A prominent security expert and blogger said that iOS VPNs do not secure users’ data inside the VPN tunnel. Data leaks have allegedly occurred in the last two years because Apple knew about this but didn’t take action to fix the bug in the latest iOS versions.
This can come as a shock to users who want to protect their online privacy with one of the best iPhone VPN services. “VPNs on iOS are broken,” said Michael Horowitz in a blog post that has been updated since May 25.
Horowitz says he ran a total of four tests from his iPad, each time changing the iOS version (15.4.1, 15.5, and 15.6), VPN provider (tried with ProtonVPN, OVPN, and Windscribe), VPN protocol (IKEv2, WireGuard, and OpenVPN), and server network.
While the VPNs all appeared to be working at first, a deeper inspection revealed the same disappointing result: The software was breaching the devices’ IP address and other personal data. Horowitz concluded, “The data leaves the iOS device outside the VPN tunnel. This is a data leak, not a classic/legacy DNS leak.” In short, iOS VPNs seem unable to log out existing sessions before establishing a secure connection.
Unfortunately, this vulnerability affecting iOS VPNs is nothing new. Switzerland-based security firm Proton first reported this in 2020, claiming that the data leak started no later than iOS 13.3.
Two years and several iOS updates later, Apple has yet to fix this risky bug.
At the time of his initial report, Proton pointed out a few workarounds to the problem. These include enabling the Always On VPN option (Proton states this may not work with third-party apps), enabling the kill switch in your VPN app, and/or using Airplane Mode to terminate all your current connections.
However, Horowitz says that when he tried them during his tests, neither the kill switch option nor the Airplane Mode method worked. “To date, roughly five weeks later, Apple hasn’t told me almost anything,” he wrote on July 3, adding that it would be really easy for the tech giant to run the same test and investigate the matter: “At this point, trusting any VPN on iOS is I see no reason to. My suggestion would be to make the VPN connection using VPN client software on a router rather than an iOS device.”