If you look at a business person’s iPhone, you’ll see a little VPN icon in its status bar. A VPN is a Virtual Private Network, like a secure pipe that protects your data as it travels. This tunnel may secure a connection to a corporate network, hide the content and destination of web traffic and messages for dissidents in hostile regimes, or just be a way to get American Netflix from outside the US. But security researcher Michael Horowitz has discovered that on iOS, these VPN pipes leak like the water pipes in a cheap New York hotel.

“A VPN encrypts the traffic between any iOS device and the internet, and it also hides your device’s IP address, making you invisible to the websites you visit,” Hamza Hayat Khan of Ivacy VPN told Lifewire via email. “An operating system is supposed to close all existing internet connections and then establish them again through the secured VPN tunnel. That’s how all the traffic would pass without being seen. But in the case of iOS, it doesn’t end and restart all the existing connections.”

VPNs Are Broken

The idea of a VPN is that it routes 100% of your internet connections, encrypting them and obscuring them from any observers. They not only hide the actual data being sent and received, but they can also hide your location. Nobody can see anything along the way. Not your ISP, nobody.

That’s what makes them ideal for keeping corporate data safe when accessed by remote workers and for staying safe if you are worried about your government harming you.

The important part here is the ‘100%’ part. VPNs are only useful if they route everything. Otherwise, why bother?

“VPNs on iOS are broken. At first, they appear to work fine,” Horowitz writes in his blog post. “But, over time, a detailed inspection of data leaving the iOS device shows that the VPN tunnel leaks. Data leaves the iOS device outside of the VPN tunnel.”

The problem isn’t limited to one vendor or service. Horowitz tested this on multiple services and found the same problem. The leak is in iOS itself, and it’s not new. Proton VPN first reported the leak in March 2020. In answer to Proton’s concerns, Apple added a “kill switch” that is supposed to block any internet traffic outside the VPN. This, says Proton, kind of works but still allows some data to leak.
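One way to run the kind of inspection described above, as an added example that is not from the article, Horowitz, or Proton: classify flow records logged by a router upstream of the phone, separating connections that predate the tunnel from new flows opened beside it. The log format, all addresses, and the `find_leaks` function are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import namedtuple

# Constructed sample: flow records as a router upstream of the phone might
# log them. Times are seconds; every address here is a placeholder.
SAMPLE_FLOWS = """\
start,end,src,dst,proto,dport
100,900,192.168.1.50,198.51.100.20,tcp,443
480,2000,192.168.1.50,203.0.113.10,udp,51820
700,701,192.168.1.50,192.0.2.53,udp,53
650,660,192.168.1.50,192.168.1.1,udp,67
300,400,192.168.1.50,198.51.100.30,tcp,443
120,950,192.168.1.77,198.51.100.20,tcp,443
"""

Finding = namedtuple("Finding", "kind dst proto dport")

def find_leaks(flow_csv, device_ip, vpn_server_ip, tunnel_up_at, lan="192.168.1.0/24"):
    """Return the device's flows that were active outside the tunnel after it came up."""
    lan_net = ipaddress.ip_network(lan)
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["src"] != device_ip:
            continue  # another host on the network
        if row["dst"] == vpn_server_ip:
            continue  # the encrypted tunnel itself
        if ipaddress.ip_address(row["dst"]) in lan_net:
            continue  # local traffic (DHCP, gateway) is never tunnelled
        start, end = int(row["start"]), int(row["end"])
        if end <= tunnel_up_at:
            continue  # finished before the VPN connected
        if start < tunnel_up_at:
            kind = "pre-existing connection kept alive outside tunnel"
        else:
            kind = "new flow opened outside tunnel"
        findings.append(Finding(kind, row["dst"], row["proto"], int(row["dport"])))
    return findings

if __name__ == "__main__":
    for f in find_leaks(SAMPLE_FLOWS, "192.168.1.50", "203.0.113.10", tunnel_up_at=500):
        print(f"{f.kind}: {f.dst} {f.proto}/{f.dport}")
```

On a correctly tunnelled device the function returns an empty list: the only non-local destination seen upstream is the VPN server.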

Dangers

What does this mean for you, the VPN user? Well, it depends on what you use it for. If all you’re doing is using a VPN to stream video from another country, then no problem. You have nothing to lose if data leaks, other than Netflix, or whoever, seeing where you really are. If that happens, you just quit the app and reconnect.

Likewise, if you are using the VPN to protect your data in transit when connecting to a corporate network, then you may also be OK. Proton says, “if you use Proton VPN while connected to public WiFi, your sensitive traffic still cannot be monitored.”

The problem here is one of trust. A VPN has one job; if it cannot do that job, how can you trust it? One option is that you might reconsider using an iOS device altogether. According to Proton’s updated blog post, the data that leaks through the kill switch is “DNS queries from Apple services.” That could be enough to pinpoint you on a map using your IP address.

Self Protection

“The only way to protect yourself from these leaks is to not use VPN apps or firewalls on your iOS device,” data scientist Apurv Sibal told Lifewire via email. “iOS users can still use VPN apps to protect themselves from ads and trackers.”

VPNs are always difficult. You really have to vet them well because they are routing everything that leaves and enters your phone/computer. If you choose the wrong one, it could be worse than not using one at all.

“However, it is important to note that not all VPN apps are created equal,” says Sibal. “Some VPN apps may sell your data to third parties or may not encrypt your traffic, which could put your privacy at risk. When choosing a VPN app, be sure to do your research and select an app from a reputable provider.”