As with anything Apple this is a flaw due to how internally the company used its own products and platform.

For those of you that have worked for the company, you’d understand what I mean as this specific flaw has everything to do with the fact that Apple used AppleConnect internally for VPN access to its own servers and all of its internal apps go through that App for authentication.

It works for Apple’s own implementation of a VPN internally but doesn’t work externally because apps don’t trigger a VPN when they reach out to the internet on an iOS device.
 
Interesting article: https://arstechnica.com/information...ic-more-than-2-years-later-researcher-claims/

So the "leaked" traffic is existing connections that the VPN app doesn't terminate? The ArsTechnica article makes it seem like it is the app's fault for not re-routing/terminating them?
Minimally, all app developers must adhere to APIs provided by Apple. Since this is reproduced from multiple VPNs installed on multiple versions of iOS, one could assume that not all of them are goofing up the implementation of the API. It is conceivably possible that Apple has a problem here, and not just a single vendor.

And for all that Apple does to claim they care about security and privacy, to ignore this report for 2 years deserves some grief. I mean, I half expect Apple to come back and say "You're VPN-ing it wrong." or "you need to be using this undocumented, unreleased API feature, and yes, it's all the app developers' fault".
 
Minimally, all app developers must adhere to APIs provided by Apple. Since this is reproduced from multiple VPNs installed on multiple versions of iOS, one could assume that not all of them are goofing up the implementation of the API. It is conceivably possible that Apple has a problem here, and not just a single vendor.

And for all that Apple does to claim they care about security and privacy, to ignore this report for 2 years deserves some grief. I mean, I half expect Apple to come back and say "You're VPN-ing it wrong." or "you need to be using this undocumented, unreleased API feature, and yes, it's all the app developers' fault".
Agreed, it is definitely possible. The ArsTechnica article seems to focus on one VPN company specifically tho.

I remember one of the VPNs I used in the past on iOS had a kill switch and that resulted in a lot of apps thinking I had no internet connectivity so I ended up just not using it. In all the years I've used Android and iPhone - VPN on mobile devices hasn't been the greatest experience.

I'd be super surprised to see Apple go out of its way to correct ProtonVPN's VPN handling. It would be nice and appreciated. I can't imagine how many people rely on services like this.
 
Any chance what this researcher is seeing is stuff bypassing the vpn to go to iCloud private relay? I agree that the vpn shouldn’t be bypassed, but without mentioning whether this feature was on or off I’m not sure this is a conclusive test.
I highly doubt that, as the article and researcher state this has been an issue for over two years. Isn’t private relay a new addition to iOS 15?
 
Unbelievable! This iOS bug I just discovered is why my F1 app wouldn’t Airplay when using a VPN, just tried the airplane mode trick and worked fine! I thought the app was blocking it, and it turns out it’s Apple’s bug to cause VPNs to be insecure. I wonder if the VPN providers can sue Apple if they can prove it’s a known bug for over 2 years with no fix?

At least the airplane mode trick seemed to work.
 
I highly doubt that, as the article and researcher state this has been an issue for over two years. Isn’t private relay a new addition to iOS 15?

If I recall Apple has released a lot of new features since iOS 15 surrounding IP traffic, like hiding your tracking, hiding your IP if selected etc. So I won’t be surprised if you are correct.
 
The ArsTechnica article seems to focus on one VPN company specifically tho.
From the arstechnica article:

"Horowitz tested again on iOS 15.5 with a different VPN provider and iOS app (OVPN, running the WireGuard protocol). His iPad continued to make requests to both Apple services and to Amazon Web Services."

I'd be interested in a bit more uniform testing across other VPN vendors, but it definitely went to at least two vendors reproducing the same issue, and at this point I'm willing to strongly assume/suspect we would see similar results due to the overall API restrictions in iOS.
 
VPN: Virtual Private Network.

VPN use cases: to securely gain access to protected, restricted systems.
mY oFfIcIaL vPn UZE kAsE: to bypass geographic/geopolitical restrictions and break the law at multiple locations.

And yet, it is Apple’s fault for the user not having a clue about how the IP stack works at any Windows and Unix systems, but blindly trusts the VPN advertisement they saw on their favorite YouTuber/TikToker that also has no clue, but got a fat paycheck to spread the word about “sEcUrItY” and “PrIvAcY”.

“bUt I hEaRd A sEcUrItY pErSoN rEpOrTiNg It”.

Bring up more pitchforks and torches to burn it all to the ground. We don’t have enough yet.
 
These negative articles by security people are ridiculous. Their attitude is "anything less than 100% security is unacceptable."

That isn't really true, unless you're one of the few thousand people that are being targeted by the government. And even then, it's unlikely that this issue will affect you. Do you have ANSI-1 locks on your doors? If not, then you shouldn't care.

Although network transitions should cause everyone to re-establish their persistent connections, this also could allow a malicious actor to easily MTM all network traffic of the device...which is the downside to the "feature."

Simple workaround: quit all your messaging apps after connecting to a VPN...or restart your phone then start your VPN.
 
These negative articles by security people are ridiculous. Their attitude is "anything less than 100% security is unacceptable."

That isn't really true, unless you're one of the few thousand people that are being targeted by the government. And even then, it's unlikely that this issue will affect you. Do you have ANSI-1 locks on your doors? If not, then you shouldn't care.

Although network transitions should cause everyone to re-establish their persistent connections, this also could allow a malicious actor to easily MTM all network traffic of the device...which is the downside to the "feature."

Simple workaround: quit all your messaging apps after connecting to a VPN...or restart your phone then start your VPN.

The USA isn't the only country in the world.
 
At my level of government I can even see what you’re doing on a VPN so I wouldn’t worry. VPNs aren’t as secure as the common folks think…

Ah I’m just screwing with you, you can take your tin foil hat off ;)
Shady VPN companies spend millions advertising how secure they are, knowing all along about this vulnerability and others not public. Everyone who was notified by their VPN companies about this issue and your risk raise your hand.
 
Shady VPN companies spend millions advertising how secure they are, knowing all along about this vulnerability and others not public.
The VPN company is secure in and of itself.

If the OS from which the VPN is running is not secure, that is an entirely separate problem. It is also not the responsibility of VPN vendors to secure those platforms.

In other words, when you send data through the VPN tunnel, it is as secure as the VPN provider claims it is. In this case, the user assumes the VPN is being used, but it is not. VPN is still secure, the OS is diverting data without anyone's knowledge. Flaw in OS.
 
Shady VPN companies spend millions advertising how secure they are, knowing all along about this vulnerability and others not public.

You are wrong here. Apple has a policy to not allow fraudulent apps on its store right? It claims to vet every single app on the store for its legitimacy yes? This issue is affecting ALL VPNs from small ones to well established brands.
It allows VPNs because Apple full well knows it is its fault or by its design that they do not work correctly. And I don’t know but I’ll take a guess here that there are clauses in the contracts VPNs have with Apple to sell their services which prevent them from publicly calling out Apple.

So please do not just accuse other companies for something Apple is fully aware of and allows to happen daily, for over 2 years now. VPNs are working fine on other platforms. Apple are the ones at fault, not the VPN companies.
 
These negative articles by security people are ridiculous. Their attitude is "anything less than 100% security is unacceptable."

Simple workaround: quit all your messaging apps after connecting to a VPN...or restart your phone then start your VPN.

So much incorrect here.

We expect what is attested to work, to work as expected. If you turn the deadbolt on your door, you expect it to lock. If sometimes you turned it, and it failed to lock, and you didn't know, you would have issue. Same here. It's not 100% security in all things, it's just a binary operation.

But even if you take that at face value, yes - we expect security operations to work as expected. This is not that.

A VPN is designed to divert network traffic for the most part (split-tunnel and other exceptions notwithstanding). When you turn it on and it fails to function as expected, it's a fault. Nothing more, nothing less. However, it's a fault that has been reported for 2 years with no response from a company that vigorously attests even in courts that they won't do customer demanded actions for open storefronts and sideloading under the guise of "security and privacy" and yet turns a blind eye to actual security and privacy technical problems. Just an example, not trying to deflect. Apple does huge publicity on how much they care about security and privacy. This is egg on face.

Workarounds are acceptable bandaids when problems are reported, acknowledged, and solutions forthcoming. In this case, there is not any of that. We just know the problem exists with no recourse at all from Apple. Not an acceptable "workaround" now.
 
Any chance what this researcher is seeing is stuff bypassing the vpn to go to iCloud private relay? I agree that the vpn shouldn’t be bypassed, but without mentioning whether this feature was on or off I’m not sure this is a conclusive test.
Proton found it already in iOS 13. AFAIR, there was no iCloud private relay at that time.

And a security researcher should know (and understand the consequences) if he is using iCloud private relay...
 
Gotta agree here that Apple needs to spend more time fixing their networking code and less time removing useful features and adding ones nobody asked for. I've long noticed that the networking on iOS is, uh, not great. And it was never a good idea and is beyond time to repeal that stupid idea that somehow showing MAC addresses of devices on the network is a security issue. A lot of very poor decisions made, all the while ignoring real underlying problems.

Not just for privacy but for business, people connect to VPNs to access the services behind those VPNs so if it can't route traffic reliably, it's not much use.
 
Well, since the ArsTechnica article makes it seem like it's the VPN app's fault for causing this...
I don't read it like that, but it really doesn't matter that much. We just don't have enough info to place the blame squarely on the VPN's fault, or the OS. However, I expect the VPN guys to know about existing connections and what should be done about them. (it should actually be an option to either kill all connections, or let them be, as there really is a use case for keeping existing connections.)

What I would need to know, is if the OS's IP stack would allow a third party app to send a kill connection signal on other app connections, and this is where I suspect the problem is -- the VPN isn't being allowed to kill the connections. It sounds so like Apple and their allowing their own app connections to bypass a VPN. I knew about the existing connections problem, but I actually have a bigger beef with what the IP stack doesn't pass thru, but that's a whole different discussion.
 