This is simply false. The initial point of a VPN lies in its name: it's supposed to create a virtual private network. The main purpose of a VPN is to enable private IP addresses to be able to talk with each other, as private IP addresses are not routable on the public Internet.

If a company has 172.16.0.0/12 as their local subnet at work, and some employee needs to access internal resources when outside the corporate network, they would utilise a VPN to have an encrypted connection from their device to the firewall at their corporation, making it possible for said employee to reach resources within this private subnet which would otherwise be impossible.

And this is obviously going to be encrypted so you don't have data that would otherwise be local data within the corporation traverse the public internet for everyone to see.

Hiding your location was never the intent of a VPN. But VPN has evolved since its inception, and today it's often used to not only route specific private subnets, but to route all traffic from a device, thus making it into a privacy tool and possible to be used to make it look like you are coming from a different IP address with a different geo-location.
You said what I wrote was false, then proceeded to say exactly what I said in a different, more technical way.

A VPN was designed to let you remotely access corporate network assets while away from the office. I didn't go into the technical details that you did because the methods aren't relevant.

I didn't say that hiding one's location was the initial intent, but accessing corporate networks means that you're making it look like you're in the office when you're not.

It's the combined abilities of virtually appearing to be in a different location and to hide the nature of your communication that have been co-opted by modern VPN companies to ostensibly make you more secure.
 
Not to mention that there’s another bug with Open VPN protocol that is not being fixed since iOS 9. Due to this bug, App Extensions can’t control VPN using custom protocols – Siri Intents Extension in this case, in order to run shortcuts in the background. Only native VPN protocols work (IKEv2, IPsec etc.). The outcome is that Siri Shortcuts for VPN don’t execute in background.
 
No need to worry. Apple was just waiting for all their employees to be back in the office before fixing this.
 
The article wasn’t entirely clear on where the fault ultimately lay. So if VPN apps don’t work right on iOS, why then are the parent companies still offering them for sale on the iOS App Store, much less keeping quiet about it?
The article was pretty clear it’s an exclusive iOS issue that VPN makers can’t fix.

iOS fails to close down existing network connections and route them through the VPN. The issue only existed in iOS 13, 14 and 15.
 
This is really, really bad. A major scandal the likes of which I don't think Apple's ever had

Just the privacy implications for all Apple users is enough but the human rights abuse possibilities alone for political dissidents is what's really horrifying

Is this seriously what you took from the article?
Bootlickers gonna lick boots

It's entirely Apple's fault, just like they have many apps that ignore the VPN in macOS. VPN security is clearly not their priority. This hasn't been addressed in years.

I was giving Apple the benefit of the doubt that this was a mistake, but the fact that it's happening in macOS and iOS makes it seem more intentional and malicious. Especially since the bug has been reported for years.

The more I learn about the situation the worse it gets
 
This is the backdoor for governments. This is also the way to earn ads revenue.
 
I honestly didn't realize that Apple's VPN was the problem. I always blamed it on my ISP or mobile carrier and called to yell at them... Now I feel bad. :(
 
I've been following this situation on a few forums, and it's debatable that Apple "screwed up VPN", really. The first thing people need to understand is that a VPN can be used for 2 completely different purposes. Some people use it as a method of accessing company resources behind a firewall. Others rely on it as a privacy tool, to hide all of their Internet traffic's true source location.

The iOS implementation of VPN works just fine for the former use-case, but maybe not so well for the latter.

From what I read from a couple of people who packet-sniffed the traffic to learn more about it? What they observed was that certain network connections coming from iOS itself and its services continued to communicate outside the VPN after the VPN was connected. (There was data going out on port 443 to both an Apple and a Microsoft server as well as a bit of traffic going to some high numbered ports to another Apple server.) On the other hand? Applications like "WhatsApp" that were started before the VPN was connected stopped showing up as communicating outside the VPN tunnel, after it was established.

It sounds to me like Apple purposely designed things so they're keeping some of their iOS traffic from traveling through a VPN connection (maybe things like FindMy, notifications, etc.). Beyond that? If people are seeing other apps not switching to using the VPN when it's connected, it could be bugs with how those applications handle changes in connection status? Obvious solution there is to make sure you connect your VPN *before* you launch your apps that need to securely communicate through it.
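As an added illustration (not from any poster in this thread), here is a small check over per-packet flow observations that separates the two behaviours described above: connections that were already open before the tunnel came up and were never re-routed, and new connections that bypass the tunnel after it is up. The interface name, timestamps and addresses are constructed, and an optional list of split-tunnel exceptions is assumed so that deliberate bypasses are not reported as leaks.

```python
import ipaddress
from datetime import datetime

# Constructed sample observations: "<ISO time> <egress iface> <dst_ip>:<dst_port>".
# Addresses come from RFC 5737 documentation ranges; this is not a real capture.
SAMPLE_OBSERVATIONS = """\
2022-08-17T10:00:01 en0 203.0.113.10:443
2022-08-17T10:00:02 en0 198.51.100.7:443
2022-08-17T10:00:05 utun2 172.16.20.5:22
2022-08-17T10:00:06 en0 203.0.113.10:443
2022-08-17T10:00:09 en0 198.51.100.7:443
2022-08-17T10:00:10 utun2 203.0.113.55:443
2022-08-17T10:00:12 en0 203.0.113.99:5223
"""
VPN_UP = datetime.fromisoformat("2022-08-17T10:00:04")  # assumed tunnel-up time
TUNNEL_IFACE = "utun2"                                   # assumed tunnel interface name


def parse_observations(text):
    """Yield (time, iface, dst_ip, dst_port) from the line format above."""
    for line in text.strip().splitlines():
        ts, iface, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        yield datetime.fromisoformat(ts), iface, ipaddress.ip_address(ip), int(port)


def find_leaks(observations, vpn_up, tunnel_iface, bypass_allowed=()):
    """Return {(dst_ip, dst_port): "pre-existing" | "new"} for every flow seen
    leaving a non-tunnel interface after vpn_up.  A flow first seen before
    vpn_up is the 'existing connection not re-routed' case; one first seen
    afterwards is a fresh bypass.  Destinations inside bypass_allowed are
    treated as deliberate split-tunnel exceptions and skipped."""
    allowed = [ipaddress.ip_network(n) for n in bypass_allowed]
    first_seen = {}
    leaks = {}
    for ts, iface, ip, port in observations:
        key = (str(ip), port)
        first_seen.setdefault(key, ts)
        if ts < vpn_up or iface == tunnel_iface:
            continue  # before the tunnel existed, or correctly tunnelled
        if any(ip in net for net in allowed):
            continue  # explicit exception, not a leak
        leaks[key] = "pre-existing" if first_seen[key] < vpn_up else "new"
    return leaks
```

Running it on the sample reports the two 443 flows that predate the tunnel as pre-existing leaks and the later 5223 flow as a new bypass, while the two tunnelled flows are ignored.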

great write up but this part -
Obvious solution there is to make sure you connect your VPN *before* you launch your apps that need to securely communicate through it.
It shouldn't be this way, nor is it obvious. If Apple doesn't want to route everything, the best solution otherwise is a toggle switch in settings per-app.
 
Agreed, it is definitely possible. The ArsTechnica article seems to focus on one VPN company specifically tho.

I remember one of the VPNs I used in the past on iOS had a kill switch and that resulted in a lot of apps thinking I had no internet connectivity so I ended up just not using it. In all the years I've used Android and iPhone - VPN on mobile devices hasn't been the greatest experience.

I'd be super surprised to see Apple go out of its way to correct ProtonVPN's VPN handling. It would be nice and appreciated. I can't imagine how many people rely on services like this.

Proton made users aware of this a while back (2020) and the AM trick. Maybe Proton is the only one really talking about it?
 
Proton made users aware of this a while back (2020) and the AM trick. Maybe Proton is the only one really talking about it?
Definitely curious. You'd think if this was a problem with all VPNs that would be stated, instead of just mentioning 2 in the ArsTechnica article... <shrug>. I have more questions now than I did earlier this morning.

One definitely has to wonder. Fun seeing all these people who are SURE it is one way or the other. :D

Hopefully this gets someone to fix this and make life better/more secure for us all!
 
I don't read it like that, but it really doesn't matter that much. We just don't have enough info to place the blame squarely on the VPN's fault, or the OS. However, I expect the VPN guys to know about existing connections and what should be done about them. (it should actually be an option to either kill all connections, or let them be, as there really is a use case for keeping existing connections.)

What I would need to know is if the OS's IP stack would allow a third party app to send a kill connection signal on other apps' connections, and this is where I suspect the problem is -- the VPN isn't being allowed to kill the connections. It sounds so like Apple and their allowing their own app connections to bypass a VPN. I knew about the existing connections problem, but I actually have a bigger beef with what the IP stack doesn't pass thru, but that's a whole different discussion.

If I remember correctly this was (or something like it) an issue on the Mac and Apple changed that back in 2021.
 
I wonder how many 'bad guys and bad girls' lost their lives due to thinking they were safe using a VPN on their Apple iPhone, only that they were not safe because their iPhone was leaking their true IP address to anyone that was watching/investigating them (other bad guys and bad girls).

Just a guess - nobody?
 
While this is a bug that should get fixed, you have to recall that for the initial intent of VPN this is not really an issue. A VPN was designed and intended to make your machine look like it's on another network in another location.

Almost correct - a VPN tunnel is meant to give you _access_ into another network. Like your example - VPN in to a corporate network which is otherwise inaccessible. That's why it is called a virtual private network.

Apple supports this just fine. What they don't support is saying - all network traffic, including traffic which may be more efficient to send in another way or which there may be an existing socket already established, will now only go over VPN.

There are a lot of other examples of this - for instance, the phone will switch to cellular if wifi is broken. The VPN is just another network connection with its own priority for routing.

For the overwhelming majority of people, even if your traffic (likely https, or other SSL encrypted data) bypasses the VPN, the only thing anyone between you and the server can see is that you are connecting to the server; the data itself is most likely still secure and private.

Yep. Many enterprise VPNs will not route (or even resolve) external addresses. Why do they want all of Youtube going through their corporate firewall?

Hell is being on a VPN and trying to hit a site with both internal and external DNS records.

VPNs aren't the magic panacea of privacy that those who sell them to you want you to believe they are, unless you 100% trust the admins there to not be snooping on you for their own gains.

This as well. The Apple private relay actually is implemented in multiple stages (and deployed by different vendors) so that no party knows all of your Apple ID/hardware identifiers, where you are coming from, and where you are going to.

Using a typical VPN for privacy, however, only makes sense when you can trust your VPN vendor more than your ISP - and in this age of TLS usage that really means more about metrics (DNS lookups, server activity).
 
Just a guess - nobody?
There are two vendors, really, in the mobile space.

If you're going to take security seriously, you simply don't have problems like this. Or, at the minimum, you take these problems very seriously and quickly. If you don't, you drive people to the other vendor by default.

For security conscious people, a lack of response in this space is synonymous with no security.

If someone were to really have a personal great impact as a result of this, the implications to the vendor would be far, far worse. So the strawman argument of "well it hasn't killed anyone -- yet" is not a safe haven to start your argument from.

Two years and counting.
 
Everybody knows that, unless you're an expert on private security, you cannot become completely private or untraceable.

That said...having a paid service not working as advertised, it's pretty grim...

That said it's pretty weird that no VPN company (there are loads these days) has ever mentioned this it seems...
I know it's counterintuitive business wise, but still...
 
... except you know, at the core level where we leak data like a sieve when using VPNs

Before the haters skewer me, understand that if this has been reported for 2 years, this is definitely far, far beyond the "center of everything we do" at Apple. It's an outright service fault, a data leak, a real, reported problem with core architecture that has been unresolved. Apple deserves a kick in the pants to fix this ASAP.

This is likely not considered a bug.

VPNs are meant to give access to private networks. They were not created to shovel data halfway around the globe and back, data meant for the public internet, to hide an IP address.
 
This is likely not considered a bug.

VPNs are meant to give access to private networks. They were not created to shovel data halfway around the globe and back, data meant for the public internet, to hide an IP address.

A VPN is designed to tunnel networking from an endpoint to an endpoint. It doesn't matter where the target is - the other end of that endpoint. Sometimes it's a workplace, sometimes it's a location, etc.

VPNs are used to allow the source to channel data from the source using that tunnel to the target. So if I were in Starbucks, I could use a VPN to connect to work, knowing that all of my data was encrypted to be sent using the VPN tunnel to my work.

We are saying the same thing, but I strongly believe it's a bug within iOS that the data from the source endpoint is not being sent along the endpoint. This is fundamentally what the original article is about. When using a VPN (split-tunneling and exceptions notwithstanding), you EXPECT all data to use that VPN.

It's not about hiding the IP address, and it's not really meant to bypass the internet. It's about obfuscating the data that is sent so that anything outside of that tunnel cannot observe / read that traffic.

Let's not all start redefining this report as if it's really not a problem. It absolutely is. Network routing using a VPN should not fundamentally allow ad hoc changes in destination as reported by the original author.

When I set up a VPN, and I expect ALL traffic to flow via the VPN, ... I'm sorry to be simple but ALL = ALL. What is being reported is that ALL changes to "Mostly ALL" or "Some" ... without any knowledge from the user. That's a hole. Again, VPNs are pretty intelligent nowadays, and I'm not counting split tunnels or exceptions, but this is basic network routing logic that has been around forever with target gateways.
 
The VPN company is secure in and of itself.

If the OS from which the VPN is running is not secure, that is an entirely separate problem. It is also not the responsibility of VPN vendors to secure those platforms.

In other words, when you send data through the VPN tunnel, it is as secure as the VPN provider claims it is. In this case, the user assumes the VPN is being used, but it is not. VPN is still secure, the OS is diverting data without anyone's knowledge. Flaw in OS.

Incorrect. They sold their products specifically to solve a problem. They provided an app in the App Store to turn it on and off, with a big green mark once turned on.

That app doesn't solve the problem they marketed that it did, it doesn't solve the problem when turned on as they represented it does. They didn't warn their customers when they knew that their product was deficient.

They don't get a pass for this sort of stuff just because 'Apple doesn't let our product do what we claimed it did'. Apple doesn't let companies do all sorts of stuff they'd like to with/to iOS devices.
 
Incorrect. They sold their products specifically to solve a problem. They provided an app in the App Store to turn it on and off, with a big green mark once turned on.

That app doesn't solve the problem they marketed that it did, it doesn't solve the problem when turned on as they represented it does. They didn't warn their customers when they knew that their product was deficient.

They don't get a pass for this sort of stuff just because 'Apple doesn't let our product do what we claimed it did'. Apple doesn't let companies do all sorts of stuff they'd like to with/to iOS devices.
I'm not really quite sure of the point you're making here, but the VPN vendors don't have responsibility for the API viability within iOS. They just secure themselves. If iOS doesn't work right, or they can't get network routing correct at the core level of iOS, or iOS can't route data consistently using the VPN, that's not an ISV's fault. All an ISV can do is utilize an API, provided by Apple, written by Apple, supported by Apple.

Edit: My quote was that the VPN in and of itself is secure - it does what it attests to do. At least on operating systems other than iOS. Because... APIs. Considering that multiple VPNs have this issue with iOS based VPNs, at least from where I'm sitting, this isn't a VPN problem. It's an Apple problem.
 