A few years ago, engineers at Proton Technologies, the company behind ProtonMail and ProtonVPN, talked about a bug in iOS 13.3.1 that prevents VPN apps from encrypting all traffic. As information security experts now report, the problem has not yet been fixed.
In 2020, Proton Technologies experts explained that when using a VPN, the operating system must close all existing Internet connections and restore them through an already VPN tunnel to protect the user’s privacy and data. However, iOS for some reason can’t keep up with closing existing connections, leaving the traffic insecure as a result. For example, new Internet connections will connect through the VPN tunnel, but connections that were already active when the user connected to the VPN server will remain outside the tunnel.
Although insecure connections are becoming less common, the main problem is that the user’s IP address and the IP address of the server to which he connects remain open, and the server “sees” the user’s real IP address instead of the VPN server’s IP address.
As The Register now writes, Proton Technologies researchers continued to wait for the release of the patch for a very long time. From time to time, specialists have updated their report to report that there is still no fix, although Apple is aware of the problem. So, until recently, the last update in the text was dated October 19, 2020, and it reported that the vulnerability had not been finally fixed in iOS 13.4, 13.5, 13.6, 13.7 and 14.
Earlier this year, cybersecurity researcher and developer Michael Horowitz re-examined this situation and found that iOS VPNs still don’t work correctly and cause data leaks.
“iOS VPNs don’t work,” Horowitz wrote in early August in a post titled “iOS VPNs are a scam.” “At first they seem to be working fine. The iOS device gets a new public IP address and new DNS servers. Data pe sent to the VPN server. But over time, a detailed check of the data leaving the device shows that the VPN tunnel is leaking. The data does not leave the iOS device through the VPN tunnel. This is not a normal DNS leak, this is a data leak.”
Horowitz writes that back in May 2022, he sent an email to Apple announcing this leak. In July, he said that he exchanged several letters with the company, but this did not give any result:
“To date, about five weeks later, Apple has said virtually nothing to me. They didn’t say if they tried to recreate the problem. They didn’t say if they agreed it was a vulnerability. They didn’t say anything about a fix.”
In addition, at the end of last week, on August 18, 2022, Proton Technologies experts updated their old report again. They report that the kill switch feature that Apple introduced to developers with the release of iOS 14 does block additional network traffic, but “some DNS requests from Apple services can still be sent outside of a VPN connection.”