
iOS VPN: Data Leakage Enabled When?

Written by: William Sullivan


Background on iOS VPNs

iOS devices, such as iPhones and iPads, come with built-in support for VPNs. Users can configure their VPN settings through the Settings app, selecting from various providers. Once set up, the VPN encrypts all internet traffic, ensuring sensitive data remains secure and private.

However, research has shown that this encryption is not always effective. Specifically, scenarios exist where traffic can bypass the VPN, exposing personal data to potential threats. Researchers have identified this vulnerability and highlighted it in various forums and discussions.

The Vulnerability Explained

The primary issue lies in how iOS handles TCP connections when a VPN is enabled. TCP (Transmission Control Protocol) is fundamental for reliable data transfer over the internet. When a VPN is activated, it is expected that all subsequent network traffic will be routed through the VPN tunnel, ensuring encryption and privacy.

However, a critical flaw exists in this process. If a TCP connection is established before the VPN is enabled, that connection keeps running outside the tunnel after the VPN comes up. Any data sent over such a pre-existing connection therefore bypasses the VPN's encryption and is exposed to whoever can observe the underlying Wi-Fi or cellular network.

Example of VPN Leak

To illustrate this vulnerability, consider an example code snippet provided by Patrick Jackson from Disconnect.me. This code demonstrates how an iOS app can establish a TCP connection before enabling the VPN and then send data through that connection without encryption.

```swift
// Example VPN leak from Network.framework
// Author: Patrick Jackson, https://disconnect.me

import UIKit
import Network

@main
class AppDelegate: UIResponder, UIApplicationDelegate {

    var conn: NWConnection?

    func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool {

        let tlsParams = NWParameters.tls
        tlsParams.preferNoProxies = true
        tlsParams.prohibitedInterfaceTypes = [NWInterface.InterfaceType.wifi] // exclude Wi-Fi for this endpoint

        let host = "ip.disconnect.app" // TLS-enabled endpoint for checking the external IP

        // The connection is created (and, below, started) before any VPN is up.
        conn = NWConnection(host: NWEndpoint.Host(host), port: 443, using: tlsParams)

        conn?.stateUpdateHandler = { state in
            print("State Update: \(state)")
            if state == .ready {
                let method = "GET"
                let uri = "/" // API key included here for purposes of testing only
                let httpVersion = "HTTP/1.1"
                let headers = "Host: \(host)\r\n"
                let body = ""

                // construct HTTP request to send over the readied connection
                let rawHTTPRequest = "\(method) \(uri) \(httpVersion)\r\n\(headers)\r\n\(body)"

                self.conn?.send(content: rawHTTPRequest.data(using: .ascii), completion: .contentProcessed({ error in
                    self.conn?.receiveMessage { data, _, completed, error in
                        // cellular data needs to be enabled
                        // receiving the response may take several seconds

                        if let data = data, let resp = String(data: data, encoding: .ascii) {
                            print("HTTP Response: \(resp)") // .ascii? utf8
                        } else {
                            if let error = error {
                                // ... (the original snippet is cut off at this point)
                            }
                        }
                    }
                }))
            }
        }

        // Not visible in the truncated original: an NWConnection does nothing
        // until start(queue:) is called, so the connection is opened here.
        conn?.start(queue: .main)
        return true
    }
}
```

In this example, the NWConnection is established before the VPN is enabled. The stateUpdateHandler is set to handle the state of the connection, and once it reaches the .ready state, an HTTP request is sent over the connection without using the VPN.

Implications of Data Leakage

The implications of this data leakage are significant. When a VPN is supposed to protect users' data by encrypting it but allows unencrypted traffic to pass through, it compromises the very purpose of using a VPN. This means sensitive information such as browsing history, login credentials, and other personal data can be intercepted by third parties.

Moreover, this vulnerability is not limited to just one type of data. Any data transmitted through these pre-existing TCP connections will be exposed, including emails, chat messages, and even financial transactions. The fact that Apple has been aware of this issue for over two years and has chosen not to fix it is particularly concerning, as it places millions of users' security in jeopardy.

Mitigation Strategies

While the vulnerability in iOS VPNs is concerning, there are steps users can take to mitigate the risk:

Airplane Mode

One effective way to ensure all traffic goes through the VPN is to use Airplane mode. Turning on Airplane mode disables the cellular and Wi-Fi radios, which tears down every TCP connection that was open before the VPN existed; enabling the VPN afterwards means that any connection opened from then on is established while the tunnel is up and is routed through it. The point of the toggle is not the radios themselves but the fact that no pre-VPN connection survives it.

VPN Configuration

Users should ensure that their VPN is configured correctly. This includes setting the VPN to "on demand" mode, which should ideally connect before any network traffic is established. However, as mentioned earlier, iOS does not always handle this correctly, leading to potential data leakage.

Third-Party VPN Apps

Using third-party VPN apps might provide better control over how the VPN is configured and used. Some third-party apps offer additional features like kill switches, which can automatically disconnect the internet if the VPN connection drops, preventing any data from being sent over an unencrypted connection.
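The two failure modes described on this page, a connection opened before the tunnel exists (The Vulnerability Explained) and a connection that keeps talking after the tunnel drops (the kill-switch case above), can both be handled inside an app with Network.framework. The following is an added example written for this article; it is not Apple's code, not Patrick Jackson's snippet, and not part of any VPN product. It gates every outbound connection on an `NWPathMonitor` observation and pins the socket to a virtual interface with `requiredInterfaceType`, so a connection cannot be created before the tunnel is up and cannot silently migrate to Wi-Fi or cellular when the tunnel goes away. Assumptions, also marked in the comments: VPN tunnel (utun) interfaces are reported by `NWPathMonitor` with the interface type `.other`, which is what is observed in practice but is not something Apple documents as a contract, and the host `example.invalid` is a placeholder for whatever endpoint the app actually talks to.

```swift
// Added example: an application-side VPN gate / kill switch using Network.framework.
// Not from the article or from the Disconnect.me snippet it quotes.
// Assumption: VPN tunnel interfaces surface in NWPathMonitor as type .other.
import Foundation
import Network

final class VPNGatedClient {
    private let monitor = NWPathMonitor()
    private let queue = DispatchQueue(label: "vpn-gated-client")
    private var conn: NWConnection?
    private let hostName: String          // placeholder endpoint, e.g. "example.invalid"
    private let port: NWEndpoint.Port

    init(host: String, port: UInt16) {
        self.hostName = host
        self.port = NWEndpoint.Port(rawValue: port)!
    }

    /// Assumption: a tunnel is present when the current path is usable and
    /// can use a virtual (.other) interface. This matches how utun VPN
    /// interfaces appear in NWPathMonitor in practice; Apple does not document it.
    static func tunnelIsUp(_ path: NWPath) -> Bool {
        return path.status == .satisfied && path.usesInterfaceType(.other)
    }

    func start() {
        monitor.pathUpdateHandler = { [weak self] path in
            guard let self = self else { return }
            if VPNGatedClient.tunnelIsUp(path) {
                // Only now is it safe to open a socket: it is created while
                // the tunnel exists, so it is routed through the tunnel.
                self.openIfNeeded()
            } else {
                // No tunnel (never came up, or just dropped): close the socket
                // instead of letting it keep running over the physical interface.
                self.teardown(reason: "no VPN path available")
            }
        }
        monitor.start(queue: queue)
    }

    private func openIfNeeded() {
        guard conn == nil else { return }
        let params = NWParameters.tls
        // Pin the connection to a virtual interface. If the tunnel disappears
        // the connection fails or waits; it does not fall back to Wi-Fi/cellular.
        params.requiredInterfaceType = .other
        let c = NWConnection(host: NWEndpoint.Host(hostName), port: port, using: params)
        c.stateUpdateHandler = { [weak self] state in
            switch state {
            case .ready:
                self?.sendProbe(over: c)
            case .waiting(let err):
                // .waiting means no path satisfies the parameters right now.
                print("waiting for a tunnel path: \(err)")
            case .failed(let err):
                self?.teardown(reason: "connection failed: \(err)")
            default:
                break
            }
        }
        conn = c
        c.start(queue: queue)
    }

    /// Minimal HTTP/1.1 request, the same shape as the article's snippet,
    /// used here only to show that traffic flows once the gate is open.
    private func sendProbe(over c: NWConnection) {
        let request = "GET / HTTP/1.1\r\nHost: \(hostName)\r\nConnection: close\r\n\r\n"
        c.send(content: request.data(using: .ascii), completion: .contentProcessed({ error in
            if let error = error {
                print("send error: \(error)")
                return
            }
            c.receive(minimumIncompleteLength: 1, maximumLength: 4096) { data, _, _, _ in
                if let data = data, let text = String(data: data, encoding: .ascii) {
                    // Print just the status line, e.g. "HTTP/1.1 200 OK".
                    print(text.split(separator: "\r\n").first.map(String.init) ?? "")
                }
            }
        }))
    }

    private func teardown(reason: String) {
        guard let c = conn else { return }
        print("closing connection: \(reason)")
        c.cancel()
        conn = nil
    }
}

// Usage from an app (placeholder host): keep a strong reference and call start().
// let client = VPNGatedClient(host: "example.invalid", port: 443)
// client.start()
```

The design choice worth noting is that the gate and the pin are independent: the path monitor decides when a connection may be created at all, and `requiredInterfaceType` makes the operating system refuse to route that connection over anything but a virtual interface afterwards. Either alone leaves a window; the monitor alone does not stop an already-open socket from continuing after the tunnel drops, and the pin alone does not tell you when the tunnel is back. Neither replaces the Airplane-mode toggle for connections other apps opened before the VPN came up, which an app cannot reach.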

Regular Updates

Keeping the operating system and VPN app up-to-date is crucial. Regular updates often include patches for known vulnerabilities, including those related to VPN data leakage.

Alternative Solutions

For those who cannot rely on their iOS device's built-in VPN functionality, alternative solutions like using a different device or a different operating system might be necessary. This could include using a laptop or a desktop computer with a VPN configured properly.

Final Thoughts

The vulnerability in iOS VPNs is a serious issue that highlights the need for better security practices in mobile devices. While Apple has not yet addressed this issue, users can take steps to mitigate the risk by using Airplane mode, ensuring proper VPN configuration, and considering third-party VPN apps. The fact that this issue has been known for over two years underscores the importance of transparency and accountability in software development, particularly when it comes to security.

In summary, while iOS VPNs are designed to enhance security and privacy, their current implementation leaves users vulnerable to data leakage. It is essential for both users and developers to be aware of these vulnerabilities and take proactive measures to protect their data.
