A few years ago, engineers at Proton Technologies, the company behind ProtonMail and ProtonVPN, talked about a bug in iOS 13.3.1 that prevents VPN apps from encryption of all traffic. As information security experts now report, the problem has not yet been fixed.
Let me remind you that we also wrote that Vulnerability in WebKit engine could redirect iOS and macOS users to scam sites, and also that For iOS was discovered a new exploit, with the help of which China traced the Uyghurs.
In 2020, Proton Technologies experts explained that when using a VPN, the operating system must close all existing Internet connections and restore them through a VPN tunnel to protect the user’s privacy and data. However, iOS for some reason can’t keep up with closing existing connections, leaving the traffic insecure as a result. For example, new Internet connections will connect through the VPN tunnel, but connections that were already active when the user connected to the VPN server will remain outside the tunnel.
Although insecure connections are becoming less common, the main problem is that the user’s IP address and the IP address of the server to which it connects remain open, and the server “sees” the user’s real IP address instead of the VPN server’s IP address.
As The Register now writes, Proton Technologies researchers continued to wait for the release of the patch for a very long time. From time to time, specialists have updated their report and say that there is still no fix, although Apple is aware of the problem. So, until recently, the last update in the text was dated October 19, 2020, and it reported that the vulnerability had not been finally fixed in iOS 13.4, 13.5, 13.6, 13.7 and 14.
Earlier this year, cybersecurity researcher and developer Michael Horowitz re-examined this situation and found that VPNs in iOS still do not work correctly and provoke data leaks.
Horowitz writes that back in May 2022, he sent an email to Apple announcing this leak. In July, he said that he exchanged several letters with the company, but this did not give any result:
In addition, at the end of last week, on August 18, 2022, Proton Technologies experts updated their old report again. They argue that the kill switch feature that Apple introduced to developers with the release of iOS 14 does block additional network traffic, but “some DNS queries from Apple services can still be sent outside of a VPN connection.”
We have repeatedly discussed this issue with Apple. Unfortunately, fixing the problem is very problematic. Apple stated that this behavior is “to be expected” and “Always On VPN is only available on MDM controlled devices.” We urge Apple to make a completely secure web experience available to everyone, not just those connected to a proprietary remote device management framework designed for enterprises.says Proton Technologies.