I also question how many programs can ignore rules of the device. Reddit app for example has cellular data use turned off. Without fail, I'm out in a parking lot or large park, and suddenly my watch could buzz a notification of a thread I might be interested in, including graphic. How? Check for wifi connections... None established. Everything secured in the area. Nothing I've ever attempted to connect to. Maybe I'll just leave wifi off when leaving the house to confirm behavior, but always disturbing.
 
At my level of government I can even see what you’re doing on a VPN so I wouldn’t worry. VPNs aren’t as secure as the common folks think…

Ah I’m just screwing with you, you can take your tin foil hat off ;)
All the government has to do is go to the VPN provider you’re with and ask them to divulge what sites or things you’ve been looking at and they’ll do it, because if they don’t that company becomes insolvent rapidly. If you’re being investigated, there is a trail of everything irrespective of whether people say VPNs don’t store anything or hide things from you.
 
The article wasn’t entirely clear on where the fault ultimately lay. So if VPN apps don’t work right on iOS, why then are the parent companies still offering them for sale on the iOS App Store, much less keeping quiet about it?
They are not. ProtonVPN knows it's broken, and plus they need to make money.
 
As do I.

I appreciate Apple’s privacy focused initiatives, but (much like a VPN) I don’t take all their claims at face value.
I assume they are lying about everything, because that is what marketers do. Apple is the most successful marketing company of all time, so it follows that...
 
Whether this is an issue or not depends entirely on what you use a VPN for.

For example, if you use VPN to access your corporate network (which is how I use it), it doesn't matter if existing connections remain open. I'm connecting to the VPN, then accessing resources at work. My online radio station stream continuing to play directly is not an issue. Hell, on my Mac I have a script that runs to only use the VPN for traffic to work subnets, and a direct connection for everything else, because otherwise I'm wasting work's bandwidth for non-work tasks.

Now, if you're using a VPN for privacy, then this is a huge deal and leaving those connections open can expose information about you.

My suspicion is that Apple intended its VPN feature primarily for the former use case, connecting to a corporate network for work, and not for extreme privacy requirements. In either case, they'd do well adding a checkbox to disconnect all existing connections when turning on VPN.
 
"potentially unencrypted"
Yeah, sure. The regular TLS1.2 or TLS1.3 on all HTTPS or QUIC sessions, the same with SMTP/S and IMAP/S and DoH or APR is just not secure enough, right?
 
Interesting article: https://arstechnica.com/information...ic-more-than-2-years-later-researcher-claims/

So the "leaked" traffic is existing connections that the VPN app doesn't terminate? The ArsTechnica article makes it seem like it is the app's fault for not re-routing/terminating them?


"Like Horowitz's post, ProtonVPN's blog noted that a VPN typically closes all existing connections and reopens them inside a VPN tunnel, but that didn't happen on iOS. Most existing connections will eventually end up inside the tunnel, but some, like Apple's push notification service, can last for hours."

"Horowitz tested ProtonVPN's app in mid-2022 on an iPad iOS 15.4.1 and found that it still allowed persistent, non-tunneled connections to Apple's push service. The Kill Switch function added to ProtonVPN, which describes its function as blocking all network traffic if the VPN tunnel is lost, did not prevent leaks, according to Horowitz."

"ProtonVPN had suggested a workaround that was "almost as effective" as manually closing all connections when starting a VPN: Connect to a VPN server, turn on airplane mode, then turn it off. "Your other connections should also reconnect inside the VPN tunnel, though we cannot guarantee this 100%," ProtonVPN wrote."


The title of the ArsTechnica article is: "iOS VPNS have leaked traffic for more than 2 years, researchers claim."

By all means, continue the frothing at the mouth Apple so horrible posts.... It's what Macrumors is all about these days.
 
Any chance what this researcher is seeing is stuff bypassing the vpn to go to iCloud private relay? I agree that the vpn shouldn’t be bypassed, but without mentioning whether this feature was on or off I’m not sure this is a conclusive test.
iCloud private relay is NOT a VPN. And a proxy server doesn’t encrypt user data either.
 
From the creators of "Privacy is a fundamental human right", "if it's free you are the product", "all data stays in your phone", "we wouldn't be in that situation", etc, etc, etc.

Doesn't matter if you prove over and over the amount of bs Apple's PR team puts out on privacy. Why would they do anything being a stockholder driven company? They will squeeze consumers to death in the most greedy ways.

You want to buy their products? By all means do so, just do yourself a favor, and don't come here blowing smoke about how you trust Apple because of "Privacy™" 🤣
 
From the creators of "Privacy is a fundamental human right", "if it's free you are the product", "all data stays in your phone", "we wouldn't be in that situation", etc, etc, etc.

Doesn't matter if you prove over and over the amount of bs Apple's PR team puts out on privacy. Why would they do anything being a stockholder driven company? They will squeeze consumers in the most greedy ways to death.

You want to buy their products? By all means do so, just do yourself a favor, and don't come here blowing smoke to people about how you trust Apple because of "Privacy™"
Did you read the article? ArsTechnica makes it pretty clear that it is the VPN app causing this... But don't let me stop you from screaming at Apple. We all know big companies are in the business of making themselves $ only. You'd be kidding yourself to think that they hold a customer first mindset, so, I hear you.
 
Do they do some split tunneling by design (the VPNs, that is)? I could see some traffic needing to be outside the tunnel, like when you're trying to print something to a local printer that's Wi-Fi-connected.
 
Did you read the article? ArsTechnica makes it pretty clear that it is the VPN app causing this... But don't let me stop you from screaming at Apple. We all know big companies are in the business of making themselves $ only. You'd be kidding yourself to think that they hold a customer first mindset, so, I hear you.
Dignity is not your strongest feature.
 
This is the same reason Apple wanted to scan the images on people's phones.

Apple are in bed with the US security services, and have been for years. They even admitted it after the Snowden stuff went down: "We don't give the NSA direct access to our servers." They added "direct" as a sleight of hand, to make it seem like they were saying they don't give the NSA access to their servers, when in fact they were admitting the NSA has a network tap on their data.

Apple want your data to leak so you can be spied on, just like they want security scanning on your phone.

And they get away with all this because people fall for their dumb virtue signalling marketing.
 

"At Apple, we believe that privacy is a fundamental human right, and protecting people's privacy is at the center of everything we do."

... except you know, at the core level where we leak data like a sieve when using VPNs

Before the haters skewer me, understand that if this has been reported for 2 years, this is definitely far, far beyond the "center of everything we do" at Apple. It's an outright service fault, a data leak, a real, reported problem with core architecture that has been unresolved. Apple deserves a kick in the pants to fix this ASAP.
 
The headline and the article are misleading (Horowitz's headline: "VPNs on iOS are a scam" is particularly misleading because that is not what his data show). As far as others could reproduce (check out some Ars comments), one issue is that pre-existing connections are not always broken and then routed through the VPNs. There are fixes to that if it's an issue for someone, although the fixes could be disruptive (severing all preexisting connections, connecting to a VPN, going back to all the connections).

The other issue is the "leaking" of some connections to Apple servers (and a couple other servers apparently). These leaks are specific connections to specific servers that are split and do not appear to go through the VPN. Most new connections, however, go through and stay within the VPNs (except in the limited instances covered in the article). Whether or not this is a legitimate security risk needs additional investigation. For almost everyone, it's not likely to be an issue.

/I'm not acting as an Apple apologist here -- it looks like something needs to be fixed and Apple engineers should fix it. All I'm doing is pointing out that the issue is much more nuanced than the headline and MR summary suggest. It's definitely not a "VPNs on iOS are a scam" or "VPNs for iOS are Broken" type of issue.
I am not sure why you think the workarounds (airplane mode to sever connections) would be disruptive. Or any more disruptive than what people seem to think should happen automatically - sever all connections and reconnect through the tunnel.

For the most part the VPN apps are simply front ends to the iOS native VPN and I am sure there are internal whitelisted sites for iCloud, Find My, or other Apple internal processes. And I am equally sure that whitelisted traffic is encrypted.

The original purpose of VPNs was for remote business users to access their corporate services. Split tunnels were part of the original spec. Having to disconnect VPN to print on my local network or check my private email that is blocked by corporate policy is a pain. Splitting VPN and local or whitelisted traffic is easy, secure, and solves the inherent problem of all traffic routing through one pipe. Besides the inherent slowdown of routing traffic through other servers it is very easy to get caught by corporate security filters when doing seemingly innocuous search queries while connected. I've been caught for visiting unsafe, gambling, and even porn sites when searching for a coding question and traveling off links from CodeProject. Sometimes an ad on a legitimate site will trigger corporate content filters. And then you are flagged and possibly dealing with policy violation issues. Now, if only iOS gave us some way to manually edit the whitelist.

This really is a lot of nothing. If you are using a VPN for location hiding or spoofing then just be sure to create the tunnel before opening Netflix. Or manually cycle any already open connections.

If you are one of the people using VPN to protect yourself or your sources as other comments have mentioned I would hope that you are diligent about recreating all connections regardless of what iOS is doing with the tunneling.

edit: typos from initial post via iPhone and some clarifications.
 
Of course, no ' monetary ' gain to be made here by Timmy! So, it's extra low priority in the backlog.
 