It seems Apple has been turning a blind eye to a not-so-small security flaw, which a well-known security researcher has now brought to users' attention. According to this researcher, a specific flaw has left iOS VPN apps broken, and Apple has been aware of it for the past two and a half years. Despite this, the tech giant hasn’t openly acknowledged the issue. The report is corroborated by an earlier report from ProtonVPN, which suggests that a VPN vulnerability has been present on iOS devices since perhaps iOS 13.3.1. The flaw raises serious questions about the safety of data sent through a VPN and the reliability of iOS VPN apps. Read on to learn more.
The What and Why
Ideally, a virtual private network (VPN) adds a layer of protection by sending your data in encrypted form to a secure server. Without one, your data is sent first to your ISP or mobile data carrier whenever you connect to a website or a server. This lets your ISP know who you are and which sites and services you access. On public Wi-Fi hotspots in particular, there is the added risk of man-in-the-middle attacks. This is where the VPN comes in as a shield: it protects your data from the ISP or carrier, and all they can discern is that you are using a VPN. It also ensures that websites and servers have no access to your IP address, location, or similar data that can be used for identification.
A VPN doing its job perfectly is supposed to close all existing data connections and then reopen them inside a secure tunnel. Apparently, iOS VPN apps fall short of this, as the apps are not allowed to shut down the existing connections. According to Michael Horowitz,
“VPNs on iOS are broken. At first, they appear to work fine. The iOS device gets a new public IP address and new DNS servers. Data is sent to the VPN server. But, over time, a detailed inspection of data leaving the iOS devices shows that the VPN tunnel leaks. Data leaves the iOS device outside of the VPN tunnel.”
The issue is alarming because these insecure connections can last for several minutes, during which your data is unprotected. It is worse in the case of Apple's push notifications, where the connections can last for several hours.
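The kind of inspection described above can be approximated from a packet log taken at the router. The following is an added example, not code from the article or the researcher; the addresses, ports and tunnel start time are constructed, and the log format is an assumption.

```python
# Constructed sample: (seconds since capture start, source, destination, dst port)
# as seen on the router. Addresses are from documentation ranges.
VPN_SERVER = "203.0.113.10"   # assumed VPN endpoint
DEVICE = "192.168.1.23"       # assumed LAN address of the iOS device
TUNNEL_UP = 100               # assumed time the VPN app reported "connected"

PACKETS = [
    (10, DEVICE, "198.51.100.5", 5223),    # long-lived connection opened early
    (20, DEVICE, "198.51.100.99", 80),     # finished before the VPN started
    (40, DEVICE, "198.51.100.80", 443),    # opened before the VPN started
    (101, DEVICE, VPN_SERVER, 51820),      # tunnel traffic
    (130, DEVICE, "198.51.100.80", 443),   # still outside the tunnel
    (160, DEVICE, VPN_SERVER, 51820),
    (700, DEVICE, "198.51.100.5", 5223),
    (4000, DEVICE, "198.51.100.5", 5223),  # over an hour later, still outside
]


def find_leaks(packets, device, vpn_server, tunnel_up):
    """Return flows from `device` that bypass the VPN after it came up.

    Once the tunnel is up, the router should see the device talking only
    to the VPN server. Any other destination is traffic outside the tunnel.
    """
    first_seen, last_seen = {}, {}
    for ts, src, dst, port in sorted(packets):
        if src != device:
            continue
        flow = (dst, port)
        first_seen.setdefault(flow, ts)
        last_seen[flow] = ts

    leaks = []
    for (dst, port), last in last_seen.items():
        if dst == vpn_server or last <= tunnel_up:
            continue  # tunnel traffic, or a flow that ended before the VPN
        leaks.append({
            "dst": dst,
            "port": port,
            # True means the connection survived the VPN coming up
            "opened_before_tunnel": first_seen[(dst, port)] < tunnel_up,
            "seconds_outside_tunnel": last - tunnel_up,
        })
    return sorted(leaks, key=lambda l: l["seconds_outside_tunnel"], reverse=True)


if __name__ == "__main__":
    for leak in find_leaks(PACKETS, DEVICE, VPN_SERVER, TUNNEL_UP):
        print(leak)
```
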