Privacy: iOS 16 reportedly leaks data outside the VPN, just like Android 13


Thibaut Keutchayan

October 12, 2022 at 6:20 p.m.


Several cybersecurity researchers are (again) sounding the alarm about the privacy that using a VPN on an iPhone is supposed to provide.

Even if the VPN is active, information is leaking to other servers, and some of it is particularly sensitive.

Privacy and Apple: two different things…

The problem was reportedly raised as far back as version 13.3.1 of iOS, in… March 2020, and since then nothing, or almost nothing, has changed. Despite the recent launch of iOS 16, Canadian cybersecurity researcher Tommy Mysk found that his (updated) iPhone was not communicating only with the server assigned by his VPN, even though the VPN was enabled. In a video available on his Twitter account, the cybersecurity researcher illustrates in 20 seconds how problematic this flaw is.

Normally, the VPN connection as established by Mysk should cut off all communications in progress with servers other than the one assigned by his provider, here ProtonVPN. However, this is not the case: after about 30 seconds of video, Mysk notes that several applications are communicating through another server, different from the one assigned by ProtonVPN.

However, the fault does not lie with the provider of the VPN solution, but with Apple. Another cybersecurity researcher quoted by 9to5Mac, Michael Horowitz, found that Apple does not allow VPN applications to cut off connections in progress while the server assignment is made. Yet this is the very essence of how a VPN works. Normally, the VPN must then reopen these same connections in an encrypted tunnel so that the information they carry is not, for example, known to your Internet service provider or a hacker.
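One way to check for the behaviour described above from the network side, as an added example that is not from the article or the researchers: classify flow records captured upstream of the phone (for example on the router) against the moment the tunnel came up. The `Flow` record, the function names, the addresses and the 10-second tunnel start are constructed assumptions, and the split between connections that survived the tunnel start and connections opened after it goes slightly beyond what the article distinguishes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    first_seen: float  # seconds since capture start
    last_seen: float
    dst: str
    dport: int

def classify(flows, vpn_server, tunnel_up, local_nets=("192.168.0.0/16",)):
    """Bucket flows seen upstream of the phone relative to tunnel start."""
    vpn = ip_address(vpn_server)
    nets = [ip_network(n) for n in local_nets]
    out = {k: [] for k in ("tunnel", "local", "pre_vpn", "survived", "bypass")}
    for f in flows:
        addr = ip_address(f.dst)
        if addr == vpn:
            key = "tunnel"        # encrypted traffic to the VPN endpoint
        elif any(addr in n for n in nets):
            key = "local"         # LAN traffic, review separately
        elif f.last_seen < tunnel_up:
            key = "pre_vpn"       # finished before the VPN was enabled
        elif f.first_seen < tunnel_up:
            key = "survived"      # opened before, still active after tunnel start
        else:
            key = "bypass"        # opened after tunnel start, outside it
        out[key].append(f)
    return out

def leaks(flows, vpn_server, tunnel_up):
    """Destinations reached outside the tunnel once the VPN was active."""
    c = classify(flows, vpn_server, tunnel_up)
    return sorted({(f.dst, f.dport) for f in c["survived"] + c["bypass"]})

# Constructed sample (documentation address ranges), tunnel established at t=10s.
SAMPLE = [
    Flow(0.0, 4.0, "198.51.100.20", 443),    # closed before the VPN was enabled
    Flow(2.0, 45.0, "198.51.100.30", 5223),  # pre-existing, never torn down
    Flow(9.5, 60.0, "203.0.113.10", 51820),  # the VPN tunnel itself
    Flow(31.0, 33.0, "198.51.100.40", 443),  # new connection outside the tunnel
    Flow(1.0, 50.0, "192.168.1.1", 67),      # local gateway
]

if __name__ == "__main__":
    for dst, port in leaks(SAMPLE, "203.0.113.10", 10.0):
        print(f"outside tunnel: {dst}:{port}")
```
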

Android reportedly does the same with Google

Horowitz and Mysk claim that key applications continue to communicate with other servers outside the encrypted tunnel, which is detrimental to the privacy of the data they contain. Maps, with travel information; Health, with health-related data; and even Wallet, which notably contains various tickets and credit cards, are affected.

In total, this affects at least 8 applications, since 9to5Mac also lists the App Store, Clips, Files, Find My and Settings. And worst of all, Apple is not the only one doing this. Mysk confirmed to 9to5Mac that Google, with its Android operating system, was doing the same: "[…] Android communicates with Google services outside of an active VPN connection, even if the 'Always on' and 'Block non-VPN connections' options are enabled. I used a Google Pixel running Android 13."

Tommy Mysk considers these actions on the part of Apple and Google to be deliberate, although there is no official way of knowing what these companies do with the data collected. Unofficially, however, the door is open.

Source: 9to5Mac
