The iPhone VPN service still doesn’t seem to be running properly. A security researcher warns of leaks, especially from Apple’s own apps.
Apparently, Apple still hasn’t gotten a grip on problems with the VPN function of the iPhone. After there were reports in August about possible data leaks – i.e. content that did not flow through an active VPN tunnel as desired by the user – further errors of this type have now been discovered. Apparently, apps from Apple itself are particularly affected.
A hole in the tunnel
VPN services on the iPhone are supposed to ensure that all data traffic is routed through the selected tunnel, so that the network operator or the provider of a Wi-Fi hotspot cannot gain insight into the user’s content. This is especially important for users in companies; but private users can also benefit from VPN services, for example in regions with strong surveillance.
Errors appeared here in iOS 15 up to version 15.6 – including iPadOS. Security researcher Michael Horowitz was able to prove to Apple that certain connections that existed before the VPN tunnel was established remain active system-wide even after the VPN is activated. These included connections to Apple’s in-house push server and to email providers, including Gmail. Similar bugs are said to have existed in iOS 13; as a possible workaround, it was suggested at the time to briefly activate airplane mode. But even after that, some connections outside the tunnel remained.
It’s still leaking
In addition to the problems disclosed by Horowitz, the German-Canadian security researcher Tommy Mysk has now discovered a number of other leaks as part of renewed tests. These are still present even in iOS 16, which was only released in September. Mysk was able to prove that Apple services such as Maps, Wallet, and even the Health app make data requests outside of the VPN. The Apple Store, Files app, Find My, Settings, and Clips are also said to be affected. “Worse, DNS queries are also leaked,” writes the security researcher, who also develops apps himself. A video shows Mysk’s experiments with Wireshark.
The security researcher believes that Apple deliberately excludes its apps from the VPN connection. “But the amount of traffic we’ve seen is greater than we thought.” Services that frequently need to contact Apple, such as Find My and push notifications, are one thing. But these can also be sent through the tunnel. If Apple itself sees a security problem in VPN applications, the company could declare them as browsers that require special entitlements, Mysk told 9to5Mac.
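The following is an added example, not code from the article or from Mysk's tests: one way to check a capture for the off-tunnel traffic and DNS queries described above. It assumes the capture was taken on a gateway upstream of the device and exported as CSV rows; the function name, column layout and all addresses are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample: flows seen on a gateway upstream of the test device,
# exported from a capture as src,dst,proto,dst_port. All addresses are
# private or documentation ranges, not values from the article.
SAMPLE_CAPTURE = """\
src,dst,proto,dst_port
192.168.1.50,203.0.113.10,udp,51820
192.168.1.50,198.51.100.7,tcp,443
192.168.1.50,192.168.1.1,udp,53
192.168.1.50,203.0.113.10,udp,51820
192.168.1.23,198.51.100.9,tcp,443
192.168.1.50,224.0.0.251,udp,5353
192.168.1.50,198.51.100.7,tcp,443
"""


def find_leaks(capture_csv, device_ip, vpn_server_ip):
    """Return flows from device_ip that bypass the tunnel, de-duplicated.

    Each result is (dst, proto, dst_port, kind); kind is "dns" for port-53
    traffic and "other" for everything else seen outside the tunnel.
    """
    device = ipaddress.ip_address(device_ip)
    vpn = ipaddress.ip_address(vpn_server_ip)
    leaks, seen = [], set()
    for row in csv.DictReader(io.StringIO(capture_csv)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if src != device or dst == vpn:
            continue  # another host, or the encapsulated tunnel itself
        if dst.is_multicast:
            continue  # assumption: multicast discovery (mDNS) is not counted
        port = int(row["dst_port"])
        key = (str(dst), row["proto"], port)
        if key in seen:
            continue
        seen.add(key)
        leaks.append(key + ("dns" if port == 53 else "other",))
    return leaks


if __name__ == "__main__":
    for dst, proto, port, kind in find_leaks(
            SAMPLE_CAPTURE, "192.168.1.50", "203.0.113.10"):
        print(f"outside tunnel ({kind}): {dst} {proto}/{port}")
```

Resolving the flagged destination addresses to their owners is a separate step; this check only separates tunnel packets from everything else the device sent.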