Most DoS countermeasures are of the form of rate limiting. E.g. less than X per second. This is the other way around, as it affects only one. Hard to detect a pattern. Don’t think it’s that easy to stop bad actors. Once Pandora's box is opened …
Well, if you have a malware app on your phone, you're owned anyway, even if it's a VPN.

In any case, I know my VPN vendors and it's not a concern for me...
 
Finally, someone mentions battery life. I can't be the only one who usually avoids VPN on my mobile device because of battery life concerns. 99.99% of my VPN usage is on my work laptop or personal laptop if I'm on a wifi that is not what I consider to be "safe" - like airports, coffee shops, work conferences, colleges, etc.

My mobile device? Almost always I have cellular and instead of VPN, I'll hotspot to my phone (my preference). I've only really used VPN on my mobile device when out of the country and on wifi that I didn't "trust" that I wanted to be a little more secure with. But I found VPN through my mobile device: 1. Drained the battery like crazy. 2. Usually resulted in telephone line like speeds. 3. Almost unusable internet (in XYZ country).

Free or Paid VPN?
I use paid and I'm not seeing this on either iOS or Android.
Then again, I use as needed and not 100%...
 
Free or Paid VPN?
I use paid and I'm not seeing this on either iOS or Android.
Then again, I use as needed and not 100%...
Only paid (I don't trust free VPNs) - I've used NordVPN for the last handful of years. Last time I heavily used VPNs on my iPhone was around 2018 for work trips and I noticed heavy/very noticeable drain on my iPhone. So my info is a bit out of date. Ugh, I'm getting old.

Same - I use as needed instead of leaving it on all the time now and it's barely noticeable when I do that :D.
 
Neither Horowitz, Proton, any of the publications echo-chambering this story, or even Apple PR themselves, seem to be able to elucidate this issue coherently.

Here’s a write-up from the folks at Disconnect.me;
https://blog.disconnect.me/ios-vpn-leak-advisory/

It’s Apple fault, and if that write-up is anything to go by, it’s a bigger problem than many realize.
Thank you. That is written so much better and provides so much more background!
 
VPN apps are supposed to be trusted then?

A VPN app (and/or the company running the VPN server) requires a higher level of trust: trust that the app encrypts your uploaded data and does nothing else, and trust that the server forwards the data after decrypting and does nothing else.

So, yes, you're gonna have to trust it. If you don't, you can't use that app.

I don’t think it’s as simple as you make it out to be. I don‘t think giving an app control of the network connection is a good idea. I fiddle with Linux netfilter as a hobby. It’s not as simple as one thinks it is.

Then you trust netfilter.
 
Well, as a corporate guy I can tell you why I use a VPN. It's to mainly protect the corporate goodies, i.e., to not allow direct access to our servers from the internet. Every second of every day there are the script kiddies scanning everything they can scan, and the traffic is tremendous, almost a DoS type thing. I'm not that worried about them getting in, but I really don't even want them to see anything to keep them from the constant attempts.

It also somewhat protects the other side from having sensitive information just grabbed off whatever LAN they are on.

So it's more of a protection thing than a privacy thing. (and I control the VPN servers, so I don't have to worry about trusting a third party. :)
That’s a different use of a VPN than what most people think when you say VPN. You’re talking about VPN into a corporate network. I have this on one of my work devices. Yes that definitely does have advantages in the corporate world but most people think of a VPN as the ones advertised as a subscription. If you’re really security conscious you can do the same thing they do in the corporate world and VPN to your home network but most people aren’t going to do that.
 
It also makes one realise that the average consumer really has no way of verifying just how well a VPN works on any device. We are just supposed to trust them (and the random tech YouTubers) that it will protect our privacy on untrusted networks.
Most people don’t even understand the concept of a VPN much less if it’s working. They just see their favorite YouTube celeb selling it and think oh I need that. I had a family member tell me they got a VPN subscription. I asked why. They said oh it makes the Internet more secure so they can’t be tracked online. Yeah no not even close. What upsets me is I’ve seen some of the ads and they’re highly misleading. I think most of these companies are outside the US, UK and EU so they’re probably protected from any kind of false advertising litigation. If you’re someone who uses a VPN just because you don’t want to be tracked by your ISP you might want to look at who owns most of these VPN services. You might as well sign up for Facebook or Google VPN if there was such a thing 😂
 
That’s a different use of a VPN than what most people think when you say VPN.
True, but it's still a VPN and it works in the same way.

You’re talking about VPN into a corporate network. I have this on one of my work devices. Yes that definitely does have advantages in the corporate world but most people think of a VPN as the ones advertised as a subscription. If you’re really security conscious you can do the same thing they do in the corporate world and VPN to your home network but most people aren’t going to do that.
Most people wouldn't know how, but it's certainly doable. I don't most of the time, and I've only rarely used the consumer VPNs. I'm not that worried about my internet access though and I've never tried to obfuscate my location.
 
iOS doesn't implement a lot of VPN protocols, so it's good that they've eventually (ca. iOS 9?) allowed third parties to fill in the void.

Just VPN, L2TP, PPTP, IPSec, and IKEv2, with support for passwords, certificates and Cisco's proprietary XAuth authentication.

Also, PPTP supports (horrible) encryption but is not a standard - it is a Microsoft invention.

Yes, but OpenVPN itself isn't actually included in iOS. If you use an entirely open-source, non-proprietary OpenVPN solution, you still need an app in iOS to actually use it, because iOS does not ship that protocol at all.

OpenVPN uses their own proprietary security protocol based on TLS, rather than supporting standards (such as L2TP, IPSec or IKEv2).

Get OpenVPN to create a standard and commit to supporting it in a stable manner and I bet you'd see support in a lot of operating systems pretty quickly.
 
If:

  • without the VPN, a route to IP address 1.2.3.4 gets handled through the ISP,
  • with the VPN, the route gets replaced by one handled by the VPN server,
  • a connection exists before connecting to the VPN,
  • after connecting, that connection continues to exist, with the now-outdated route,

then that's at least a problematic behavior, if not outright a bug.

1.2.3.4 is not a private network.

VPN is a protocol to connect to private networks.

You are asking for iOS to treat all public internet resources (other than, presumably, the VPN server) as private network resources.
 
Just VPN, L2TP, PPTP, IPSec, and IKEv2,

First… "VPN"??

Second, iOS supports L2TP and IKE. It also supports "IPSec", by which it means Cisco's VPN, which is IKE.

with support for passwords, certificates and Cisco's proprietary XAuth authentication.

Also, PPTP supports (horrible) encryption but is not a standard - it is a Microsoft invention.

Did you just change your goalpost from "MOST standardized VPN protocols do not define encryption" to "sure, I can't name a single example of a VPN that doesn't define encryption, but I can name one whose two-decades-old encryption is poor by modern standards"? Impressive!

OpenVPN uses their own proprietary security protocol based on TLS, rather than supporting standards (such as L2TP, IPSec or IKEv2).

I have no idea why that's relevant, but yes.

Get OpenVPN to create a standard and commit to supporting it in a stable manner and I bet you'd see support in a lot of operating systems pretty quickly.

OpenVPN is plenty good the way it is.

1.2.3.4 is not a private network.

This isn't relevant.

First of all, "private network" only refers to who gets to assign IP addresses. And even then, nothing stops you from simply setting your own host to 1.2.3.4. You lose the ability to reach the "official" machine with that IP address, but that's all.

Second, while VPNs are often used to connect to private networks, they don't have to do that at all. A VPN for Apple employees will route you to the 17.* range, which isn't private at all.

And plenty of VPNs these days have nothing to do with specific routes and everything to do with tunneling all transferred data over a VPN server, whether it be for privacy reasons, or to pretend-change your physical location, or simply because your employer wants to control what data you transfer over your employer-issued device.

VPN is a protocol to connect to private networks.

"VPN" is not a protocol, and VPNs have been used for other use cases than that basically since their inception a quarter century ago.

You are asking for iOS to treat all public internet resources (other than, presumably, the VPN server) as private network resources.

First, "private network resources" aren't really a thing. And second, iOS can do exactly that and has been doing that ever since it has supported VPNs in iPhoneOS 2.0.
 
At last an article worth reading! Thank you for this. More, more !!!
 
First… "VPN"??

Second, iOS supports L2TP and IKE. It also supports "IPSec", by which it means Cisco's VPN, which is IKE.
Sorry, paste error. “VPN” = app supplied.
Did you just change your goalpost from "MOST standardized VPN protocols do not define encryption" to "sure, I can't name a single example of a VPN that doesn't define encryption, but I can name one whose two-decades-old encryption is poor by modern standards"? Impressive!
You said PPTP. PPTP is not a standard.
First of all, "private network" only refers to who gets to assign IP addresses. And even then, nothing stops you from simply setting your own host to 1.2.3.4. You lose the ability to reach the "official" machine with that IP address, but that's all.

Assigning addresses and routes to publicly assigned 3rd party addresses as part of your own network is widely discouraged.

Private address ranges include 10.x.x.x and 192.168.x.x.
Second, while VPNs are often used to connect to private networks, they don't have to do that at all. A VPN for Apple employees will route you to the 17.* range, which isn't private at all.
You can have addresses you control as part of your private network, sure. It is discouraged to have these be public as well.
And plenty of VPNs these days have nothing to do with specific routes and everything to do with tunneling all transferred data over a VPN server, whether it be for privacy reasons, or to pretend-change your physical location, or simply because your employer wants to control what data you transfer over your employer-issued device.
There are privacy reasons not to support that. An employer with a private network should not be able to capture public internet traffic for a device you own, without your approval.

Apple has banned apps which do this, such as Facebook and Google apps (which were deployed with enterprise profiles to work around limitations) and many earlier parental monitoring apps.

VPN apps which self configure (e.g. without the use of enterprise profiles) have several documented limitations. The idea of enterprise profiles is that you have a strong relationship with that party and can hold them liable for abuses.
"VPN" is not a protocol, and VPNs have been used for other use cases than that basically since their inception a quarter century ago.
I also received a book decades ago called “101 uses for a dead cat”. Theoretical application of VPN technology does not make it a supported platform feature.
First, "private network resources" aren't really a thing. And second, iOS can do exactly that and has been doing that ever since it has supported VPNs in iPhoneOS 2.0.
Apple has changed VPN capabilities several times since then, including adding application-provided VPN functionality, including banning certain uses.

Please accept the possibility that changes are intentional.
 
Assigning addresses and routes to publicly assigned 3rd party addresses as part of your own network is widely discouraged.

I'll keep that in mind the next time you're my supervisor.

Private address ranges include 10.x.x.x and 192.168.x.x.

And 172.16/12. And still completely irrelevant.

You can have addresses you control as part of your private network, sure. It is discouraged to have these be public as well.

By whom? And why? Are you implying Apple's security practices are bad?

There are privacy reasons not to support that. An employer with a private network should not be able to capture public internet traffic for a device you own, without your approval.

That's a fine argument, but Apple is letting VPNs do exactly that, so it's not an argument relevant to this thread.

Apple has banned apps which do this, such as Facebook and Google apps (which were deployed with enterprise profiles to work around limitations) and many earlier parental monitoring apps.

That's not why those apps were banned.

There's also nothing to ban. Step 1: make a VPN config that routes all traffic. Step 2: deploy it via MDM.

Apple has changed VPN capabilities several times since then, including adding application-provided VPN functionality, including banning certain uses.

Please accept the possibility that changes are intentional.

So your argument is now: Apple won't fix this, and in fact, Apple will remove the ability of VPNs to route all traffic altogether.

I see.
 
A VPN app (and/or the company running the VPN server) requires a higher level of trust: trust that the app encrypts your uploaded data and does nothing else, and trust that the server forwards the data after decrypting and does nothing else.

So, yes, you're gonna have to trust it. If you don't, you can't use that app.
Not really. It would be dangerous to just trust one category of apps. Nothing stops a bad actor from creating an app pretending to be a VPN app.

IMHO the security model for a mobile device is very much different from a desktop computer. For a computer model, you trust the login account and assign the rights to the apps running under that account's rights (e.g. root, users, etc.)

For mobile devices, since there's no concept of a user account, the model is basically to restrict apps' ability to do stuff.

Then you trust netfilter.
Seems like you don't know what the Linux netfilter subsystem is. I would say that it basically powers the Internet infrastructure. I can change the behaviour of how netfilter works as I have the source code and I can fix whatever I think is wrong (whether I'm right or otherwise) with it and test it out in my Internet router. It's low level networking code that implements Linux's firewall.

I fiddle with VPN code as well (mainly OpenVPN, but a little of WireGuard), so I know a little about VPNs and how they work. My Internet routers are all set up with VPN servers so that I can reach back to my home networks to get back resources I store at home. That is how IMHO VPNs should be used, protecting private resources.

Computer networking is a complicated subject. Modern network stacks have multiple routing tables, and certain OS implementations require certain predictability in terms of how data packets travel so that it does not affect the app layer functionality. Implementing networking code for one OS requires one to understand truly what the OS offers. Not all OSes behave the same.

Besides, using a VPN service to access the Internet for security reasons is not a good use of VPN IMHO. There's no security offered by the VPN service if the Internet resources you access are served in the clear. From the privacy aspect, it is also non-existent. You are just transferring your access pattern from your ISP to the VPN service provider. Once you go online, you leave a digital trail. Anyone determined enough to track you with the resources to do it will be able to.

All the complaints in this thread seem like a tempest in a teapot.
 
Most people don’t even understand the concept of a VPN much less if it’s working. They just see their favorite YouTube celeb selling it and think oh I need that. I had a family member tell me they got a VPN subscription. I asked why. They said oh it makes the Internet more secure so they can’t be tracked online. Yeah no not even close. What upsets me is I’ve seen some of the ads and they’re highly misleading. I think most of these companies are outside the US, UK and EU so they’re probably protected from any kind of false advertising litigation. If you’re someone who uses a VPN just because you don’t want to be tracked by your ISP you might want to look at who owns most of these VPN services. You might as well sign up for Facebook or Google VPN if there was such a thing 😂
Methinks there's a place for Apple to do for the VPN app market what they did with weather. We have private relay for Safari, and I also have the lockdown app installed on my phone (which blocks trackers on a device level). I feel that Apple could acquire a company like Lockdown and implement tracker blocking on a hardware level (ie: have the app preinstalled on every Apple device). This could also pave the way for an Apple VPN service and extend private relay to the entire device.

Perhaps the best way is to simply do it yourself.
 
From reading the article it only leaks data if you’ve previously established a connection before the VPN started.

So if you have booted your phone and started a VPN and never turned it off, it doesn’t leak right?

Do people turn on and off their VPN routinely? Maybe if you do that you have problems…

It’s seems just never turn your VPN off and it can’t happen.
Can you really be sure nothing establishes during boot before the VPN actually 'kicks in'?
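The leak described in this thread, a connection opened before the VPN came up keeping its original route, and the question just raised about connections established during boot, both come down to one audit: which active flows are not bound to the tunnel interface, and when were they established relative to VPN activation. The following is an added example, not code from the thread or from any VPN vendor; it assumes tunnel interfaces are named utun* and runs over a constructed connection table rather than a live device.

```python
"""Audit a connection table for flows that bypass the VPN tunnel.

Added example (not from the thread). Assumptions: tunnel interfaces are
named utun*, the input format is the constructed one below, and the VPN
server endpoint itself is expected to leave via the physical interface.
"""
from dataclasses import dataclass
from datetime import datetime

TUNNEL_PREFIX = "utun"  # assumption: tunnel interfaces are utun0, utun1, ...


@dataclass(frozen=True)
class Conn:
    proto: str
    local: str
    remote: str
    iface: str           # interface the flow is bound to (en0 = Wi-Fi)
    established: datetime


def parse_table(text):
    """Parse constructed 'proto local remote iface ISO-time' lines."""
    conns = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        proto, local, remote, iface, ts = line.split()
        conns.append(Conn(proto, local, remote, iface, datetime.fromisoformat(ts)))
    return conns


def leaked_connections(conns, vpn_up, exempt_remote=None):
    """Return (conn, reason) for every flow not bound to a tunnel interface.

    reason is 'pre-existing' when the flow was established before vpn_up
    (the stale-route case the thread describes) and 'post-vpn' when it was
    opened afterwards yet still uses the physical interface. Flows to the
    VPN server endpoint are exempt: that transport must bypass the tunnel.
    """
    leaks = []
    for c in conns:
        if c.iface.startswith(TUNNEL_PREFIX):
            continue
        if exempt_remote and c.remote.rsplit(":", 1)[0] == exempt_remote:
            continue
        reason = "pre-existing" if c.established < vpn_up else "post-vpn"
        leaks.append((c, reason))
    return leaks


# Constructed sample: one flow predates the VPN, one was opened after it
# but still left via en0, one is inside the tunnel, one is the tunnel
# transport to the VPN server (exempt).
SAMPLE = """
# proto local              remote              iface  established
tcp   192.168.1.20:51234  203.0.113.10:443    en0    2022-08-20T09:58:10
tcp   192.168.1.20:51240  192.0.2.7:443       en0    2022-08-20T10:00:05
tcp   10.8.0.2:51300      203.0.113.10:443    utun2  2022-08-20T10:00:20
udp   192.168.1.20:50000  198.51.100.5:1194   en0    2022-08-20T10:00:01
"""
VPN_UP = datetime.fromisoformat("2022-08-20T10:00:00")
VPN_SERVER = "198.51.100.5"  # constructed placeholder for the tunnel endpoint

if __name__ == "__main__":
    for conn, reason in leaked_connections(parse_table(SAMPLE), VPN_UP, VPN_SERVER):
        print(f"{reason:12} {conn.proto} {conn.local} -> {conn.remote} via {conn.iface}")
```

A 'pre-existing' hit is exactly the case the article describes; the only remedy discussed in the thread is to tear those flows down (or avoid having them) once the tunnel is up.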
 
Methinks there's a place for Apple to do for the VPN app market what they did with weather. We have private relay for Safari, and I also have the lockdown app installed on my phone (which blocks trackers on a device level). I feel that Apple could acquire a company like Lockdown and implement tracker blocking on a hardware level (ie: have the app preinstalled on every Apple device). This could also pave the way for an Apple VPN service and extend private relay to the entire device.

Perhaps the best way is to simply do it yourself.
I guess it would be okay but I don't think it would be any better than other VPN providers. My trust in Apple when it comes to privacy has eroded when they started on device scanning for CSAM. I hate CSAM but I don't think the answer is searching everyone's device without a reason or probable cause as we say in the USA. I like the idea of private relay but it causes me problems with my banking sites. Some won't let me log in and others constantly ask for 2FA. I don't think it gets around device fingerprinting so I'm not even sure it's worth it.

I could do a VPN to my home but I would need to do lots of research on that because I hear if done wrong it can be a security risk. If I'm not mistaken I would also need a static IP address so maybe not something I can get with a home internet plan. I know enough about networking to get me in trouble 🤣
 
If Apple has indeed messed up the API for VPNs they need to be sued (again) to fix this. I'm tired of hearing about Apple messing up this and that. Sue first, ask questions later.
 
Methinks there's a place for Apple to do for the VPN app market what they did with weather. We have private relay for Safari, and I also have the lockdown app installed on my phone (which blocks trackers on a device level). I feel that Apple could acquire a company like Lockdown and implement tracker blocking on a hardware level (ie: have the app preinstalled on every Apple device). This could also pave the way for an Apple VPN service and extend private relay to the entire device.

Perhaps the best way is to simply do it yourself.
I would really like Apple to implement the blocking concepts from Lockdown in the OS, with options in the Privacy settings. It amazes me that we can ask the OS to not allow tracking, but that many apps still do track even when that setting is turned off. The Privacy Report clearly shows this. I'm not sure if I should report these apps to Apple, and where. It appears that any app written in React has this behavior, although that is a guess.
 
Not really. It would be dangerous to just trust one category of apps. Nothing stops a bad actor from creating an app pretending to be a VPN app.

And yet that is exactly how the App Store process works and always has. You ask for an additional entitlement (without it, you can't use the API), and App Review presumably applies extra scrutiny.

IMHO the security model for a mobile device is very much different from a desktop computer. For a computer model, you trust the login account and assign the rights to the apps running under that account's rights (e.g. root, users, etc.)

macOS's security model no longer looks like that. It relies heavily on mechanisms such as TCC and sandboxing, which apply even if you aren't root. The notion that a non-root app should feel free to muck around with your entire home directory was fine in the 1970s but isn't today.

For mobile devices, since there's no concept of a user account, the model is basically to restrict apps' ability to do stuff.

iOS has root just like macOS does.

Seems like you don't know what the Linux netfilter subsystem is.

It's not relevant. Open-source VPN apps for iOS exist if that's your concern.

I fiddle with VPN code as well (mainly OpenVPN, but a little of WireGuard), so I know a little about VPNs and how they work. My Internet routers are all set up with VPN servers so that I can reach back to my home networks to get back resources I store at home. That is how IMHO VPNs should be used, protecting private resources.

And Apple disagrees and offers broader use cases for VPNs.

I'm not sure why some of you keep arguing this since it's the entire premise of this article. If you think VPNs should only be for giving access to private resources, that's fine. Connect to the VPN, you get access. Disconnect, the routes get removed and existing connections won't work any more. This discussion is not about that.

Besides, using a VPN service to access the Internet for security reasons is not a good use of VPN IMHO. There's no security offered by the VPN service if the Internet resources you access are served in the clear. From the privacy aspect, it is also non-existent. You are just transferring your access pattern from your ISP to the VPN service provider.

There is a privacy aspect in that it obscures your original location.