In a continuation of the saga of iOS VPN apps not being as secure as users might think, Apple insists it offered a fix for the issue years ago. Developers of third-party VPN apps, such as ProtonVPN, say this isn’t the case. The resolution Apple offered to address VPN app security concerns, they claim, is only a partial solution that needs to be done better.
The Trouble With VPN App Security on iPhone
One of the biggest hurdles third-party VPN apps have under iOS is that they aren’t allowed to close network connections. Because of this, persistent connections sometimes remain outside the VPN tunnel. This means that while you might think all of your network traffic is going through your VPN provider, it really isn’t.
For some reason, iOS is prone to keep certain connections alive much longer than it should. For example, connections to Apple’s servers used for push notifications might remain active for hours, rather than minutes. As a result, those connections keep using their insecure route rather than closing and reopening through the VPN.
Even if a connection only remained open for, say, 5 minutes, this could cause problems. Quite often, a user will connect to their VPN right before beginning to do work they want the security for. ProtonVPN discovered this in 2020, under iOS 13.3.1, and let Apple know.
Apple’s Fix for Plugging VPN Leaks
In 2019, during WWDC, Apple announced what seemed to be a way for VPN app developers to solve the issue. The Cupertino-based tech giant added a new API that would cause the system to drop traffic if it’s not connected through the VPN for some reason.
Proton says it’s aware of the reported fix, and tested it when it first became available (via 9to5Mac). However, according to Proton’s testing, the new API only proved partially effective. Insecure connections to some Apple services stay active, even when using that API, after the VPN is activated.
What’s more, the API in question is disabled by default. It’s not clear why that’s the case. It’s also not clear why VPN apps aren’t using it, other than the fact that they may not want to rely upon the false hope that it’s actually doing what it is supposed to do.
When Apple decided not to offer a more complete fix for the trouble, Proton took the issue public. Proton founder and CEO Andy Yen isn’t happy about the lack of further action, but doesn’t see the situation changing anytime soon.
The fact that this is still an issue is disappointing to say the least. We first notified Apple privately of this issue two years ago. Apple declined to fix the issue, which is why we disclosed the vulnerability to protect the public. Millions of people’s security is in Apple’s hands; they are the only ones who can fix the issue, but given the lack of action for the past two years, we are not very optimistic Apple will do the right thing.
I guess the moral of the story is this. If you truly want all of your connections to route through your VPN app, that desire might go unfulfilled. The closest thing to a workaround is to switch on Airplane mode, making sure both Wi-Fi and Bluetooth are disconnected, wait a few seconds, and then turn Airplane mode back off.
In theory, all of your traffic from that point should route through your VPN tunnel, unless a connection is initiated before the VPN tunnel comes back up. Unfortunately, even that’s not guaranteed.
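The leak described above (connections opened before the tunnel came up staying on their original route) and the Airplane-mode workaround can both be checked from the outside by looking at which local address each live socket is bound to. The script below is an added example, not code from the article or from Proton or Apple: it parses netstat-style output in the BSD/macOS layout (a constructed sample is embedded; the tunnel address 10.2.0.2, the gateway 198.51.100.7:443 and the 17.x push-style connection are all made up) and flags sockets that are not bound to the tunnel interface. The one connection that legitimately sits outside the tunnel, the outer transport to the VPN gateway itself, is excluded so it does not show up as a false positive.

```python
"""Flag established connections that bypass a VPN tunnel.

Added example, not from the original article, Proton or Apple. Parses
netstat-style lines in the BSD/macOS "addr.port" layout and reports sockets
not bound to the tunnel's local address. The outer connection to the VPN
gateway is expected to be outside the tunnel and is excluded.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: LAN address 192.168.1.23, tunnel (utun) address
# 10.2.0.2, VPN gateway at 198.51.100.7:443. The 17.x connection on 5223
# is modelled on the long-lived push socket the article describes.
SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.23.52844     17.57.144.20.5223      ESTABLISHED
tcp4       0      0  10.2.0.2.49312         93.184.216.34.443      ESTABLISHED
udp4       0      0  192.168.1.23.51820     198.51.100.7.443
tcp4       0      0  192.168.1.23.60002     203.0.113.9.443        ESTABLISHED
tcp4       0      0  10.2.0.2.49400         203.0.113.10.443       TIME_WAIT
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str  # empty string for UDP, which netstat prints without a state


def split_addr(addr: str) -> Tuple[str, int]:
    """Split a BSD 'ip.port' field into (ip, port); a '*' port becomes 0."""
    ip, _, port = addr.rpartition(".")
    return ip, 0 if port == "*" else int(port)


def parse_netstat(text: str) -> List[Socket]:
    """Turn netstat -an output into Socket records, skipping header lines."""
    socks: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        lip, lport = split_addr(parts[3])
        rip, rport = split_addr(parts[4])
        state = parts[5] if len(parts) > 5 else ""
        socks.append(Socket(parts[0], lip, lport, rip, rport, state))
    return socks


def find_leaks(socks: List[Socket], tunnel_ip: str,
               gateway_ip: str, gateway_port: int) -> List[Socket]:
    """Return sockets carrying traffic outside the tunnel.

    A socket leaks when its local address is not the tunnel address and it
    is not the outer transport to the VPN gateway. Only live TCP sessions
    (ESTABLISHED) and UDP flows are reported; closing states are ignored.
    """
    leaks: List[Socket] = []
    for s in socks:
        if s.local_ip == tunnel_ip:
            continue
        if (s.remote_ip, s.remote_port) == (gateway_ip, gateway_port):
            continue
        if s.proto.startswith("tcp") and s.state != "ESTABLISHED":
            continue
        leaks.append(s)
    return leaks


if __name__ == "__main__":
    found = find_leaks(parse_netstat(SAMPLE_NETSTAT),
                       "10.2.0.2", "198.51.100.7", 443)
    for s in found:
        print(f"LEAK {s.proto} {s.local_ip}:{s.local_port} -> "
              f"{s.remote_ip}:{s.remote_port} {s.state}".rstrip())
```

On a Mac, feed it the output of `netstat -an` captured after the tunnel is up, with your own tunnel interface address and gateway endpoint substituted; running it once before and once after the Airplane-mode toggle shows whether the long-lived sockets actually moved into the tunnel. On the constructed sample it reports the push-style connection and one other pre-existing session, while the gateway transport and the tunnel-bound sockets are left alone.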
Serious question: does this mean the user would have to turn Airplane mode on and off quickly before and after each VPN session?
Unfortunately, that’s exactly what it means. Even then, you cannot be 100% certain all of your traffic gets routed through the VPN tunnel.
Well, let me clarify. Before each VPN session, but not after.