If a company has 172.16.0.0/12 as their local subnet at work, and some employee needs to access internal resources while outside the corporate network, they would use a VPN to get an encrypted connection from their device to the firewall at their corporation, making it possible for said employee to reach resources within this private subnet, which would otherwise be impossible.

And this is obviously going to be encrypted, so you don't have data that would otherwise be local to the corporation traversing the public internet for everyone to see.

Just a clarification, MOST standardized VPN protocols do not define encryption, and the operating systems are happy to let you set up unencrypted tunnels. This is one of the severe problems with VPN support in operating systems - the encryption piece is highly desirable, but generally proprietary to each product.

The reason Apple allows VPN apps in their store isn't because of consumer value, but because the apps implement the proprietary bits of the VPN products. Ironically, MOST of these apps and services are just OpenVPN behind the scenes.
 
Just a clarification, MOST standardized VPN protocols do not define encryption,

Even PPTP was encrypted two decades ago.

The reason Apple allows VPN apps in their store isn't because of consumer value, but because the apps implement the proprietary bits of the VPN products.

iOS doesn't implement a lot of VPN protocols, so it's good that they've eventually (ca. iOS 9?) allowed third parties to fill in the void.

Ironically, MOST of these apps and services are just OpenVPN behind the scenes.

Yes, but OpenVPN itself isn't actually included in iOS. If you use an entirely open-source, non-proprietary OpenVPN solution, you still need an app in iOS to actually use it, because iOS does not ship that protocol at all.
 
This is likely not considered a bug.

If:

  • without the VPN, a route to IP address 1.2.3.4 gets handled through the ISP,
  • with the VPN, the route gets replaced by one handled by the VPN server,
  • a connection exists before connecting to the VPN,
  • after connecting, that connection continues to exist, with the now-outdated route,

then that's at least a problematic behavior, if not outright a bug.
I'm confident that that a solution to this problem will be announced to us by Apple.
But first, a back door must be created to appease the almighty host.
 
So, how do I check if my VPN works as intended or only pretends to?
Set up your phone to be Wi-Fi only.
Start the VPN on your phone.
Inspect all traffic on your Wi-Fi network gateway to determine over time whether there is traffic going from your phone to any destination other than the VPN target. May take a while (per the article). I'd do a day of logging.
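The gateway-logging check described in the post above, worked through as an added example (this is not code from the post, the article, or any VPN vendor). It assumes the gateway can export per-flow records in a simple "timestamp proto src:port -> dst:port bytes=N" form; the phone address, VPN endpoint, WireGuard port, VPN start time and every log line below are constructed placeholders, and the destination addresses are not taken from Horowitz's logs. Any flow from the phone that does not go to the VPN endpoint after the VPN was switched on is a leak; the script further splits leaks into flows that already existed before the VPN came up (the stale-connection behaviour the article describes) and flows opened afterwards (which would mean the tunnel's routing is not working at all).

```python
import ipaddress
import re
from datetime import datetime

# All addresses, ports, times and log lines below are constructed for this example.
PHONE_IP = ipaddress.ip_address("192.168.1.23")
LAN = ipaddress.ip_network("192.168.1.0/24")
VPN_SERVER = ipaddress.ip_address("203.0.113.10")   # TEST-NET-3 stands in for the VPN endpoint
VPN_PORT = 51820                                     # WireGuard's default UDP port
VPN_UP_AT = datetime(2022, 8, 18, 10, 0, 0)          # the moment the VPN app was switched on

SAMPLE_LOG = """\
2022-08-18T09:58:12 tcp 192.168.1.23:50213 -> 17.253.144.10:443 bytes=1260
2022-08-18T09:59:40 tcp 192.168.1.23:50214 -> 52.94.236.248:443 bytes=900
2022-08-18T10:00:03 udp 192.168.1.23:60001 -> 203.0.113.10:51820 bytes=148
2022-08-18T10:00:35 tcp 192.168.1.23:50213 -> 17.253.144.10:443 bytes=2310
2022-08-18T10:01:10 udp 192.168.1.23:60001 -> 203.0.113.10:51820 bytes=10240
2022-08-18T10:02:47 tcp 192.168.1.23:50377 -> 52.94.236.248:443 bytes=400
2022-08-18T10:03:00 tcp 192.168.1.44:40001 -> 93.184.216.34:80 bytes=300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse(log_text):
    """Yield (ts, proto, src, sport, dst, dport, nbytes) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in another format rather than guessing at them
        yield (datetime.fromisoformat(m["ts"]), m["proto"],
               ipaddress.ip_address(m["src"]), int(m["sport"]),
               ipaddress.ip_address(m["dst"]), int(m["dport"]), int(m["bytes"]))


def analyze(log_text, phone_ip=PHONE_IP, vpn_server=VPN_SERVER,
            vpn_port=VPN_PORT, vpn_up_at=VPN_UP_AT, lan=LAN):
    """Classify the phone's post-VPN traffic as tunnelled, stale leak or new leak."""
    first_seen = {}   # flow key -> timestamp of the first record for that flow
    result = {"tunnel_bytes": 0, "stale_leaks": [], "new_leaks": []}
    for ts, proto, src, sport, dst, dport, nbytes in parse(log_text):
        if src != phone_ip:
            continue
        key = (proto, sport, dst, dport)
        first_seen.setdefault(key, ts)
        if ts < vpn_up_at:
            continue  # before the VPN was up nothing is expected to be tunnelled
        if proto == "udp" and dst == vpn_server and dport == vpn_port:
            result["tunnel_bytes"] += nbytes
            continue
        if dst in lan or dst.is_multicast or dst.is_link_local:
            continue  # LAN chatter (gateway, mDNS) is not what the tunnel is meant to cover
        record = {"when": ts.isoformat(),
                  "flow": f"{proto} :{sport} -> {dst}:{dport}",
                  "bytes": nbytes}
        if first_seen[key] < vpn_up_at:
            result["stale_leaks"].append(record)   # connection predates the VPN: old route kept
        else:
            result["new_leaks"].append(record)     # opened after the VPN: routing itself bypassed
    return result


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print(f"tunnelled bytes: {r['tunnel_bytes']}")
    for kind in ("stale_leaks", "new_leaks"):
        for rec in r[kind]:
            print(f"{kind}: {rec['when']} {rec['flow']} {rec['bytes']} bytes")
```

On the sample data the only stale leak is the TCP session to port 443 that was opened at 09:58 and kept sending after the VPN came up at 10:00, which is exactly the pattern the article reports; a leak in the "new" bucket would point at a different, worse problem. Real gateway exports (conntrack, NetFlow, a pcap summarised with tshark) need their own parser in place of `LINE_RE`, and a VPN that uses TCP or a non-default port needs the tunnel test adjusted.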
We’re suckers to believe that privacy exists on the Internet.

Describing devices as “smart” is misleading—they ain’t smart, they’re just connected.
 
So if I were in Starbucks, I could use a VPN to connect to work, knowing that all of my data was encrypted to be sent using the VPN tunnel to my work.
iOS does not shut in-progress sessions down when a VPN tunnel is established, and that is not inherently a bug, since a change in the local device routing protocol where the previous path is still available is expected to work on any standard IP-based implementation. None of the RFCs governing tunnels such as GRE or IPsec have such a requirement, therefore this is up to the implementing software company to extend its security model as they see fit.

This can at best be considered an oversight, since the iOS Network API could notify the application owner of such a session of the routing change, and force the application to reload and securely resume the data transfer over the tunnel with this new session now open, instead of shutting the session down with a reset to the application and forcing the user to take action, or just blindly letting data go unsecured through the now secured connection. But calling it a bug is pure clickbait.
Errrm. Have you not read the article?

Here let me quote you the very first sentence of MR's article:

You are also apparently unaware of the draconian levels of surveillance in some countries. So as a traveller you need a trustworthy secure VPN to do some very basic and I'll add perfectly legal things…
So all it takes is just one slip up and you are exposed and compromised.

Now, admittedly you might not have a problem with that, so each to their own.
I know this is a bad problem but if you think some $99 a year VPN is going to keep your traffic secure from a nation state…. Umm that’s just not how things work.

It’s great for avoiding kids at Starbucks trying to catch your Internet traffic and you might bypass the parental controls of the fruit company resort that you were visiting but don’t think your traffic is secure. Anything you’re doing online is visible to governments. It’s just a matter of is what you’re doing annoying enough for them to crush you. Be careful out there!
Another reason why Apple needs to focus on software, not hardware. Its software is junk, plain and simple.
Actually I would disagree with you. Their hardware is OK and sometimes great but where they really shine is their operating systems. I have the M2 MacBook Air and if it ran Windows I wouldn’t have bought it. I also have an iPhone 13 Pro Max. Again if it ran android I wouldn’t have bought it.
 
The solution is to use tor, rather than a VPN, if privacy or attempting to be anonymous is your concern. Tor exists on iOS, but is flawed in a few ways. Those looking to surf the internet or communicate with the maximum of privacy or the maximum of anonymity are not going to be using any mobile phone to do so, and they certainly aren’t using a VPN in any case.

So it’s a real true to life non issue with regards to this particular aspect of it and some of the hyperbolic posts in this thread related to it.

A VPN is good for hiding general browsing from your ISP and changing the location of where you’re based for streaming or shopping purposes. That’s it, and this issue does nothing to affect that.
 
My suspicion is that Apple intended its VPN feature primarily for the former use case, connecting to a corporate network for work, and not for extreme privacy requirements.
Funny oversight for the privacy company.
 
It seems to me that all Apple has to do is either add an option to iOS that kills and reconstitutes all connections once a VPN connection is made, or build that option into its API to allow the software vendors to control how their own client will handle it (a universal option in the settings for the app, an option on a VPN-by-VPN basis if you connect to more than one, or to have the developer simply make that call for you and always kill existing connections or never kill them, etc.).

It seems like it’s simply a poorly thought through portion of the VPN API that Apple hasn’t bothered to address because nobody seemed to notice or care up until now.

A wise man once said something like “Never attribute to malice that which can be more easily explained by stupidity” for a reason after all ;)
I'm not really quite sure of the point you're making here, but the VPN vendors don't have responsibility for the API viability within iOS. They just secure themselves. If iOS doesn't work right, or they can't get network routing correct at the core level of iOS, or iOS can't route data consistently using the VPN, that's not an ISV's fault. All an ISV can do is utilize an API, provided by Apple, written by Apple, supported by Apple.

Edit: My quote was that the VPN in and of itself is secure - it does what it attests to do. At least on operating systems other than iOS. Because... APIs. Considering that multiple VPNs have this issue with iOS-based VPNs, at least from where I'm sitting, this isn't a VPN problem. It's an Apple problem.

They have a responsibility to make sure their product works right on the hardware their app is available on, because these companies are the ones getting my money at the end of the day, not Apple.

If they can’t ensure this, then perhaps their VPN apps ought to come with a disclaimer, or perhaps not even be made available on iOS in the first place.

The main takeaway from all this is really that there’s little reason to subscribe to a VPN service on iOS. I haven’t yet, and I likely won’t. Whether it’s an Apple problem or not is irrelevant. Your product model just isn’t viable, period.

But come to think of it, the article doesn’t really touch on the ramifications of this in terms of privacy. Is the data leaked sufficient to identify you/your device? Is the data leaked sufficient to be useful to a bad actor?
They have a responsibility to make sure their product works right on the hardware their app is available on, because these companies are the ones getting my money at the end of the day, not Apple.

If they can’t ensure this, then perhaps their VPN apps ought to come with a disclaimer, or perhaps not even be made available on iOS in the first place.

The main takeaway from all this is really that there’s little reason to subscribe to a VPN service on iOS. I haven’t yet, and I likely won’t. Whether it’s an Apple problem or not is irrelevant. Your product model just isn’t viable, period.
This is why a huge majority of VPNs are basically a scam.

They’re not really considered as privacy protecting in privacy circles in any case.

As I mentioned a few posts ago, Tor is the preferred method for anything more serious than hiding general browsing from your ISP, or changing your location for streaming or shopping purposes.

I use Protonmail, and recently they changed their pricing model so I get ProtonVPN for free. So I use it for streaming and general browsing as I trust them more than my ISP. But there is no way I or anyone else would (should) trust their lives on browsing using any VPN on any system, especially a phone.

So a huge overblown issue by people that think they know about something they don’t really know about. Or, you know, someone who runs a VPN company.
The main takeaway from all this is really that there’s little reason to subscribe to a VPN service on iOS. I haven’t yet, and I likely won’t. Whether it’s an Apple problem or not is irrelevant. Your product model just isn’t viable, period.
Well maybe that's your main takeaway from it. I find a VPN quite useful on iOS. It gets around annoying parental controls on public WiFi. I'm not talking about those sites... It's stupid the categories of sites that some public WiFi block.

If you read the article it just doesn't terminate old connections. That doesn't make the VPN useless. Just pop on Airplane mode, off in ten seconds and guess what... All connections are going through the VPN
 
Actually I would disagree with you. Their hardware is OK and sometimes great but where they really shine is their operating systems. I have the M2 MacBook Air and if it ran Windows I wouldn’t have bought it. I also have an iPhone 13 Pro Max. Again if it ran android I wouldn’t have bought it.
I don't think most people would agree. Sure, after years and years of Apple Silicon, the improvements are diminished, but even since the iPhone 5, Apple Silicon was considered bleeding edge:

Anandtech:
When it comes to hardware, Apple behaves very much like a high-end Android smartphone vendor by putting the absolute fastest silicon on the market in each generation of iPhone.
And that was just the beginning of their increasing leads in performance/battery life.
I don't think most people would agree. Sure, after years and years of Apple Silicon, the improvements are diminished, but even since the iPhone 5, Apple Silicon was considered bleeding edge:

Anandtech:

And that was just the beginning of their increasing leads in performance/battery life.
I'm not saying Apple Silicon isn't good because obviously I buy it. I bought an M1 iMac and now the M2 Air. What I'm saying is the hardware isn't as an important factor as the OS. macOS is what makes a Mac a Mac and iOS makes an iPhone an iPhone. Fast processors are great but without the OS it would not be good. I would buy an Intel i3 MacBook over an Apple Silicon Windows PC.
 
The solution is to use tor, rather than a VPN, if privacy or attempting to be anonymous is your concern. Tor exists on iOS, but is flawed in a few ways. Those looking to surf the internet or communicate with the maximum of privacy or the maximum of anonymity are not going to be using any mobile phone to do so, and they certainly aren’t using a VPN in any case.

So it’s a real true to life non issue with regards to this particular aspect of it and some of the hyperbolic posts in this thread related to it.

A VPN is good for hiding general browsing from your ISP and changing the location of where you’re based for streaming or shopping purposes. That’s it, and this issue does nothing to affect that.

Where are you going to find that?
The little Tor for iOS is only half baked (feature wise) compared to Windows/MacOS/Linux.
 
Actually I would disagree with you. Their hardware is OK and sometimes great but where they really shine is their operating systems. I have the M2 MacBook Air and if it ran Windows I wouldn’t have bought it. I also have an iPhone 13 Pro Max. Again if it ran android I wouldn’t have bought it.
I love macOS but despise iOS. It’s such garbage compared with android.
 
They have a responsibility to make sure their product works right on the hardware their app is available on, because these companies are the ones getting my money at the end of the day, not Apple.

If they can’t ensure this, then perhaps their VPN apps ought to come with a disclaimer, or perhaps not even be made available on iOS in the first place.
This is kind of cyclical. I won't disagree with you, but you'd have to concede the problem isn't inherent to the app, nor is it unique to one app, nor is it easily repeatable or reproducible. Also it should never be the ISV responsibility to test that the OS actually works as expected. This was discovered by a security researcher. It can effectively be classified as improper privacy and security disclosure of data.

For example, if I use an API call to check where you are touching the screen, I should expect, as an app developer, that this crud actually works. Sure I can test it, but I'm not going to test every possible aspect of it. This responsibility falls to the API creator, in this case, APPLE.

Otherwise all apps would come with a disclaimer: "The included functions may not work based upon faulty APIs."

In this particular case, this was reported two years ago to Apple, so there you go. I think the liability isn't the app dev. Sure ISVs share this responsibility, and I bet there are contracts written here, but cmon. We all know that this walled garden is really really tight and no application has ring-0 access to anything. If you're going to reroute network traffic, it's definitely using an API.
This article is referring to VPNs designed for privacy. Corporate VPNs are likely to work fine.

“Likely to work fine” and security don’t mix. You are likely to be fine running software with security vulnerabilities or sharing your password, or not using a VPN; it’s a risk, but the whole point of using a VPN is to be certain you’re using a secure connection that is encrypted end to end and not face that risk.

Not having certainty of something doing what it is supposed to do is a problem.
Third-party VPNs made for iPhones and iPads routinely fail to route all network traffic through a secure tunnel after they have been turned on, something Apple has known about for years, a longtime security researcher has claimed (via ArsTechnica).


Writing on a continually updated blog post, Michael Horowitz says that after testing multiple types of virtual private network (VPN) software on iOS devices, most appear to work fine at first, issuing the device a new public IP address and new DNS servers, and sending data to the VPN server. However, over time the VPN tunnel leaks data.

Typically, when a user connects to a VPN, the operating system closes all existing internet connections and then re-establishes them through the VPN tunnel. That is not what Horowitz has observed in his advanced router logging. Instead, sessions and connections established before the VPN is turned on are not terminated as one would expect, and can still send data outside the VPN tunnel while it is active, leaving it potentially unencrypted and exposed to ISPs and other parties.
Horowitz claims that his findings are backed up by a similar report issued in March 2020 by privacy company Proton, which said an iOS VPN bypass vulnerability had been identified in iOS 13.3.1 which persisted through three subsequent updates to iOS 13.

According to Proton, Apple indicated it would add Kill Switch functionality to a future software update that would allow developers to block all existing connections if a VPN tunnel is lost.

However, the added functionality does not appear to have affected the results of Horowitz's tests, which were performed in May 2022 on iPadOS 15.4.1 using Proton's VPN client, and the researcher says any suggestions that it would prevent the data leaks are "off base."

Horowitz has recently continued his tests with iOS 15.6 installed and OpenVPN running the WireGuard protocol, but his iPad continues to make requests outside of the encrypted tunnel to both Apple services and Amazon Web Services.

As noted by ArsTechnica, Proton suggests a workaround to the problem that involves activating the VPN and then turning Airplane mode on and off to force all network traffic to be re-established through the VPN tunnel.

However, Proton admits that this is not guaranteed to work, while Horowitz claims Airplane mode is not reliable in itself, and should not be relied on as a solution to the problem. We've reached out to Apple for comment on the research and will update this post if we hear back.

Article Link: VPNs for iOS Are Broken and Apple Knows It, Says Security Researcher
This is not a bug. It would be broken if it was a server VPN, but a client should be able to access anything on its network.
 