It was in May that a security expert first revealed that iPhone VPN apps were leaking user data, claiming that Apple was doing nothing to fix it.
Now, just a few months later, another major problem has been found in how VPN software behaves on iOS. This time, some of users’ most sensitive information is at risk.
Another expert recently found that many Apple apps, including Health and Wallet, send users’ private data outside an active VPN tunnel.
However, the best VPN services aren’t the ones to blame here.
“We confirm that iOS 16 communicates with Apple services outside of an active VPN tunnel. Worse still, it loses DNS requests. #Apple services that escape the VPN connection include Health, Maps, Wallet. We used @ProtonVPN and #Wireshark. Details in the video: #CyberSecurity #Privacy pic.twitter.com/ReUmfa67ln” (tweet, 12 October 2022)
Apple apps bypass VPN encryption
“We confirm that iOS 16 communicates with Apple services outside of an active VPN tunnel. Worse still, it loses DNS requests,” developer and security researcher Tommy Mysk tweeted on October 12.
In theory, when you connect to a secure VPN, your data is encrypted and passed through one of its servers before it reaches its destination. This means that neither your ISP nor any other third party on the path should be able to read this flow of information. Likewise, the websites you visit will not be able to determine your real IP address or other identifying details.
Mysk ran some tests on iOS 16 with Proton VPN and Wireshark active. To his dismay, he and his team discovered that many Apple apps actually bypass the VPN tunnel and exchange data directly with Apple’s servers.
What’s worse, the applications that leak data are precisely the ones that handle the most private and sensitive information: Health, Wallet, Apple Store, Clips, Files, Find My, Maps, and Settings.
As for the reasons behind this behaviour, Mysk appears to believe that Apple is doing it intentionally.
“There are services on the iPhone that require frequent contact with Apple’s servers, such as Find My and Push Notifications. However, I don’t see any problems tunneling this traffic into the VPN connection. The traffic is still encrypted,” Mysk told 9to5Mac, adding that they did not expect such an amount of traffic to be exposed.
Not just iOS VPN
As Mysk confirmed during his tests, iPhone and iPad users aren’t the only ones risking their privacy.
“I know what you are wondering and the answer is YES. Android communicates with Google services outside of an active VPN connection, even with Always On and Block connections without VPN options,” he said.
Just a few days ago, we reported Mullvad VPN’s finding, from its latest security audit, that Android devices silently undermine VPN services.
Here, Android exposes user data outside the VPN when it performs connectivity checks on joining some Wi-Fi networks.
The VPN provider has asked Google to add an option to skip these checks when the VPN is on, but the tech giant believes this isn’t necessary. This is why Mullvad is now pushing for at least a change to the “misleading” description of Android’s VPN-related features.