Many people use a VPN to bolster their online security. The expectation is that all internet traffic gets encrypted through the VPN. Unfortunately, a recent report says a long-time bug in iOS means your VPN isn’t nearly as secure as you think. Worse yet, Apple’s known about the issue for years and hasn’t addressed it.
How a VPN Should Work
Whenever you connect your device to a VPN, be it your MacBook or your iPhone, all of your traffic should be encrypted through the VPN tunnel. Any of your existing network connections should be closed, then re-opened through the VPN.
This is done to make sure all your network traffic is encrypted. While there are other uses for a VPN, such as making websites think you’re in a different place than you really are, the original purpose of VPN tunnels was security.
To reiterate, here’s what is supposed to happen when you connect your iPhone or iPad to a VPN service. Every network connection from your device should get routed through the VPN tunnel. This makes sure all of your incoming and outgoing data is encrypted and nobody can intercept and decipher it.
Bug Within iOS Causes VPN Tunnels to ‘Leak,’ Meaning They Aren’t Secure
In March 2020, ProtonVPN discovered a bug in iOS 13.3.1. Because of this bug, the device didn’t close and re-open all of its existing connections after connecting with a VPN. This means users would, without even realizing it, continue transmitting data over the same insecure connection they were using before turning on the VPN.
You read that right. ProtonVPN discovered the bug in 2020, and disclosed it to Apple and, eventually, the public. At the time, ProtonVPN explained the problem with iOS not terminating all existing internet connections.
Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel.
One example of these persistent connections is something we all know, have a love/hate relationship with, but rely upon to keep up with what’s going on in our email and other communications. That’s right, Apple’s push notifications are an example of a process that fails to close its existing connection and re-open it through the VPN tunnel.
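The leak described above can be checked for directly: take a snapshot of the device’s established connections before turning the VPN on, take another after, and flag anything that is still open but not bound to the tunnel address. The following Python script is an added example and not code from the article, ProtonVPN or Horowitz. The snapshots, the physical address 192.168.1.20 and the tunnel address 10.8.0.2 are all constructed; on a Mac you would take the snapshots from a tool such as netstat, and for an iPhone from the connection-tracking table of the router it is behind.

```python
# Added example: audit a connection table for sockets that survived a VPN
# connect without being re-opened through the tunnel (the iOS behaviour the
# article describes). All addresses and snapshots below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    proto: str
    laddr: str
    lport: int
    raddr: str
    rport: int
    state: str


def parse_snapshot(text: str) -> set[Conn]:
    """Parse lines of the form: proto local_ip:port remote_ip:port STATE."""
    conns = set()
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip headers or blank lines
        proto, local, remote, state = parts
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        conns.add(Conn(proto, lip, int(lport), rip, int(rport), state))
    return conns


def find_leaks(before: set[Conn], after: set[Conn], tunnel_addr: str) -> list[tuple[str, Conn]]:
    """Return (kind, conn) for every post-VPN connection not using the tunnel.

    'survived': the socket already existed before the VPN came up and was
                never torn down and re-established through the tunnel.
    'bypass':   the socket was opened after the VPN came up yet still uses
                the physical interface address.
    Loopback sockets never leave the device and are ignored.
    """
    leaks = []
    for c in sorted(after, key=lambda c: (c.laddr, c.lport)):
        if c.laddr == tunnel_addr or c.laddr.startswith("127.") or c.laddr == "::1":
            continue
        kind = "survived" if c in before else "bypass"
        leaks.append((kind, c))
    return leaks


# Constructed snapshots: a long-lived push-style connection (port 5223) and a
# short-lived web connection, before and after the tunnel (10.8.0.2) comes up.
BEFORE_VPN = """
tcp 192.168.1.20:51234 203.0.113.10:5223 ESTABLISHED
tcp 192.168.1.20:51240 203.0.113.50:443 ESTABLISHED
"""
AFTER_VPN = """
tcp 192.168.1.20:51234 203.0.113.10:5223 ESTABLISHED
tcp 10.8.0.2:49152 203.0.113.50:443 ESTABLISHED
tcp 10.8.0.2:49153 203.0.113.60:443 ESTABLISHED
"""
TUNNEL_ADDR = "10.8.0.2"  # constructed tunnel address


def audit() -> list[tuple[str, Conn]]:
    """Run the leak check over the constructed snapshots."""
    return find_leaks(parse_snapshot(BEFORE_VPN), parse_snapshot(AFTER_VPN), TUNNEL_ADDR)


if __name__ == "__main__":
    for kind, c in audit():
        print(f"{kind:8} {c.proto} {c.laddr}:{c.lport} -> {c.raddr}:{c.rport} ({c.state})")
```

In the constructed data the web connection was re-opened through the tunnel and is silent, while the push-style socket on port 5223 is reported as `survived` because it is bound to the physical address in both snapshots. Repeating the check after the Airplane Mode toggle that ProtonVPN suggested shows whether that workaround actually tore the connection down.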
A Workaround, but Still No Fix
Apple acknowledged the issue in 2020, and said it was looking into ways to fully mitigate it. VPN apps can’t help, because iOS and iPadOS don’t allow third-party apps to kill existing network connections.
In the meantime, Apple suggested using Always-on VPN to mitigate the problem. That doesn’t work for third-party VPN apps, though, and it requires using a device management tool.
To help its users, ProtonVPN recommended turning Airplane Mode on, then back off, after connecting to its VPN service. At the same time, ProtonVPN noted this workaround may not be 100% effective at closing and re-opening connections through the VPN.
Fast-forward to the present, and Apple still hasn’t fixed the bug. ProtonVPN stopped making any noise about it after offering its workaround, but independent computer consultant and blogger Michael Horowitz has taken up the issue.
Horowitz describes, in a 7,500-word blog entry, his own testing of the bug. With plenty of illustrations and examples, he demonstrates that even in iOS 15.6 the VPN bug persists. Horowitz also explains his failed attempts to talk to Apple and even the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about the issue.
He’s gotten nowhere so far. According to Horowitz, “the VPN still leaks on iOS version 15.6.” His recommendation is to bypass using VPN software on your iOS device altogether, instead using VPN client software within a router.
At this point, I see no reason to trust any VPN on iOS. My suggestion would be to make the VPN connection using VPN client software in a router, rather than on an iOS device.
I am not a fan of making a VPN connection on your only router, but suggest having a second router dedicated to VPN connections. When you need a VPN, connect to the second router (Wi-Fi or Ethernet); when you don’t need a VPN, connect to your main router.
Apple has not commented as of yet on the state of this bug, or if it is still actively exploring ways to solve it.