iPhone VPN apps are ‘a scam,’ security researcher warns–and Apple knows it

In a blog post titled “VPNs on iOS are a scam,” a well-known security researcher accuses VPNs installed on an iPhone or iPad of leaking data while Apple turns a blind eye. In the article, first published in May 2022 but updated regularly with new information, Michael Horowitz claims he was able to confirm the data leaks using multiple types of VPN and software from multiple VPN providers. He most recently tested with an iPhone running iOS 15.6.

A VPN (Virtual Private Network) should establish a secure and encrypted connection between a device and the internet: a private tunnel through which your data and communications can travel. However, Horowitz explains that all sessions and connections established before the VPN is activated should be terminated when it is activated, and this is not happening by default, which means that data can still be sent outside the VPN.

Horowitz investigated further to see if any iOS VPN providers had implemented an option called “Kill TCP sockets after connection,” which would kill these connections. As he writes, “I checked a handful of iOS VPN clients for other VPN providers and found none with an option about terminating existing connections/sockets when establishing the VPN tunnel.”

The main criticism here is that VPNs are often used because a user wants to protect their data, but if data is leaving their device without travelling through the VPN tunnel, the VPN is failing to do its job. It is possible that the problem is with iOS rather than the VPN clients, Horowitz concedes.
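An added example, not taken from Horowitz's blog or from any VPN vendor: one way to check for this behaviour from outside the phone, assuming a gateway that exports per-connection flow records. The record schema, addresses and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    """One connection record as a gateway might log it (hypothetical schema)."""
    src: str
    dst: str
    dport: int
    first_seen: float  # seconds
    last_seen: float

def classify_flows(flows, device_ip, vpn_server_ip, tunnel_up,
                   lan="192.168.1.0/24", grace=5.0):
    """Bucket the device's WAN flows relative to the moment the VPN came up."""
    device, vpn = ip_address(device_ip), ip_address(vpn_server_ip)
    local = ip_network(lan)
    out = {"tunnel": [], "closed_before_vpn": [],
           "persisted_outside_tunnel": [], "new_outside_tunnel": []}
    for f in flows:
        dst = ip_address(f.dst)
        if ip_address(f.src) != device or dst in local:
            continue  # other hosts and LAN-only traffic are out of scope
        if dst == vpn:
            out["tunnel"].append(f)
        elif f.last_seen <= tunnel_up + grace:
            out["closed_before_vpn"].append(f)  # ended; grace covers teardown packets
        elif f.first_seen < tunnel_up:
            # Opened before the VPN, still active after it: the leak described above.
            out["persisted_outside_tunnel"].append(f)
        else:
            # Not the behaviour the article describes; would point to another problem.
            out["new_outside_tunnel"].append(f)
    return out

# Constructed sample data (documentation address ranges, arbitrary timestamps).
TUNNEL_UP = 1000.0
SAMPLE = [
    Flow("192.168.1.50", "198.51.100.7", 443, 900.0, 1300.0),
    Flow("192.168.1.50", "198.51.100.8", 443, 950.0, 990.0),
    Flow("192.168.1.50", "203.0.113.10", 51820, 1000.0, 1400.0),
    Flow("192.168.1.51", "198.51.100.9", 443, 1100.0, 1200.0),   # another device
    Flow("192.168.1.50", "192.168.1.1", 53, 1100.0, 1101.0),     # LAN only
    Flow("192.168.1.50", "198.51.100.20", 5223, 1100.0, 1200.0),
]

if __name__ == "__main__":
    result = classify_flows(SAMPLE, "192.168.1.50", "203.0.113.10", TUNNEL_UP)
    for label, items in result.items():
        print(label, [(f.dst, f.dport) for f in items])
```
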

However, Apple has yet to address the issue (at least not publicly), and it’s been two years since it was first raised. In March 2020, a report by ProtonVPN detailed what appears to be the same bug, which was found to lead to a VPN data leak in both iOS 13 and 14. At that time John Dunn of Sophos wrote that a patch “might not appear for weeks.” Unfortunately, it’s been a bit longer than that.

Until Apple responds, Horowitz suggests making the VPN connection using VPN client software in a router, rather than on an iOS device.

We have reached out to several VPN developers for comment. Nord, which claims its team is exploring options via which they “can make the situation better,” had the following to say: “Apple maintains isolated persistent connection mechanisms, which are not accessible from the app space environment. That means that developers have a very limited (if any) ability to change them. That said, the statement that VPN on iOS is useless is a bit bold. After a VPN connection is established, each new HTTP session will be encrypted and routed through a VPN tunnel. At the same time, all persistent connections are encrypted by Apple themselves. So while it is very disappointing that Apple chose to ignore industry’s calls for years, VPN services can still provide certain additional privacy and security benefits for iOS.”
