Unscrambled: iOS flaw stops VPN apps from encrypting all traffic

News by Rene Millman

An unpatched flaw in iOS 13.3.1 and later could prevent VPNs from encrypting all traffic, according to security researchers, enabling hackers to snoop on private data.

According to a blog post by Proton VPN, the iPhone operating system does not close existing connections when a user connects to a VPN. Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel, the report said.

The firm said that one example of this is Apple’s push notification service, which maintains a long-running connection between the device and Apple’s servers. But the problem could impact any app or service, such as instant messaging applications or web beacons.

“The VPN bypass vulnerability could result in users’ data being exposed if the affected connections are not encrypted themselves (though this would be unusual nowadays). The more common problem is IP leaks. An attacker could see the users’ IP address and the IP address of the servers they’re connecting to. Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server,” an advisory stated.

Researchers said that those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common.

They warned that neither ProtonVPN nor any other VPN service can provide a workaround for this issue because iOS does not permit a VPN app to kill existing network connections.

“Internet connections established after you connect to VPN are not affected. But connections that are already running when you connect to VPN may continue outside the VPN tunnel indefinitely. There is no way to guarantee that those connections will be closed at the moment you start a VPN connection,” said researchers.

An alternative workaround is to use Always-on VPN. “This method requires using device management, so unfortunately it doesn’t mitigate the issue for third-party applications such as ProtonVPN,” said researchers.

Sam Bakken, senior product marketing manager at OneSpan, told SC Media UK that this latest discovery shows that mobile app developers need to take extra steps to bake security features into the apps themselves.

“Securing apps through technology such as in-app protection, device binding and secure communication channels and then also gaining visibility into jailbreak and root status and the app’s runtime environment can fortify a mobile app even in risky environments such as jailbroken phones so that the app can be intelligent about what it will and will not do in those situations,” he said.

Mark James, head of technical sales and training at ESET, told SC Media UK that one of the issues we have when we come to trust security technologies is falling into the habit of always thinking that they are 100 percent safe.

“Instead, we need to always be mindful that anything software-related could, in some extreme circumstances, be vulnerable or indeed fail. With that being said, it’s very uncommon for well-known security applications to let us down, in this instance we need to wait until Apple fix the issue from their end. They have issued a resolve, which is to use their own “always-on vpn”. This is done on the device by installing the correct profile, and will stay active until said profile is uninstalled. However, this will, of course, not help the issue with other third party VPN solutions,” he said.
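The behaviour the researchers describe can be checked from outside the phone. The following is an added example, not code from Proton VPN or from this article: it assumes packets from the device have been captured on an upstream gateway and reduced to a simplified record format (hypothetical), and it flags any non-tunnel traffic that continues after the VPN comes up. All addresses, ports and timestamps are constructed sample values.

```python
from collections import namedtuple

# One record per packet seen on the upstream gateway (hypothetical, simplified format).
Packet = namedtuple("Packet", "ts src dst remote_port")

def surviving_flows(packets, device_ip, vpn_server_ip, vpn_up_ts):
    """Flag device traffic seen after the tunnel came up that bypasses the VPN server.

    Returns {(remote_ip, remote_port): {"pre_existing", "packets", "last_seen"}}.
    """
    first_seen, leaks = {}, {}
    for p in sorted(packets, key=lambda p: p.ts):
        if device_ip not in (p.src, p.dst):
            continue                      # traffic of some other host
        remote = p.dst if p.src == device_ip else p.src
        if remote == vpn_server_ip:
            continue                      # tunnel traffic, expected
        key = (remote, p.remote_port)
        first_seen.setdefault(key, p.ts)
        if p.ts > vpn_up_ts:
            rec = leaks.setdefault(key, {
                # True: the flow was opened before the VPN and kept running outside it
                "pre_existing": first_seen[key] <= vpn_up_ts,
                "packets": 0,
                "last_seen": p.ts,
            })
            rec["packets"] += 1
            rec["last_seen"] = p.ts
    return leaks

# Constructed sample capture (documentation address ranges, seconds since capture start).
DEVICE, VPN_SERVER, VPN_UP = "192.0.2.10", "198.51.100.7", 10.0
SAMPLE = [
    Packet(1.0, DEVICE, "203.0.113.20", 5223),   # long-lived connection opened before the VPN
    Packet(5.0, DEVICE, "203.0.113.50", 443),    # short-lived connection, done before the VPN
    Packet(10.5, DEVICE, VPN_SERVER, 1194),      # tunnel traffic
    Packet(40.0, "203.0.113.20", DEVICE, 5223),  # old connection still alive outside the tunnel
    Packet(90.0, DEVICE, "203.0.113.20", 5223),
    Packet(95.0, VPN_SERVER, DEVICE, 1194),
]

if __name__ == "__main__":
    for (ip, port), rec in surviving_flows(SAMPLE, DEVICE, VPN_SERVER, VPN_UP).items():
        kind = "opened before VPN" if rec["pre_existing"] else "opened after VPN"
        print(f"{ip}:{port} {kind}, {rec['packets']} packets, last seen t={rec['last_seen']}")
```

Any flow reported with `pre_existing` set is a connection that stayed outside the tunnel, exposing the device's real IP address to the remote server and to anyone on the path.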