A researcher has claimed that VPNs on iOS leak user data because of a flaw that was first disclosed privately to Apple. The unpatched vulnerability prevents an iOS handset from routing all of its network traffic through the VPN app, so some data leaves the device outside the VPN tunnel. The flaw was first reported to Apple by ProtonVPN in 2020, but the researcher says the Cupertino-based company has yet to plug it.
Researcher Michael Horowitz claimed in a blog post that a VPN app on iOS works fine at first, i.e. the “iOS device gets a new public IP address and new DNS server” the way it should. Data is sent to the VPN server, but the researcher says a detailed inspection of the traffic leaving the iOS device shows that the VPN tunnel leaks. “Data leaves the iOS device outside the VPN tunnel. This is not a classic/legacy DNS leak, it is a data leak,” Horowitz said.
A VPN encrypts the device's traffic. Once enabled, it should give the device a new IP address and DNS server and carry all traffic through the tunnel, which means the operating system has to close the internet connections that were open before the VPN came up and re-establish them inside the tunnel. However, a bug in iOS means the operating system does not close all existing connections: sessions opened before the VPN connected keep running outside the tunnel and “leak” data, raising major security concerns.
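The mechanism above (connections opened before the tunnel came up keep sending outside it) is what a capture taken on the router, upstream of the phone, reveals. As an added example, not from the article or from Horowitz's own work, the Python script below replays a constructed set of flow records of the kind such a capture would yield and flags any traffic from the device that bypasses the VPN server after the tunnel is up, separating flows that pre-dated the tunnel (the behaviour described) from new ones. The device address, VPN endpoint, LAN prefix, timestamps and flow records are all hypothetical.

```python
"""Flag device traffic that leaves outside the VPN tunnel.

Added example, not code from the article. Flow records are constructed to
resemble what a router-side capture would summarise; all addresses and
timestamps are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One flow as a router-side capture would summarise it."""
    first_seen: float  # seconds since capture start, first packet of the flow
    last_seen: float   # seconds since capture start, last packet of the flow
    src: str
    dst: str
    dport: int
    proto: str         # "tcp" or "udp"


# Hypothetical values: the phone's LAN address, the LAN itself, a TEST-NET-3
# address standing in for the VPN server, and when the tunnel came up.
DEVICE_IP = "192.168.1.23"
LAN = ip_network("192.168.1.0/24")
VPN_SERVER = ("203.0.113.10", 51820)   # assumed endpoint and UDP port
VPN_UP_AT = 10.0

# Constructed capture. TEST-NET-2 addresses stand in for internet hosts.
FLOWS = [
    # DNS to the ISP resolver before the VPN came up: expected.
    Flow(1.0, 1.1, DEVICE_IP, "198.51.100.53", 53, "udp"),
    # Long-lived TCP session opened before the VPN came up and still
    # sending afterwards: the surviving-connection behaviour described.
    Flow(2.0, 45.0, DEVICE_IP, "198.51.100.20", 443, "tcp"),
    # The tunnel itself: everything here is fine.
    Flow(10.0, 60.0, DEVICE_IP, VPN_SERVER[0], VPN_SERVER[1], "udp"),
    # Brand-new connection after VPN up that bypasses the tunnel: also a
    # leak, but a routing problem rather than a surviving socket.
    Flow(20.0, 21.0, DEVICE_IP, "198.51.100.77", 443, "tcp"),
    # LAN traffic (a printer): stays local by design for most VPN apps.
    Flow(25.0, 25.5, DEVICE_IP, "192.168.1.40", 631, "tcp"),
    # Another host on the LAN: not the device under test.
    Flow(30.0, 31.0, "192.168.1.99", "198.51.100.20", 443, "tcp"),
]


def is_tunnel(flow, vpn_server):
    """True when the flow is the encrypted tunnel to the VPN server."""
    return (flow.dst, flow.dport) == vpn_server


def classify_leaks(flows, device_ip, vpn_server, vpn_up_at, lan=LAN):
    """Return {"pre_existing": [...], "new": [...]}: flows from device_ip
    that still carry packets after vpn_up_at without going to the tunnel.

    "pre_existing" flows were opened before the tunnel came up and should
    have been torn down; "new" flows were opened afterwards and should
    never have left the tunnel at all.
    """
    leaks = {"pre_existing": [], "new": []}
    for f in flows:
        if f.src != device_ip or f.last_seen < vpn_up_at:
            continue  # not our device, or finished before the tunnel existed
        if is_tunnel(f, vpn_server):
            continue
        if ip_address(f.dst) in lan:
            continue  # local traffic; most VPN apps leave the LAN reachable
        bucket = "pre_existing" if f.first_seen < vpn_up_at else "new"
        leaks[bucket].append(f)
    return leaks


def report(leaks):
    """One human-readable line per leaked flow."""
    lines = []
    for kind, flows in leaks.items():
        for f in flows:
            lines.append(f"{kind:12s} {f.proto}/{f.dport} -> {f.dst} "
                         f"(opened t={f.first_seen}, last packet t={f.last_seen})")
    return lines


if __name__ == "__main__":
    for line in report(classify_leaks(FLOWS, DEVICE_IP, VPN_SERVER, VPN_UP_AT)):
        print(line)
```

The split between the two buckets matters for triage: a "pre_existing" hit is the symptom the article describes (the OS left an older connection alive instead of re-establishing it inside the tunnel), while a "new" hit points at a routing or split-tunnel misconfiguration and would not be fixed by tearing connections down at VPN start. Against a real capture, replace FLOWS with records exported from your packet-capture tool and set VPN_UP_AT from the first packet to the VPN server.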
To understand this better, consider a movie-like scenario in which you are driving a red car and someone is tracking you from a helicopter. When you enter a tunnel, the helicopter loses sight of you, and you come out driving a white car that cloaks your identity. But if the cloak is flawed and still carries identifying information, the trackers could recognize that it is you. Apple has yet to issue a response on the issue, and we have reached out for comment.
The researcher also says he verified the data leak using multiple types of VPN and software from multiple VPN providers, testing on the latest version of iOS (iOS 15.6). The issue was first reported publicly by ProtonVPN in 2020, when iPhones were running iOS 13. According to the report, Apple has not completely fixed the problem, and only a workaround rather than a fix has been provided.
Ars Technica cites Proton founder and CEO Andy Yen as saying: “The fact that this is still an issue is disappointing to say the least. We first informed Apple about this issue privately two years ago. Apple declined to fix the issue, which is why we disclosed the vulnerability for the safety of the public. The security of millions is in the hands of Apple; they can fix the problem, but given the lack of action for the past two years, we’re not too optimistic that Apple will do the right thing.”