPN tunnel or not. So, clearly, iOS 13 and earlier were the Wild Wild West for VPNs. When both ProtonVPN and Mullvad blogged about VPNs leaking, they were referring to iOS version 13.
- The flag is OFF by default. Interesting choice for a company that sells their stuff based on security and privacy.
- If the flag is ON and the VPN connection dies, iOS drops all network traffic. A built-in kill switch. Sounds great.
Apple suggested Horowitz ask his VPN providers whether they are using this flag. The flag is documented in the section on NEVPNProtocol, which Apple describes as holding the settings common to both IKEv2 and IPsec VPN configurations. For some additional perspective, this is what ProtonVPN wrote about iOS 14 in October 2020:
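To make the flag concrete, here is an added example (not code from the article, from Horowitz, or from any VPN vendor) of a personal IKEv2 configuration that opts into it. The property is `includeAllNetworks` on `NEVPNProtocol`, the name Apple's NetworkExtension documentation uses for the iOS 14 option described above; the server address, identifier and the `clientIdentityRef` keychain reference are placeholders a real app would supply.

```swift
import NetworkExtension

/// Install a full-tunnel IKEv2 profile. `clientIdentityRef` is a persistent
/// keychain reference to the client certificate identity (caller-supplied).
func installFullTunnelVPN(clientIdentityRef: Data,
                          completion: @escaping (Error?) -> Void) {
    let manager = NEVPNManager.shared()
    manager.loadFromPreferences { loadError in
        if let loadError = loadError { completion(loadError); return }

        let proto = NEVPNProtocolIKEv2()
        proto.serverAddress = "vpn.example.com"      // placeholder
        proto.remoteIdentifier = "vpn.example.com"   // placeholder
        proto.authenticationMethod = .certificate
        proto.identityReference = clientIdentityRef
        proto.useExtendedAuthentication = false

        // Default (false): connections that already exist when the tunnel
        // comes up may keep using the untunneled path, the leak Horowitz
        // and ProtonVPN describe.
        // true: all traffic is routed through the tunnel, and if the tunnel
        // goes down iOS drops traffic instead of sending it in the clear.
        // Caveat from the article: ProtonVPN still saw some DNS queries from
        // Apple services bypass the tunnel even with this enabled.
        if #available(iOS 14.0, *) {
            proto.includeAllNetworks = true
            proto.excludeLocalNetworks = false  // keep LAN traffic tunneled too
        }

        manager.protocolConfiguration = proto
        manager.localizedDescription = "Example full-tunnel VPN"
        manager.isEnabled = true
        manager.saveToPreferences(completionHandler: completion)
    }
}
```

The `#available` guard matters because on iOS 13 and earlier the property does not exist, so a device running those versions gets the old, leaky default no matter what the app asks for.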
“Although Apple has not fixed the VPN bypass problem directly on iOS 14…” (ProtonVPN)
So Apple says this issue was fixed in iOS 14, while Proton says it was not. Proton then went on to say that iOS 14 has a ‘Kill Switch’, but did not provide details. At the time, ProtonVPN expected that the ‘Kill Switch’ would block existing connections when a VPN was enabled.
“Recent testing has shown that while the kill switch capability Apple provided to developers with iOS 14 does in fact block additional network traffic, certain DNS queries from Apple services can still be sent from outside the VPN connection.” (ProtonVPN)
“Most of these connections are short-lived and eventually are re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel,” ProtonVPN says. “But if you use Proton VPN while connected to public WiFi, your sensitive traffic still cannot be monitored.”
Proton says that they have “raised this issue with Apple multiple times. Unfortunately, its fixes have been problematic.” Apple has stated that its own traffic being VPN-exempt is “expected”, and that “Always On VPN is only available on supervised devices enrolled in a mobile device management (MDM) solution”. Proton says they are publicly calling on Apple to make a “fully secure online experience accessible to everyone, not just those who enroll in a proprietary remote device management framework designed for enterprises.”