Following the discovery of one flaw in how iOS handles third-party VPN apps, a security researcher has demonstrated another shortcoming. In this case, the security expert has discovered that many Apple apps bypass the VPN tunnel altogether, including some that transfer highly sensitive data.
Apple Apps Defeat the Whole Purpose of VPN in iOS
When you connect your iPhone to a VPN service, there’s a pretty defined expectation of what should happen. Once iOS and the app have established the VPN tunnel, all of your data is supposed to pass through said tunnel. This way, your data is encrypted and safe from snooping bad actors.
In the first discovered flaw in how iOS handles third-party VPN apps, the operating system failed to close existing connections. This meant some apps would continue to use these older, non-encrypted network connections. Apple claimed it had resolved the issue, while many developers say it persists.
The plot thickens, though, as another developer and security researcher has discovered yet another iOS VPN flaw.
Tommy Mysk ran his own tests, closely examining which IP addresses were being accessed during a VPN session. What he found is very troubling. Many of Apple’s built-in apps bypass the VPN tunnel completely, communicating with Apple’s servers directly through the cellular data or Wi-Fi connection instead.
This means all of the data sent to and from Apple’s servers from these apps is wide open for snooping. Whether it’s a hacker sniffing your connection with fake Wi-Fi hotspots or just your ISP being nosy, your sensitive data is at risk.
Apple-Branded Apps Subject to New iOS VPN Flaw
There are quite a few stock iOS apps that are vulnerable to this VPN flaw. Several of them could be passing very sensitive information, such as credit card details or medical records, unencrypted to Apple’s servers. The apps Mysk found susceptible to the iOS VPN flaw include:
- Apple Store
- Clips
- Files
- Find My
- Health
- Maps
- Settings
- Wallet
Mysk demonstrated the problem in a video posted to Twitter.
We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. Worse, it leaks DNS requests. #Apple services that escape the VPN connection include Health, Maps, Wallet.
We used @ProtonVPN and #Wireshark. Details in the video:#CyberSecurity #Privacy pic.twitter.com/ReUmfa67ln— Mysk 🇨🇦🇩🇪 (@mysk_co) October 12, 2022
He added:
We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. Worse, it leaks DNS requests. #Apple services that escape the VPN connection include Health, Maps, Wallet.
Apple Should Treat VPN Apps as Browsers, Researcher Says
Mysk goes on to explain that he believes the flaw is an intentional one. Perhaps, he surmises, Apple does this for security or performance reasons. However, Mysk doesn’t see any reason for the traffic to bypass the VPN tunnel.
There are services on the iPhone that require frequent contact with Apple servers, such as Find My and Push Notifications. However, I don’t see an issue of tunneling this traffic in the VPN connection. The traffic is encrypted anyways.
Security concerns, he adds, are easily addressed. Mysk says VPN apps should be treated as browsers, requiring special approval and security entitlement from Apple. The researcher doubts Apple is bypassing the tunnel for performance reasons.
Push notifications, which bypassed the VPN under iOS 14, no longer do so. Under iOS 16, push notifications travel through the VPN tunnel. If Apple was concerned about the VPN slowing down traffic, he says, the notifications would not be using the tunnel.
Apple has not yet issued a statement on this newly-revealed iOS VPN flaw.