According to a researcher, VPNs on iOS are leaking user data because of a problem that was first discreetly reported to Apple roughly two years ago. The problem is that an iOS device does not fully route all network traffic through VPN apps as it should, and some data leaves the device outside of the VPN tunnel due to an unpatched security vulnerability. ProtonVPN originally alerted Apple to this bug in 2020; however, the researcher claims that Cupertino-based Apple has not yet patched the issue.
According to a blog post by researcher Michael Horowitz, VPN apps on iOS at first seem to function properly, since "the iOS device gets a new public IP address and new DNS servers" as they should. The researcher claims that although data is transferred to the VPN server, a careful examination of the data leaving the iOS device reveals that the VPN tunnel leaks: data from the iOS device is sent outside of the VPN connection. This is a data leak, not a traditional or legacy DNS breach, Horowitz continued.
A VPN encrypts traffic. Once enabled, it will shut down any active Internet connections and re-establish them through the VPN tunnel, giving the device a new IP address, new DNS servers, and a tunnel for new data. The iOS flaw prevents the operating system from concealing all active Internet connections and/or causes it to "leak" data outside the VPN tunnel, which raises serious security issues.
To better understand this, consider a scene from a movie where you are driving a red car and anyone can follow you in a helicopter. The helicopter cannot see you once you enter a tunnel, and when you emerge, you are driving a white car that conceals your identity. However, if a weakness in that disguise gives the information away, the trackers might still be able to recognise you. We have contacted Apple for comment, but they have not yet provided a statement on the matter.
The researcher also asserts that he used a variety of VPNs and software from several VPN providers to corroborate this data leak. He tested it on the most recent iOS version (iOS 15.6). ProtonVPN made the first public report of the problem in 2020, when iPhone models were running iOS 13. According to a report, Apple has offered a solution to the issue but has not yet completely solved it.
Andy Yen, the founder and CEO of Proton, was quoted by Ars Technica as saying, "The fact that this is still a problem is, to put it mildly, frustrating. Two years ago, we quietly alerted Apple to this problem. We revealed the vulnerability to safeguard the public because Apple refuses to address the problem. The security of millions of individuals is in Apple's hands; they are the only ones who can resolve the problem, but considering their track record of inaction over the last two years, we don't have high hopes for them to act responsibly."
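One way to run the kind of check described above, examining the traffic that leaves the device for flows that bypass the tunnel, as an added example (not the researcher's or Proton's code). The flow records, the addresses, the `find_leaks` helper and the rule that local-subnet traffic is expected outside the tunnel are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: flows seen at the router for one device, as
# (seconds, src_ip, src_port, dst_ip, dst_port). All values are made up;
# 203.0.113.10 stands in for the VPN server.
DEVICE = "192.168.1.23"
LAN = ip_network("192.168.1.0/24")   # assumption: local traffic is exempt
VPN_SERVER = "203.0.113.10"
VPN_UP_AT = 100.0                    # hypothetical tunnel start time
FLOWS = [
    (10.0, DEVICE, 50001, "198.51.100.7", 443),    # opened before the VPN
    (20.0, DEVICE, 50002, "198.51.100.9", 5223),   # opened before the VPN
    (101.0, DEVICE, 50100, VPN_SERVER, 51820),     # tunnel traffic
    (130.0, DEVICE, 50002, "198.51.100.9", 5223),  # old connection still alive
    (140.0, DEVICE, 50200, "198.51.100.50", 443),  # new flow outside tunnel
    (150.0, DEVICE, 50300, "192.168.1.1", 53),     # LAN traffic, not counted
]

def find_leaks(flows, device, vpn_server, vpn_up_at, lan=LAN):
    """Return (kind, flow_key) for device traffic that bypasses the tunnel.

    kind is "survived" when the same connection was already seen before the
    tunnel came up (it was never shut down and re-established through the
    VPN), and "new" when it first appears after the tunnel came up.
    """
    seen_before = set()
    leaks = []
    for ts, src, sport, dst, dport in sorted(flows):
        if src != device:
            continue
        key = (src, sport, dst, dport)
        if ts < vpn_up_at:
            seen_before.add(key)       # remember pre-VPN connections
            continue
        if dst == vpn_server or ip_address(dst) in lan:
            continue                   # inside the tunnel, or local subnet
        leaks.append(("survived" if key in seen_before else "new", key))
    return leaks

if __name__ == "__main__":
    for kind, key in find_leaks(FLOWS, DEVICE, VPN_SERVER, VPN_UP_AT):
        print(kind, key)
```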