Does iOS VPN Leak?

This AppleInsider article reports that iOS VPNs leak data and cites this evidence:

Should I be concerned?

For me, the author lost all credibility by not knowing that all 17.* addresses belong to Apple.

Concerned, no, but my question is always, why do you need to use a VPN? There are only a couple of reasons why anybody needs one

  • To allow access to a private network such as a school or business when you are not on site.
  • To allow access outside of a country with a repressive government that has restricted Internet access or to access something like your Netflix streaming account when you are in a different country.

Use when on a public WiFi has become far less important with the advent of https end-to-end encryption to most any site you frequent these days.

2 Likes

Or if you have a static IP, which I have at home. Also I trust some VPNs more than I trust Centurylink, which is my dsl provider, but not my isp (a grandfathered local one-man shop).

It’s not perfect though by any means. Some sites, including some purely informational .gov sites, local and federal, won’t complete a connection until I turn off the VPN long enough to let them set a cookie. Other sites, including CDC, won’t let me connect at all via protonvpn (haven’t tried others), which is just stupid. I have it set to use US IPs, so it isn’t a geofence, though that would still be stupid.

1 Like

Unless you’re still using dial-up Internet, your address is mostly-static anyway. Although my Comcast account provides dynamic IP addresses, I’ve found that it actually changes very infrequently.

For the most part, I agree with your assessment, though there is no shortage of websites that discourage reliance on HTTPS alone, such as this one.

I’ve been told by people I trust that many HTTPS websites should not be trusted because the developer may have made errors in implementation. When I press these people, I don’t get specific answers but instead I’ve been told to read There’s a War Going on but No One Can See It for examples of how insecure HTTPS websites can be. Unfortunately, I’ve not looked at this book yet.

I would add to your list of reasons for using a VPN various services such as GPS. For example, I visited China several years ago and found that maps from the local Google Maps were not usable whereas when I used a VPN terminating at my home in the United States, my maps were perfect. (Yes, this was many years ago when Google still operated in mainland China. I’ve read that the government adds random location errors to GPS data to interfere with people trying to organize protests.)

DNS is another service that is improved by using a VPN. As I understand, DNS usually operates in clear text so DNS queries and responses can be sniffed from WiFi that is not secured as well as all downstream routers and other infrastructure. With a VPN, all DNS queries are encrypted within the VPN’s tunnel and therefore privacy is ensured for this portion of the connection to my DNS of choice. I also worry about correct routing to a trustworthy DNS. For example, even if I’ve set my device to use a specific, trusted DNS, what’s to prevent an untrusted router from rerouting my DNS request to a poisoned DNS server? Hopefully the imposter bank site that the poisoned DNS sends my browser to will not have a valid digital certificate but should I rely on this; isn’t it possible to get a low-grade digital certificate with any domain name and then bind the domain name to a rogue server masquerading as my bank? Am I being paranoid?

A final example of the benefit of a VPN has to do with the coding of HTML pages themselves. As I understand, in the past, an HTTPS connection to a website did NOT ensure that all the page’s assets, e.g., images, were retrieved with an HTTPS connection. For example, if the HTML markup contained an HTTP source attribute for an IMG tag, then this image would be retrieved using HTTP, not HTTPS.

In short, an HTTPS channel can be bulletproof and still HTTPS doesn’t provide either privacy or security for communication outside of this channel. Moreover, even for traffic that is encrypted using HTTPS, users are vulnerable targets to signal intelligence because the IP address of every HTTPS connection is sent in the clear.

Well, he said under “Where this stands?” that he learned about this fact on 31 July.

The problem for me is rather that he calls it a scam. Doing so indicates malicious intent, by Apple in this case. I think that’s going a bit far.

1 Like

If I’m understanding properly, it’s possible for a connection that exists when the VPN is turned on to remain in use outside the VPN. That seemed to be only Apple’s push notification service and in one case, Gmail, but the more general point is that it’s possible.

Toggling Airplane mode on and off may be a workaround.

Regardless, this would seem to be of concern only for those who use a VPN for security reasons and who have significant security concerns. If you’re not a high-value target, the likelihood of anyone trying to sniff your traffic and actually getting something useful out of the leaked data would seem vanishingly small.

Those who just use VPNs to access internal networks or to change their geolocation aren’t affected by this as far as I can see.

So, not good, but not a case of the sky falling.

3 Likes

To further expand on Nello’s comment about DNS:

Because of DNS queries, when you attach to public WiFi you’re giving the provider information about what sites you visit, even if you’re using HTTPS connections. This can be used to track an individual further, especially if, say, you browse the web site or use the app of the WiFi provider.

This is kind of insidious, in that the default behavior of iOS devices is to attempt to reconnect to WiFi SSIDs you have previously used. So if, for instance, you use Target’s WiFi one time, they will know when you reenter their store from then on, unless you turn the Auto-Join setting off.

Also, Nello wrote:

A final example of the benefit of a VPN has to do with the coding of HTML pages themselves. As I understand, in the past, an HTTPS connection to a website did NOT ensure that all the page’s assets, e.g., images, were retrieved with an HTTPS connection. For example, if the HTML markup contained an HTTP source attribute for an IMG tag, then this image would be retrieved using HTTP, not HTTPS.

This is not really an issue anymore. All major browsers now refuse to load HTTP (non-SSL) assets on an HTTPS (SSL-enabled) page, by default. It’s possible but difficult to get them to do it, though.

1 Like

One issue that stood out for me for me is his misunderstanding that Apple changed Airplane Mode and the WiFi switch in control center to leave WiFi turned on, but that you can simply toggle off Wifi in Settings / WiFi (then toggle it back on) and, while cellular data does turn off when you turn on Airplane Mode, you can do the same for cellular data in the control panel or in settings / cellular.

People were grumbling about this (well, the control center behavior when you “turn off” wifi) when it happened with iOS 11 four and a half years ago; I figured everyone who is at that level of technical understanding that they can do a traffic analysis knew that about iOS. Really the guys at Proton should have known that as well.

That said - I agree with the assessment that turning on VPN should route all traffic through the tunnel if the VPN is able to work that way. I can understand, maybe, Apple avoiding the tunnel for push notifications and iCloud syncing, but even that should be something the user can toggle.

2 Likes

So, it appears that the problem is that activating a VPN does not force existing connections to restart under the VPN. A suggested workaround is to force the connections to drop by temporarily going into Airplane mode. However, some commentators on the Ars Technica coverage noted that just toggling Airplane mode on and off doesn’t necessarily force connections to drop. Apparently, IOS devices don’t immediately drop their cellular and WiFi connections immediately when Airplane mode is entered. The claim is that the system waits for 5 seconds or so. That is done to allow those who accidentally enter Airplane mode may recover without damage So, according to these commentators, one should go into Airplane mode, take a few deep breaths, and then return to normal mode to assure that all existing connections have been dropped.

1 Like

Sorry if I’m missing some context here, but switching on Airplane Mode doesn’t affect Wi-Fi. At least on my iPhone 13 Pro Max running iOS 15.6. On my phone, the AM switch only turns off the cellular radio.

1 Like

Yes, you do need to turn off WiFi and Bluetooth separately if you wish. However, if you log press the Airplane mode button in the control center, a window will open up allowing you to quickly deal with each of those services (and Airdrop and personal hotspots).

1 Like

It’s always important to note the context. In this example, the author is simply pointing out that HTTPS doesn’t solve every security problem. But nobody (at least nobody who knows what he’s talking about) said it did.

HTTPS and VPN solve two different categories of problems and neither one is a replacement for the other.

I’d love to know what they have in mind. It is well known that some ciphers used by HTTPS have been broken and are no longer considered secure. Which is why modern web browsers have either removed support for them or make you jump through hoops in order to use them.

If a web site is using an old insecure cipher, a modern browser will either not let you connect or will warn you about it. If you care, you should let the site admins know so they can upgrade their server. If you don’t care, then you have enough knowledge to know that you shouldn’t divulge anything sensitive over the link.

It depends on whether you manually turned Wi-Fi off/on while in airplane mode in the past.

Long-press the airplane-mode button from control center to get its sub-options. Turn on airplane mode. You may see Wi-Fi, AirDrop and Bluetooth go off. Or not. Toggle them on or off as you like. When you exit airplane mode, they will all come on again. When you re-enter airplane mode, they will go to the state you set them to.

I think this makes a certain amount of sense. Airlines today usually permit Wi-Fi while in the air (and even offer their own services over an in-flight hotspot). So you should be able to enable Wi-Fi in airplane mode, and it should remember your preference for the next time you fly.

But it does mean you should not think of airplane mode as “all radios off”. Because it isn’t, and (I think) hasn’t been for quite some time.

Amusingly, this is also the case with my iPod Touch. Which makes far less sense, since it has no cellular radio. Turning on airplane mode while leaving Wi-Fi on for this device seems rather pointless to me.

2 Likes

“Unless you’re still using dial-up Internet, your address is mostly-static anyway”

Yeah, that’s basically why I haven’t had my isp switch me away from my routable statics. A fuss for only some gain, and if I get an itch to run a server again, it’s yet more fuss. I might try out a few other vpns, proton has some annoyances in addition to being blocked more than it should be.

Another article weighing in on the limited use cases for a VPN: