2 Years on, iOS VPNs still leak your IP addresses with no bug fix in sight | Update: Apple says it's expected behaviour

AlTech

Summary

 

It's been over 2 years since Apple was notified of and acknowledged a bug in how iOS handles VPNs, and despite the bug leaking the IP addresses of VPN users, Apple has taken no action to fix this.

 

The bug was first discovered by ProtonVPN in 2020 in iOS 13.3.1. With no bug fix in sight, many are questioning whether Apple even cares.

 

 

Quotes

Quote

Back in early 2020, secure mail provider ProtonVPN reported a flaw in Apple’s iOS version 13.3.1 that prevented VPNs from encrypting all traffic. The issue was that the operating system failed to close existing connections.

This could potentially allow an attacker to identify a VPN user's source IP address. For those actually relying on hiding that data to avoid attention from a repressive regime or someone seeking private information, this is not a trivial concern.

 

Quote

"VPNs on iOS are broken," he wrote in an August 5 update to a May 25 post titled "VPNs on iOS are a scam." "At first, they appear to work fine. The iOS device gets a new public IP address and new DNS servers. Data is sent to the VPN server."

"But, over time, a detailed inspection of data leaving the iOS device shows that the VPN tunnel leaks. Data leaves the iOS device outside of the VPN tunnel. This is not a classic/legacy DNS leak, it is a data leak."

 

Quote

Horowitz reports emailing Apple about VPN data leakage in May when his post first went up. In July, he wrote, "Since then, there have been a number of emails between myself and the company (yes, plain old unencrypted email – no security at all). To date, roughly five weeks later, Apple has said virtually nothing to me. They have not said whether they tried to recreate the problem. They have not said whether they agree on this being a bug. They have not said anything about a fix."

 

Update:

Apple says this is expected behaviour: i.e. this isn't a bug, it's a feature.

 

The potential fix Apple proposes is optional and not mandatory for VPN providers. Apple says that customers should contact their VPN provider to ask whether the VPN provider has enabled this fix or not.

 

No matter whether the fix Apple recommends is enabled, ProtonMail has found that DNS queries from Apple are exempt from this fix, and thus VPN usage will still leak IP addresses.

 

Quote

The Apple response started with "The behavior you are seeing is expected." Take a second to let that sink in. I did not know how right I was when picking a title for this page - VPNs on iOS are indeed a scam.

 

Quote

Finally, Apple mentioned an API option that was introduced in iOS version 14 and pointed me to developer documentation at developer.apple.com. I am not an iOS developer, so I am not qualified to offer an opinion on this. Still, I can summarize.

  1. The new option is an on/off flag that indicates whether iOS sends all data through the VPN tunnel, or not. So, clearly iOS 13 and earlier were the Wild Wild West for VPNs. When both ProtonVPN and Mullvad blogged about VPNs leaking, they were referring to iOS version 13.
  2. The flag is OFF by default. Interesting choice for a company that sells their stuff based on security and privacy.
  3. If the flag is ON, and the VPN connection dies, iOS drops all network traffic. A built-in kill switch. Sounds great.

Apple suggested we ask our VPN providers if they are using this flag.

 

Quote

" Recent testing has shown that while the kill switch capability Apple provided to developers with iOS 14 does in fact block additional network traffic, certain DNS queries from Apple services can still be sent from outside the VPN connection. "

 

My thoughts

Some people believe actions speak louder than words. In this case, I believe the lack of action does, and I have to wonder if a government agency or a country is putting pressure on Apple not to fix the bug. There's no reason for Apple to not fix the bug otherwise, unless Apple doesn't care about privacy and their whole privacy thing is a facade and a lie. Even if that were the case, and it was a facade, why wouldn't Apple want to keep up the facade? It does them no favours not fixing the bug.

 

In other news, water is wet and iPhones aren't private.

 

Sources

https://www.theregister.com/2022/08/19/apple_ios_vpn/

https://www.michaelhorowitz.com/VPNs.on.iOS.are.scam.php

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill | (Probably) Why LMG Merch shipping to the EU is expensive

Oneplus 6 (Early 2023 to present) | HP Envy 15" x360 R7 5700U (Mid 2021 to present) | Steam Deck (Late 2022 to present)

 

Mid 2023 AlTech Desktop Refresh - AMD R7 5800X (Mid 2023), XFX Radeon RX 6700XT MBA (Mid 2021), MSI X370 Gaming Pro Carbon (Early 2018), 32GB DDR4-3200 (16GB x2) (Mid 2022

Noctua NH-D15 (Early 2021), Corsair MP510 1.92TB NVMe SSD (Mid 2020), beQuiet Pure Wings 2 140mm x2 & 120mm x1 (Mid 2023),


The fact that Apple only has a workaround even for enterprise users probably means the flaw is either not leaking anything other than Apple log data...or the flaw is more fundamental in the iOS network stack and can't be easily fixed. 

 

I'd probably guess that the issue is the former. Your public IP is still going to be from the VPN at the end of the day. 

 

iOS devices can't torrent, so covering that up isn't a concern. You still get an IP from the VPN, so you can still geo-hop. You can still VPN into a network, etc. The only concern here is that someone digs around the network traffic, finds data that leaked, and is able to track it back to you. If the data that leaks is just system logs, which do user-identifiable data destruction before leaving the phone, that's not always possible.

Laptop: 2019 16" MacBook Pro i7, 512GB, 5300M 4GB, 16GB DDR4 | Phone: iPhone 13 Pro Max 128GB | Wearables: Apple Watch SE | Car: 2007 Ford Taurus SE | CPU: R7 5700X | Mobo: ASRock B450M Pro4 | RAM: 32GB 3200 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 11 | Storage: 1TB Crucial P3 NVME SSD, 1TB PNY CS900, & 4TB WD Blue HDD | PSU: Be Quiet! Pure Power 11 600W | Display: LG 27GL83A-B 1440p @ 144Hz, Dell S2719DGF 1440p @144Hz | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G305 | Audio: Audio Technica ATH-M50X & Blue Snowball | Server: 2018 Core i3 Mac mini, 128GB SSD, Intel UHD 630, 16GB DDR4 | Storage: OWC Mercury Elite Pro Quad (6TB WD Blue HDD, 12TB Seagate Barracuda, 1TB Crucial SSD, 2TB Seagate Barracuda HDD)

12 minutes ago, DrMacintosh said:

The fact that Apple only has a workaround even for enterprise users probably means the flaw is either not leaking anything other than Apple log data...or the flaw is more fundamental in the iOS network stack and can't be easily fixed. 

 

I'd probably guess that the issue is the former. Your public IP is still going to be from the VPN at the end of the day. 

With Apple's VPN kill switch setting (which only a VPN provider controls, besides Apple) turned OFF, IP addresses from any app or iOS itself are leaked. With it ON, only iOS leaks your IP address. But this still means IP addresses being leaked.

12 minutes ago, DrMacintosh said:

iOS devices can't torrent, so covering that up isn't a concern. You still get an IP from the VPN, so you can still geo-hop. You can still VPN into a network, etc. The only concern here is that someone digs around the network traffic, finds data that leaked, and is able to track it back to you.

Yes, meaning people who need VPNs for privacy or anonymity are compromised when using iOS.


5 minutes ago, AluminiumTech said:

Yes, meaning people who need VPNs for privacy or anonymity are compromised when using IOS.

A SIM and 3 cell towers make VPNs irrelevant from a privacy and anonymity perspective. There is no absolute privacy on the internet no matter what platform you use.  


1 minute ago, DrMacintosh said:

A SIM and 3 cell towers make VPNs irrelevant from a privacy and anonymity perspective.

There is no absolute privacy on the internet no matter what platform you use.  

Well, that's a problem for Apple because they market themselves as iPhone being all about privacy.

 

I would posit that someone using LineageOS, microG, and Orbot on Android can have privacy and using Qubes on a computer if all the data is routed through the Tor network.


4 minutes ago, AluminiumTech said:

Well that's a problem for Apple cos they market themselves as iPhone being all about Privacy.

And it still is the most private consumer operating system available. 


19 minutes ago, DrMacintosh said:

A SIM and 3 cell towers make VPNs irrelevant from a privacy and anonymity perspective. There is no absolute privacy on the internet no matter what platform you use.  

SIMs aren't always tied to a person, phones have WiFi so cell towers aren't always a consideration either. Poor argument. 

CPU: Ryzen 9 5900 Cooler: EVGA CLC280 Motherboard: Gigabyte B550i Pro AX RAM: Kingston Hyper X 32GB 3200mhz

Storage: WD 750 SE 500GB, WD 730 SE 1TB GPU: EVGA RTX 3070 Ti PSU: Corsair SF750 Case: Streacom DA2

Monitor: LG 27GL83B Mouse: Razer Basilisk V2 Keyboard: G.Skill KM780 Cherry MX Red Speakers: Mackie CR5BT

 

MiniPC - Sold for $100 Profit

Spoiler

CPU: Intel i3 4160 Cooler: Integrated Motherboard: Integrated

RAM: G.Skill RipJaws 16GB DDR3 Storage: Transcend MSA370 128GB GPU: Intel 4400 Graphics

PSU: Integrated Case: Shuttle XPC Slim

Monitor: LG 29WK500 Mouse: G.Skill MX780 Keyboard: G.Skill KM780 Cherry MX Red

 

Budget Rig 1 - Sold For $750 Profit

Spoiler

CPU: Intel i5 7600k Cooler: CryOrig H7 Motherboard: MSI Z270 M5

RAM: Crucial LPX 16GB DDR4 Storage: Intel S3510 800GB GPU: Nvidia GTX 980

PSU: Corsair CX650M Case: EVGA DG73

Monitor: LG 29WK500 Mouse: G.Skill MX780 Keyboard: G.Skill KM780 Cherry MX Red

 

OG Gaming Rig - Gone

Spoiler

 

CPU: Intel i5 4690k Cooler: Corsair H100i V2 Motherboard: MSI Z97i AC ITX

RAM: Crucial Ballistix 16GB DDR3 Storage: Kingston Fury 240GB GPU: Asus Strix GTX 970

PSU: Thermaltake TR2 Case: Phanteks Enthoo Evolv ITX

Monitor: Dell P2214H x2 Mouse: Logitech MX Master Keyboard: G.Skill KM780 Cherry MX Red

 

 


8 minutes ago, DrMacintosh said:

And it still is the most private consumer operating system available. 

And LineageOS isn't a consumer operating system? It's Android with all the bad parts taken out.


8 minutes ago, dizmo said:

SIMs aren't always tied to a person, phones have WiFi so cell towers aren't always a consideration either. Poor argument. 

Getting someone's location via WiFi (assuming GPS, Location Services, and Bluetooth are off) is fairly trivial on iOS and stock Android using WiFi scanning. This involves your phone (either via an app or the OS) looking at what WiFi networks are near you to determine your location by cross-referencing it with other devices connected to or near those WiFi networks.


14 minutes ago, dizmo said:

phones have WiFi so cell towers aren't always a consideration either. Poor argument. 

No, the fact that phones have WiFi is actually another way to track people. Using WiFi also does not switch off your cellular radios; nothing does.


Cue in every possible excuse to justify Apple's choice.

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


28 minutes ago, DrMacintosh said:

No, the fact that phones have WiFi is actually another way to track people. Using WiFi also does not switch off your cellular radios; nothing does.

um... what about the button that turns off cell service?

I could use some help with this!

please, pm me if you would like to contribute to my gpu bios database (includes overclocking bios, stock bios, and upgrades to gpus via modding)

Bios database

My beautiful, but not that powerful, main PC:

prior build:


3 minutes ago, Helpful Tech Witch said:

um... what about the button that turns off cell service?

Even with airplane mode on, the modem still infrequently pings cell towers on iOS (not 100% sure about stock Android), according to privacy researchers.


There's no excuse for Apple to not fix this and more importantly to not be transparent about it. If there is a "good" reason for this behavior from iOS the least they could do is explain it, especially in the developer documentation - at least this would prevent companies from selling things they can't actually deliver due to iOS limitations, but then I guess people would start asking why there are no VPNs on the app store. Adding the half-baked kill switch leads me to believe they know this is a problem and were hoping they could get VPN providers to shut up about it with an apparent solution.

 

I don't know if this should be taken as indication that iOS is overall bad for your privacy but I will say Apple has done very little to earn the reputation of being privacy focused other than repeating it constantly.

40 minutes ago, DrMacintosh said:

No, the fact that phones have WiFi is actually another way to track people. Using WiFi also does not switch off your cellular radios; nothing does.

The idea of a VPN is that even if a malicious actor intercepts your packets in a wifi or cellular network they won't be able to tell what you're doing. Now, a VPN still requires you to trust a middle man in the VPN provider, but that's beside the point; VPNs are supposed to fix the exact problem you're describing.

15 minutes ago, AluminiumTech said:

Even with airplane mode on, the modem still infrequently pings cell towers on iOS (not 100% sure about stock Android), according to privacy researchers.

I mean... privacy aside this seems like a safety issue if you're on a plane... though I imagine a single ping isn't that dangerous

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


I'm not surprised people are trying to justify Apple for not fixing the bug, and since Apple wants to put more ads on iOS it isn't surprising if Apple doesn't want people using a VPN so they can get more data for themselves.

 


2 hours ago, AluminiumTech said:

There's no reason for Apple to not fix the bug otherwise,

So I do not really see this as a bug, since there are 2 use cases of a VPN:

1) to hide your IP address

2) to connect into a corporate network

You can't just re-route HTTP/1 and HTTP/2 traffic (HTTP/3 with multipath could support this, but almost no servers support the multipath spec even if they support HTTP/3...) over a new IP route without breaking the TCP connection and establishing a new one. That is why, if an app is already open and has existing connections when you enable the VPN, that VPN only applies to future traffic.

 

That is why on the Mac VPN apps tend to have an option that users can enable that kills all open connections when you enable the VPN, but this is an option, as some users use VPNs for things like accessing a company network and they do not want their video call through Zoom (which does not need the VPN) to die.

That is why it is a feature that existing TCP connections are not automatically killed when you connect a VPN, and devs need to put an option in the VPN app (as some do) for users to enable if they want currently open connections to be culled.
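The leak audit the thread describes (inspect everything leaving the device and see what bypasses the tunnel) as an added example that is not part of any post here: a small Python auditor over a constructed packet log that tells apart the two failure modes discussed above, connections opened before the tunnel came up that keep flowing outside it, and new traffic (such as an OS DNS query) that bypasses the tunnel anyway. Interface names, addresses and the log format are assumptions made for this example, not anything Apple or a VPN provider ships.

```python
"""Audit a constructed packet log from a phone for traffic that bypasses the VPN.

Verdicts per flow:
  tunnelled        - carried on the tunnel interface, or encapsulated to the VPN server
  leak-preexisting - flow first seen BEFORE the tunnel came up, still leaving on the
                     physical interface afterwards (the 'existing connections are not
                     closed' behaviour discussed in the thread)
  leak-new         - flow opened AFTER the tunnel came up, yet leaving on the physical
                     interface (e.g. an OS DNS query sent outside the tunnel)
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed topology for the constructed capture (not real infrastructure).
PHYSICAL_IFACE = "en0"       # Wi-Fi / cellular interface of the device
TUNNEL_IFACE = "utun0"       # interface the VPN extension exposes
VPN_SERVER = "203.0.113.10"  # documentation-range address standing in for the VPN endpoint
VPN_UP_AT = 10.0             # seconds: when the tunnel was established


@dataclass(frozen=True)
class Packet:
    t: float      # capture timestamp in seconds
    iface: str    # interface the packet left on
    src: str
    dst: str
    proto: str
    dport: int


Flow = Tuple[str, str, str, int]  # (src, dst, proto, dport)


def classify(packets: List[Packet]) -> Dict[Flow, str]:
    """Return a verdict per flow for packets seen after the tunnel came up."""
    first_seen: Dict[Flow, float] = {}
    verdict: Dict[Flow, str] = {}
    for p in sorted(packets, key=lambda pk: pk.t):
        flow = (p.src, p.dst, p.proto, p.dport)
        first_seen.setdefault(flow, p.t)
        if p.t < VPN_UP_AT:
            continue  # nothing to judge before the tunnel exists
        encapsulated = p.iface == PHYSICAL_IFACE and p.dst == VPN_SERVER
        if p.iface == TUNNEL_IFACE or encapsulated:
            verdict.setdefault(flow, "tunnelled")  # a leak verdict is never downgraded
        elif first_seen[flow] < VPN_UP_AT:
            verdict[flow] = "leak-preexisting"
        else:
            verdict[flow] = "leak-new"
    return verdict


def leaks(packets: List[Packet]) -> Dict[Flow, str]:
    """Only the flows that left the device outside the tunnel."""
    return {f: v for f, v in classify(packets).items() if v.startswith("leak")}


def summarize(packets: List[Packet]) -> Dict[str, int]:
    counts = {"tunnelled": 0, "leak-preexisting": 0, "leak-new": 0}
    for v in classify(packets).values():
        counts[v] += 1
    return counts


# Constructed capture: five packets around the moment the tunnel comes up.
CAPTURE = [
    # App connection opened before the tunnel; keeps flowing on en0 afterwards.
    Packet(1.0, "en0", "192.168.1.20", "198.51.100.7", "tcp", 443),
    Packet(12.0, "en0", "192.168.1.20", "198.51.100.7", "tcp", 443),
    # Encapsulated tunnel traffic to the VPN server on en0: expected.
    Packet(11.0, "en0", "192.168.1.20", "203.0.113.10", "udp", 51820),
    # New browser session after the tunnel is up: goes over utun0.
    Packet(13.0, "utun0", "10.8.0.2", "198.51.100.9", "tcp", 443),
    # DNS query from an OS service after the tunnel is up, straight out of en0.
    Packet(14.0, "en0", "192.168.1.20", "192.168.1.1", "udp", 53),
]

if __name__ == "__main__":
    for flow, v in classify(CAPTURE).items():
        print(f"{v:17s} {flow[0]} -> {flow[1]}:{flow[3]}/{flow[2]}")
```

With the kill-switch flag the thread describes turned on, a correct implementation should make both leak classes disappear from a capture; Horowitz's and ProtonVPN's point is that the second class still shows up for Apple's own DNS queries.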


29 minutes ago, Blademaster91 said:

and since Apple wants to put more ads on iOS it isn't surprising if Apple doesn't want people using a VPN so they can get more data for themselves.

People using a VPN or not does not at all affect Apple's ability to collect data for ads (a VPN does not stop the phone collecting info if it wants to); it stops people who run web servers from joining the dots but does not affect software running on the device at all! This is a key point to remember that VPN marketing might want you to forget.

Also worth noting: the locations where Apple currently sells ads on iOS, such as the App Store, do not use usage data at all to target ads. This is a pain point for devs buying ads in the App Store, where the only thing we can target is search terms. That is all that is used to target that ad; your ad will even be shown to users who have already installed your app if they search a term you have bid on. You can't do any other targeting, and Apple does not do any other smart targeting; it is just based on what is in the search box.

Ads shown in News etc. are also targeted based on what you search for.

Currently the only ads Apple displays that are a function of user behaviour are ads for Apple's own shows in Apple TV (and this is just based on your watching habits within the TV app).

 


1 hour ago, Helpful Tech Witch said:

um... what about the button that turns off cell service?

Having cell data turned off does not turn off cell service. If your phone is part of a cellular network, it can be found. 


38 minutes ago, Sauron said:

The idea of a VPN is that even if a malicious actor intercepts your packets in a wifi or cellular network they won't be able to tell what you're doing. Now, a VPN still requires you to trust a middle man in the VPN provider, but that's beside the point; VPNs are supposed to fix the exact problem you're describing.

55 minutes ago, AluminiumTech said:

That is one use case of a VPN; the other use case of a VPN is to connect you into a corporate network. In fact, given how many phones are deployed by companies, I would not be surprised at all if in aggregate more phones are on corporate VPN networks than on `privacy preserving` networks.

The corporate VPN is only supposed to get you into the core, to the things within the network, and typically will not even route traffic that is not for that network (e.g. you do not want your YouTube data stream to be piped over the company's network; that is a waste of $), so when starting a VPN connection like this you don't want to kill all current TCP connections and thus drop all video/voice etc. calls.


42 minutes ago, Sauron said:

Adding the half-baked kill switch leads me to believe they know this is a problem and were hoping they could get VPN providers to shut up about it with an apparent solution.

The fact is most VPN users do not want existing TCP connections to be killed, since most VPN users are using VPNs to connect to corporate networks and you don't want your existing public internet TCP connections to be culled when connecting to a corporate network. That is why it should be a setting per VPN (just like it has been on macOS for years and years... seems odd that these VPN providers knew they needed to have this on macOS as an option but did not use the exact same API on iOS).


16 minutes ago, hishnash said:

The corporate VPN is only supposed to get you into the core, to the things within the network, and typically will not even route traffic that is not for that network (e.g. you do not want your YouTube data stream to be piped over the company's network; that is a waste of $), so when starting a VPN connection like this you don't want to kill all current TCP connections and thus drop all video/voice etc. calls.

That's fine if it's an option and not the only way this is allowed to work.

16 minutes ago, hishnash said:

The fact is most VPN users do not want existing TCP connections to be killed, since most VPN users are using VPNs to connect to corporate networks and you don't want your existing public internet TCP connections to be culled when connecting to a corporate network. That is why it should be a setting per VPN (just like it has been on macOS for years and years... seems odd that these VPN providers knew they needed to have this on macOS as an option but did not use the exact same API on iOS).

Must be because it wasn't an option until iOS 14 and even now it doesn't actually do what it says it does.


54 minutes ago, Sauron said:

That's fine if it's an option and not the only way this is allowed to work.

There is, and always has been, an option, just not using the VPN API but using the Network Extension API (I know, as I have developed tools that use this via a `Packet Tunnel Provider`). Doing this was always a little complex, as you needed to explicitly send a FIN packet back to the app so that it correctly closed its connections and created new ones; otherwise many apps would just sit there thinking there was some massive network latency until the connection timed out (that depends, of course, on the devs setting a timeout; many do not). Not sure about the new API Apple are offering; it might well be less complex than this... but all the VPN providers almost certainly already have code that does this, as they tend to drop connections on macOS and that is the only way to do that without breaching the sandbox.

And for DNS there is a separate API you can use to override the DNS target (this is something some VPN providers already do, but I expect most did not bother to look at the docs). I have also used this API, and while it takes about 1 second to apply, it works for all future DNS queries (but does not clear the DNS cache, so host names resolved pre-connection are still used by apps, since apps tend to have their own user-space DNS cache that they do not clear; this is the same on all platforms!).

I expect the VPN providers having issues on iOS are the ones using the VPN profile API that is clearly designed (and documented) for use by corporate management to deploy a VPN setting directly to the phone (without even needing an app); the app in this model does not do much other than send some VPN config to the OS (this can be loaded from a web page or other place as well). This config is most commonly used by companies sharing VPN settings with their staff, and sure, it is simpler to implement than building a Packet Tunnel extension and a DNS extension, but it does not provide the same level of control.


Never been a fan of on-device software VPN connections, much better to implement at the router.


16 minutes ago, NF-F12 said:

Never been a fan of on-device software VPN connections, much better to implement at the router.

Yeah, then it is always on so you don't have issues like this; the issue here is the transition from not on a VPN to on a VPN, and the question as to whether that should kill all current connections or not, and that in the end depends on the use case of the VPN you are connecting to and the services that are currently connected.


19 hours ago, hishnash said:

People using a VPN or not does not at all affect Apple's ability to collect data for ads (a VPN does not stop the phone collecting info if it wants to); it stops people who run web servers from joining the dots but does not affect software running on the device at all! This is a key point to remember that VPN marketing might want you to forget.

Some VPN providers run software to block out ads if you toggle the feature on in the app.

19 hours ago, hishnash said:


Also worth noting: the locations where Apple currently sells ads on iOS, such as the App Store, do not use usage data at all to target ads. This is a pain point for devs buying ads in the App Store, where the only thing we can target is search terms. That is all that is used to target that ad; your ad will even be shown to users who have already installed your app if they search a term you have bid on. You can't do any other targeting, and Apple does not do any other smart targeting; it is just based on what is in the search box.

Ads shown in News etc. are also targeted based on what you search for.

Currently the only ads Apple displays that are a function of user behaviour are ads for Apple's own shows in Apple TV (and this is just based on your watching habits within the TV app).

 

 
