In May, a security researcher revealed that iPhone VPN apps were leaking user data and claimed Apple was doing nothing to fix it.
Now, just a few months later, another major problem with VPN software on iOS has been discovered. This time some of users’ most sensitive information is at stake.
Another expert recently discovered that many Apple apps, including Health and Wallet, send users’ private data outside of an active VPN tunnel.
However, the best VPN services are not to blame here.
Tweet from Mysk, October 12, 2022: “We confirm that iOS 16 communicates with Apple services outside the active VPN tunnel. Worse, DNS requests are leaking. Apple services that elude a VPN connection include Health, Maps, Wallet. We used @ProtonVPN and #Wireshark. Details in the video: #CyberSecurity #Privacy” pic.twitter.com/ReUmfa67ln
Apple apps bypass VPN encryption
“We confirm that iOS 16 communicates with Apple services outside the active VPN tunnel. Worse still, DNS requests are leaking,” tweeted developer and security researcher Tommy Mysk.
In theory, when you connect to a VPN, all of your device’s traffic is encrypted and routed through one of the provider’s servers before it reaches its final destination. Neither your Internet Service Provider nor any other party on the path should be able to see where that traffic is going or what it contains, and the websites you visit see the VPN server’s IP address rather than your real one. A DNS leak breaks the first promise: even if the content is hidden, the names your device resolves reveal which services it is talking to.
Mysk ran several tests on iOS 16 with Proton VPN connected and Wireshark capturing the traffic. To his dismay, he and his team found that many Apple apps ignore the VPN tunnel and exchange data with Apple’s servers directly over the underlying network connection.
Worse, the apps that leak are the ones that handle the most private and sensitive information: Health, Wallet, Apple Store, Clips, Files, Find My, Maps, and Settings.
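Mysk’s method, reduced to a check you can run on your own capture, as an added example that is not part of this article or of Mysk’s own tooling: capture on both the physical interface and the VPN tunnel interface, then flag everything leaving the physical interface that is not the encrypted tunnel itself, and treat any port 53 query off the tunnel as a DNS leak. The capture lines, interface names (en0 for Wi-Fi, utun3 for the tunnel), addresses, VPN endpoint and tunnel subnet are all constructed for the example; 17.0.0.0/8 is Apple’s publicly allocated range. In practice you would feed it a field export from Wireshark or tshark with the columns interface, source, destination, protocol, destination port.

```python
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample capture (tab-separated): iface, src, dst, proto, dst port.
# Addresses, interface names and ports are made up for the example.
SAMPLE_CAPTURE = """\
en0\t192.168.1.23\t203.0.113.10\tUDP\t51820
utun3\t10.2.0.2\t17.253.144.10\tTCP\t443
utun3\t10.2.0.2\t10.2.0.1\tUDP\t53
en0\t192.168.1.23\t17.57.144.20\tTCP\t443
en0\t192.168.1.23\t192.168.1.1\tUDP\t53
en0\t192.168.1.23\t224.0.0.251\tUDP\t5353
"""

TUNNEL_IFACE_PREFIX = "utun"              # iOS/macOS VPN tunnel interfaces
VPN_ENDPOINT = ("203.0.113.10", 51820)    # assumed VPN server address and port
APPLE_RANGE = ipaddress.ip_network("17.0.0.0/8")  # Apple's public allocation


@dataclass(frozen=True)
class Packet:
    iface: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    proto: str
    dport: int


def parse_capture(text: str) -> list[Packet]:
    """Parse the tab-separated export into Packet records, skipping blank lines."""
    packets: list[Packet] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        iface, src, dst, proto, dport = raw.split("\t")
        packets.append(
            Packet(iface, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport))
        )
    return packets


def classify(pkt: Packet) -> str:
    """Return one of: tunnelled, tunnel-transport, dns-leak, local, leak."""
    if pkt.iface.startswith(TUNNEL_IFACE_PREFIX):
        return "tunnelled"          # inside the VPN: what we expect to see
    if (str(pkt.dst), pkt.dport) == VPN_ENDPOINT:
        return "tunnel-transport"   # the encrypted tunnel itself leaving the NIC
    if pkt.dport == 53:
        return "dns-leak"           # name resolution bypassing the tunnel resolver
    if pkt.dst.is_private or pkt.dst.is_multicast or pkt.dst.is_link_local:
        return "local"              # LAN/mDNS traffic VPNs normally exclude
    return "leak"                   # Internet-bound traffic that skipped the tunnel


def audit(text: str) -> dict:
    """Summarise a capture: verdict counts and the destinations reached off-tunnel."""
    packets = parse_capture(text)
    verdicts = [(p, classify(p)) for p in packets]
    counts = Counter(v for _, v in verdicts)
    leaked = sorted({str(p.dst) for p, v in verdicts if v in ("leak", "dns-leak")})
    apple = sorted({str(p.dst) for p, v in verdicts if v == "leak" and p.dst in APPLE_RANGE})
    return {
        "counts": dict(counts),
        "leaked_destinations": leaked,
        "apple_destinations_off_tunnel": apple,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

The only packets that should ever appear on the physical interface while a full-tunnel VPN is up are the encrypted tunnel transport and, depending on the VPN’s settings, LAN traffic; anything else in the “leak” or “dns-leak” buckets is the behaviour Mysk describes.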
Asked about the cause of this behaviour, Mysk seems to believe Apple is doing it on purpose.
“There are services on the iPhone that require frequent contact with Apple’s servers, such as Find My and Push Notifications. However, I have no problem tunneling this traffic over a VPN connection. The traffic is encrypted anyway,” Mysk told 9to5Mac, adding that he did not expect so much traffic to be exposed.
Not only iOS VPNs
As Mysk confirmed during his tests, iPhone and iPad users are not the only ones whose privacy is at risk.
“I know what you are asking and the answer is YES. Android communicates with Google services outside of an active VPN connection, even with the ‘Always On’ and ‘Block connections without VPN’ options,” he said.
Just a few days ago, we reported on Mullvad VPN’s findings, made during a recent security audit, that Android devices quietly undermine VPN services.
In that case, Android sends connectivity-check traffic outside the VPN tunnel when it joins certain Wi-Fi networks, exposing user data to the network.
Mullvad asked Google to add an option to disable these checks while a VPN is active, but Google does not believe this is necessary. Mullvad is therefore now pushing for Google at least to change the “confusing” description of the VPN-related settings.