This week, the internet has been persistently debating the security flaw that affects VPN applications on iOS. The problem is not new, but Apple insists the glitch is fixed.
Although the Cupertino company claims to have offered a fix since 2019, Proton (owner of ProtonVPN) says it is only a partial solution and that the problem is still there. So who is right?
VPN Security on iOS: Proton Contradicts Apple
Apple takes security very seriously. However, no system is perfect, and the US company is a prime target because of its popular privacy offering.
In that regard, in March 2020 an issue was raised about a major security flaw in iOS that affects any VPN service.
Although some time has passed since the flaw was discovered, Apple has supposedly still not fixed it. That is the claim of security expert Michael Horowitz, who states that VPN apps for iOS continue to have a serious security flaw because of the issue known since 2020.
According to the expert, as soon as a user activates a VPN application, it must immediately close all existing (non-secure) data connections and reopen them within the secure “tunnel”. This is an absolutely standard feature of any VPN service.
Horowitz did some testing and found that not all existing connections are closed when a VPN app is activated. This means that some data continues to be sent over an insecure link. This happened with several VPN apps for iOS on various devices.
In some cases, these insecure connections may persist for a few minutes. This becomes a big problem because some people activate their VPN immediately before doing anything sensitive. In fact, Horowitz found that some of these connections can remain active for hours. This includes Apple's own push notifications.
These tests supported the suspicion and the claim raised by ProtonVPN in 2020. Proton discovered the issue in iOS 13.3.1 and says the glitch continues to this day.
Proton has notified Apple but says the tech giant has not taken any action.
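The check behind the tests described above can be sketched as follows. This is an added example, not code from Horowitz, Proton or Apple. It assumes flow records exported by a router upstream of the phone; the Flow fields, the addresses (documentation ranges) and the timestamps are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Flow:
    """One flow as seen upstream of the phone (assumed: exported by the router)."""
    dst: str
    dst_port: int
    first_seen: float  # seconds since capture start
    last_seen: float


# Constructed sample data; addresses come from documentation ranges.
VPN_SERVER = "203.0.113.10"
VPN_ON_AT = 1000.0  # moment the VPN was switched on
SAMPLE = [
    Flow("203.0.113.10", 51820, 1000.0, 9000.0),  # the tunnel itself
    Flow("192.0.2.7", 443, 100.0, 950.0),         # closed before the VPN came up
    Flow("198.51.100.20", 443, 900.0, 1090.0),    # lingered for 90 seconds
    Flow("198.51.100.5", 5223, 200.0, 8200.0),    # long-lived, push-style connection
    Flow("198.51.100.77", 443, 1200.0, 1201.0),   # opened after activation, outside tunnel
]


def leaked_flows(flows, vpn_server=VPN_SERVER, vpn_on_at=VPN_ON_AT):
    """Return (flow, kind, seconds_exposed) tuples, longest exposure first.

    Once the VPN is up, the router should only see traffic to the VPN server.
    Any other flow still active after activation bypassed the tunnel:
    "survived" if it predates activation (the behaviour discussed here),
    "new" if it was opened afterwards.
    """
    server = ip_address(vpn_server)
    leaks = []
    for f in flows:
        if ip_address(f.dst) == server or f.last_seen <= vpn_on_at:
            continue  # tunnel traffic, or a flow that ended before activation
        kind = "survived" if f.first_seen < vpn_on_at else "new"
        leaks.append((f, kind, f.last_seen - max(f.first_seen, vpn_on_at)))
    return sorted(leaks, key=lambda leak: leak[2], reverse=True)


if __name__ == "__main__":
    for flow, kind, exposed in leaked_flows(SAMPLE):
        print(f"{flow.dst}:{flow.dst_port} {kind} {exposed:.0f}s outside tunnel")
```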
Apple says it has been offering a fix since 2019
For Apple, the matter appears to have been resolved since 2019. At WWDC 2019, at least, the company announced what appeared to be a way for VPN app developers to solve the problem.
As you can see in this video, there was a reference there to new features made available to programmers.
var includeAllNetworks: Bool { get set }
If this value is true and the tunnel is not available, the system drops all network traffic. The default value is false.
Nonetheless, as noted, this option is turned off by default for some reason. It is not clear what that reason is, nor why the developers of the tested VPN apps have not implemented it.
In a counter-response, Proton mentioned being aware of this "fix" that was claimed. However, the company found that it was only partially effective. Insecure connections to some Apple services still exist after activating a VPN.
Proton founder and CEO Andy Yen said they made the decision to make the flaw public after Apple told them it wouldn't be offering a complete solution.
"The fact that this is still an issue is disappointing to say the least. We first notified Apple privately about this issue two years ago. Apple refused to address the issue, which is why we revealed the vulnerability to protect the public.
The safety of millions of people is in Apple's hands, they are the only ones who can solve the problem, but given the lack of action over the last couple of years, we're not very optimistic that Apple will do the right thing," said CEO Andy Yen.
Apple, after all, is there a security problem or not?
Confusion seems to persist. Horowitz further pointed out that even iOS doesn't seem to know whether or not a VPN service is active. In fact, he left these images as an example:
This saga seems to be unfinished. Proton has contacted Apple again, and there may be more news in the coming days.
For now, Proton points to a problem that, according to Apple, does not exist. Proton does say the problem is no longer as large as it initially reported, but it remains a problem.
Let's wait and see what Apple will do or say next.