Via the VPN, all your data traffic is routed through an encrypted virtual tunnel. This hides your IP address when you use the Internet, making its location invisible to anyone. Here is the theory. At Apple, it’s different according to a security researcher who reveals a real security problem.
We’ve told you enough about VPNs for you to know how they work. However, a reminder is always worth taking: a VPN connection establishes a secure connection between you and the Internet. Via the VPN, all your data traffic is routed through an encrypted virtual tunnel. This hides your IP address when you use the Internet, making its location invisible to anyone. Here is the theory. At Apple, it’s different.
A critical security flaw on iOS
Security blogger and researcher Michael Horowitz says Apple’s iOS devices don’t route all network traffic entirely through VPNs as a user might expect. To perform his test, he simply activated a VPN on his iPad and connected it to a router.
From the router, he listened and observed the data traffic. Initially, the VPN seems to work well: it assigns a new IP address with associated DNS servers. However, we observe that some of the data is only routed through the VPN traffic tunnel. In other words: the VPN is ineffective.
It’s not a classic DNS leak, it’s a data leak. I confirmed this using several types of VPNs and software from several VPN providers. The latest version of iOS that I tested is 15.6.
The security issue has been known for years. One of the VPN providers, Proton, previously reported this vulnerability present at least since iOS 13.3.1.
Most connections do go through the tunnel established by the VPN, but some, like Apple’s push notification service, do not. This data can be unencrypted, moreover, it exposes the real IP address of the user.
So it’s not a problem if you’re using a VPN to bypass a geo-blocking of SVoD services, for example, but it’s a security concern if a VPN is needed in countries where surveillance and civil rights violations are common.
Kill Switch is ineffective
Apple delivered new tools on iOS 14, with the Kill Switch capability featured in most VPNs. By activating Kill Switch, existing connections are theoretically blocked whenever the VPN is activated. However, this is not the case as shown by Michael Horowitz.
It’s amazing that Apple doesn’t fix this behavior when you know how important privacy is to them. Since 2019, Apple has chosen to focus its communication on confidentiality, ” what happens on your iPhone stays on your iPhone “.
Several campaigns followed, on TV, on bus shelter displays, but also on the internet, in particular duringkey notesfrom Apple. The question of the protection of our data has gradually become a criterion in the act of consumer purchase. It is therefore surprising to see Apple not providing an effective solution to this problem identified for several years.
To follow us, we invite you to download our Android and iOS application. You can read our articles, files, and watch our latest YouTube videos.