VPNs for iOS Are Broken and Apple Knows It, Says Security Researcher

Third-party VPNs made for iPhones and iPads routinely fail to route all network traffic through a secure tunnel after they have been turned on, something Apple has known about for years, a longtime security researcher has claimed (via ArsTechnica).

settings
Writing on a continually updated blog post, Michael Horowitz says that after testing multiple types of virtual private network (VPN) software on iOS devices, most appear to work fine at first, issuing the device a new public IP address and new DNS servers, and sending data to the VPN server. However, over time the VPN tunnel leaks data.

Typically, when a users connects to a VPN, the operating system closes all existing internet connections and then re-establishes them through the VPN tunnel. That is not what Horowitz has observed in his advanced router logging. Instead, sessions and connections established before the VPN is turned on are not terminated as one would expect, and can still send data outside the VPN tunnel while it is active, leaving it potentially unencrypted and exposed to ISPs and other parties.

"Data leaves the iOS device outside of the VPN tunnel," Horowitz writes. "This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6."

Horowitz claims that his findings are backed up by a similar report issued in March 2020 by privacy company Proton, which said an iOS VPN bypass vulnerability had been identified in iOS 13.3.1 which persisted through three subsequent updates to iOS 13.

According to Proton, Apple indicated it would add Kill Switch functionality to a future software update that would allow developers to block all existing connections if a VPN tunnel is lost.

However, the added functionality does not appear to have affected the results of Horowitz's tests, which were performed in May 2022 on an iPadOS 15.4.1 using Proton's VPN client, and the researcher says any suggestions that it would prevent the data leaks are "off base."

Horowitz has recently continued his tests with iOS 15.6 installed and OpenVPN running the WireGuard protocol, but his iPad continues to make requests outside of the encrypted tunnel to both Apple services and Amazon Web Services.

As noted by ArsTechnica, Proton suggests a workaround to the problem that involves activating the VPN and then turning Airplane mode on and off to force all network traffic to be re-established through the VPN tunnel.

However, Proton admits that this is not guaranteed to work, while Horowitz claims Airplane mode is not reliable in itself, and should not be relied on as a solution to the problem. We've reached out to Apple for comment on the research and will update this post if we hear back.

Popular Stories

iPhone 17 Pro Render Front Page Tech

iPhone 17 Pro Launching Later This Year With These 8 New Features

Tuesday March 4, 2025 3:15 pm PST by
While the iPhone 17 Pro and iPhone 17 Pro Max are not expected to launch until September, there are already plenty of rumors about the devices. iPhone 17 Pro's alleged design via Front Page Tech Below, we recap key changes rumored for the iPhone 17 Pro models as of March 2025: Aluminum frame: iPhone 17 Pro models are rumored to have an aluminum frame, whereas the iPhone 15 Pro and iPhone...
iPhone 16 Pro vs iPhone 17 Air Feature

iPhone 17 Air and 17 Pro Max Allegedly Same Size Apart From Thickness

Friday March 7, 2025 2:45 am PST by
Apple's all-new ultra-thin iPhone 17 Air shares the same dimensions as the iPhone 17 Pro Max, with the only difference being in the thickness of the devices, according to the leaker Ice Universe. Posting to their Weibo account, the Chinese leaker today claimed that the iPhone 17 Air and iPhone 17 Pro Max have identical body length, width, screen size, and bezels. "The only difference is the...
Apple Intelligence General Feature

Apple Delays Apple Intelligence Siri Features

Friday March 7, 2025 9:35 am PST by
Apple is delaying some of the Apple Intelligence Siri features that it expected to release in iOS 18, an Apple spokesperson said in a statement to Daring Fireball. Apple says that it is going to take longer than expected to roll out the more personalized Siri experience, and that these features will be rolled out "in the coming year.""Siri helps our users find what they need and get things...
Apple MacBook Air hero

Apple Says New MacBook Air Up to 23x Faster Than Intel-Based Model, But Read the Fine Print

Thursday March 6, 2025 1:46 pm PST by
Apple has a staggering marketing claim for the new MacBook Air with the M4 chip. Specifically, Apple says the new MacBook Air is up to 23x faster than the last Intel-based model. However, there are some details in the fine print to be aware of. First, Apple said it compared a new 2025 MacBook Air with a 10-core M4 chip and 32GB of RAM to a 2020 MacBook Air with a quad-core Intel Core i7...
iphone 17 pro asherdipps

iPhone 17 Pro Max Said to Be Thicker to Accommodate Larger Battery

Friday March 7, 2025 2:47 am PST by
Apple has increased the thickness of the upcoming iPhone 17 Pro Max compared to the current generation iPhone 16 Pro Max, claims the Chinese leaker known as Ice Universe. Apple is said to have increased the depth of the iPhone 17 Pro Max to 8.725mm, up from 8.25mm on the iPhone 16 Pro Max, which would be a 0.475mm difference in thickness. The increase "surely means a larger battery,"...
Apple MacBook Air hero

New MacBook Air Quietly Fixes This Decades-Long Design Oversight

Friday March 7, 2025 6:58 am PST by
In a move that probably won't make headlines but should delight detail-oriented Mac users everywhere, Apple has quietly corrected a 26-year-old design inconsistency on its keyboards. The Mute key, a staple on Mac keyboards since the PowerBook G3 'Lombard' debuted in 1999, has finally received a logical redesign on the new MacBook Air with M4 chip. As spotted by iCulture, the key now displays ...
2016 12 inch macbook feature

Apple Introduced Its Most Controversial MacBook 10 Years Ago Today

Sunday March 9, 2025 1:00 am PST by
Apple announced the infamous 12-inch Retina MacBook a decade ago today, an experimental new Mac that was as controversial as it was revolutionary. Apple unveiled the 12-inch MacBook on March 9, 2015, at the "Spring Forward" event in San Francisco, California. The event was primarily focused on the Apple Watch, which was being fully detailed ahead of its launch the following month, so the...
ipad air magic keyboard feature

Everything Apple Announced This Week

Wednesday March 5, 2025 4:03 pm PST by
It's been a busy week for Apple, with new products announced on Tuesday and Wednesday. We're now caught up on what's been rumored for a spring launch, so we thought we'd recap everything Apple came out with this week. Subscribe to the MacRumors YouTube channel for more videos. iPad Air Apple updated the iPad Air on Tuesday, updating it with the new M3 chip. The iPad Air still comes in...
Apple Summer 2025 Feature 1

Here Are the New Apple Products We're Expecting This Summer

Friday March 7, 2025 7:09 am PST by
Now that Apple has announced its new more affordable iPhone 16e, and new MacBook Air and Mac Studio models with M4 and M3 Ultra chips, we thought we'd provide a quick recap of what else we are expecting from the company in the summer months ahead. There are at least three product categories that we are hoping to see some movement in before summer is over, but of course, nothing is...

Top Rated Comments

xxray Avatar
34 months ago
I remember this getting reported on a couple years ago, and never getting an update. I just assumed it had been fixed.

I’m so glad my privacy has been compromised for the last 2.5 years and still is being compromised while Apple knows about it and does nothing about it.
Score: 64 Votes (Like | Disagree)
antiprotest Avatar
34 months ago
While other companies screw you on the cloud, Apple screws you "on device."
Score: 44 Votes (Like | Disagree)
BootsWalking Avatar
34 months ago
This may seem like a benign annoyance but some people rely on VPNs for very important situations, like reporters who need it to protect their sources or themselves.
Score: 44 Votes (Like | Disagree)
arkitect Avatar
34 months ago
Ah, well that probably explains why on my last trip to *cough* a country that shall remain unnamed, but where the Fruit company has many things manufactured *cough* my VPN went tits up and I was unable to use my favourite search engine.

FFS Apple!
Score: 31 Votes (Like | Disagree)
VulchR Avatar
34 months ago
Nice to know Apple was faffing about with CSAM stuff while this vulnerability just sat there. Perhaps Apple should refund those of us who pay for VPN services? I live in the UK, where pretty much everybody, at every level of government, can gain access to your browsing history unless you use a VPN.
Score: 29 Votes (Like | Disagree)
JM Avatar
34 months ago
Come on, y’all. Little ol’ Apple is doing the best they can. Bless their heart.
Score: 24 Votes (Like | Disagree)