The duo of security researchers called ‘Mysk’ report that their tests show that the latest stable version of iOS, 16.6, and the one before it, 16.5.1, still bypass VPNs.
The services found to bypass VPN connections include Apple Maps and Apple Push Notification, while even the security-bolstered “Lockdown Mode” isn’t excluded from the dangerous behavior.
This means that Apple iPhone devices send and receive some network traffic in unencrypted form regardless of whether the user has enabled a VPN connection, leaving them exposed to limited profiling, traffic interception, snooping, browsing history logging, and blocking.
The same peculiar behavior was confirmed on iPadOS 17 beta 3, a special iOS version for Apple tablets, expected to be fully released in September 2023. The presence of the problem in multiple iOS versions, even the third beta of the upcoming major release, is disheartening when considering Apple’s priority in fixing the issue.
Mysk first discovered and reported the issue of Apple services communicating outside active VPN tunnels, and leaking DNS requests, in October 2022. The services found to ignore VPN tunnels back then were Apple Health, Maps, and Wallet, which carry sensitive user data. Possibly, Apple has set iOS devices to bypass VPN connections for some data exchanges for years, although it’s unclear when this practice started.
Previously, the tech giant suggested that VPN app developers should ensure that their clients use and set the “includeAllNetworks API,” however, Mysk’s tests showed that even with Proton VPN that sets this flag, the bypassing still occurs. In fact, the same behavior is observed across all VPN products the researchers tested on the iOS.
Apple seems to have made the decision to continue routing some traffic outside active VPN configurations, overriding user settings potentially due to security, functionality, or other reasons. However, this decision does not appear to have been adequately communicated to VPN vendors and users, causing confusion within the community regarding the scope and effectiveness of their iOS VPN tools.
RestorePrivacy has contacted Apple for a comment on the above, asking if they plan to change the VPN exclusion behavior in a future version of the iOS, but we have not received a response by publication time.
Despite using a VPN, many applications on Android, including WeChat and WhatsApp, will still access your actual location even if you use a GPS location spoofer. However, it appears that no one is criticizing Android for this issue.
What does have you do with Apple?
Mullvad has known about this for years:
https://mullvad.net/en/blog/2020/5/4/ios-vulnerability-puts-vpn-traffic-risk/
How to mitigate the iOS vulnerability
Internet connections that are established after connecting to a VPN are unaffected, but connections that are already running are at risk.
To ensure that all of your traffic is secure, do the following:
Connect to Mullvad VPN.
Enable Airplane Mode.
Turn off Wi-Fi if it’s on.
Disable Airplane Mode.
As noted and linked in the article, Proton also pointed this issue out years ago in March 2020, I believe before Mullvad.