Security researchers have uncovered a serious vulnerability in the latest stable version of iOS. This flaw allows certain Apple services to bypass virtual private network (VPN) connections, leaving users exposed to potential security risks. Despite the enhanced security features of iOS 16, including the much-touted Lockdown Mode, this issue persists and has even been exacerbated in the recent iOS 16.5.1 update.
The VPN Bypass Issue
The security researchers, Mysk, conducted extensive tests and discovered that a range of Apple services, including Apple Maps, Apple Push Notification, and even the supposedly secure Lockdown Mode were bypassing VPN connections. This means that certain network traffic from iOS devices is transmitted and received in an unencrypted form, regardless of whether a VPN connection is active. Consequently, users’ data, browsing history, and even their IP addresses are exposed to profiling, interception, snooping, and potential blocking.
iOS 16.5.1 still bypasses the VPN. New tests show that Apple Push Notification traffic completely ignores the VPN connection. Apple Maps sends many requests outside the VPN, including unencrypted DNS requests. This also happens in the Lockdown Mode. 🎬https://t.co/302I4nf8j9 pic.twitter.com/Q3GW14RYOO
— Mysk 🇨🇦🇩🇪 (@mysk_co) July 23, 2023
The security researchers have released a video on YouTube illustrating this.
The same vulnerability was also observed in the upcoming iPadOS 17 beta 3, further highlighting the persistence of this issue across multiple iOS versions. This revelation raises concerns about Apple’s commitment to promptly address security flaws and prioritize user privacy.
Interestingly, Mysk had previously reported a similar issue back in October 2022. At that time, Apple Health, Maps, and Wallet were found to be bypassing VPN tunnels, compromising the security of sensitive user data. It is uncertain when this practice of ignoring VPN connections began, but it appears to have been ongoing for an extended period.
Apple had previously suggested that VPN app developers utilize the “includeAllNetworks API” to ensure that their clients are using VPN connections properly. However, Mysk’s tests have shown that even VPN products like ProtonVPN, which has implemented this flag, are unable to prevent the bypassing behavior. This indicates that the issue lies within the core functionality of iOS itself.
Implications and Concerns
The implications of this VPN bypass issue are significant. With Apple services communicating outside of active VPN tunnels, users’ data and online activities are left vulnerable to surveillance and monitoring. The fact that some services which handle sensitive user information, are included in the list of apps bypassing VPN connections raises serious concerns about the privacy and security of iOS users.
Furthermore, the persistence of this issue in the latest iOS updates, including the highly anticipated iOS 16.5.1, is disheartening. It suggests that Apple has either overlooked or intentionally allowed certain traffic to bypass VPN configurations, without adequately communicating this decision to users and VPN vendors.
Related Issues on Android
Interestingly, the VPN bypass issue is not exclusive to iOS devices. Mysk researchers have also found that Android devices exhibit similar behavior when it comes to Google services. Even with options like “Always-on” and “Block Connections without VPN” enabled, Android devices still send data to Google services outside a VPN tunnel. This further highlights the need for comprehensive solutions to ensure online privacy across different platforms.
I know what you're asking yourself and the answer is YES. #Android communicates with #Google services outside an active VPN connection, even with the options "Always-on" and "Block Connections without VPN."
— Mysk 🇨🇦🇩🇪 (@mysk_co) October 12, 2022
I used a #Pixel phone running #Android13, its IP is 192.168.2.14 👇 pic.twitter.com/iookQCAHxG
Addressing the VPN Bypass Issue
As of now, there is no direct solution to completely eliminate the VPN bypass issue on iOS devices. However, here are a few practical suggestions:
- Use a VPN on a Wi-Fi Router: By routing all network traffic through the VPN at the router level, users can protect their devices from potential leaks. You can also incorporate DNS servers that respect your privacy and block most of the unwanted stuff. I recommend NextDNS or AdGuard Home DNS
- Choose a Reliable VPN Service: Choose a reputable provider that has a strong track record of protecting user privacy. Look for VPNs that have undergone independent audits and have transparent privacy policies.
- Enable DNS Leak Protection: Some VPN providers offer DNS leak protection as a feature. Enabling this option can help prevent DNS requests from being leaked outside the VPN tunnel.
- Stay Informed: Keep an eye on the latest updates and developments regarding the VPN bypass issue. Security researchers and privacy advocates often release information and recommendations to help users stay protected.
