VPN services are available to iOS users, but they don't work as intended because of a bug in iOS: when the VPN starts, the system does not route all existing network connections through the tunnel.
ProtonVPN found a vulnerability in iOS 13.3.1 that directly affects all VPN connections, no matter which application initializes the private tunnel. The issue persists in the latest iOS 13.4 version as well.
Most companies follow a responsible disclosure program, which means they first notify the developers of the affected app or the makers of a hardware component about an issue, giving them time to fix it. In this case, Apple was given 90 days before the vulnerability was made public. The company has yet to issue a fix, but it is working on options for mitigation.
As it turns out, when a user starts a VPN connection, iOS doesn't close the network connections that are already open, so they stay online outside the tunnel. At some point those connections are re-established through the VPN, but when that happens is entirely up to the OS; users have no control over it.
While it might not seem like a big deal, imagine you're trying to use a VPN, but its protection is crippled because other components, such as messaging applications or the notification service, keep communicating over connections that were opened before the tunnel came up.
“The VPN bypass vulnerability could result in users’ data being exposed if the affected connections are not encrypted themselves (though this would be unusual nowadays),” says ProtonVPN in the notice.
“The more common problem is IP leaks. An attacker could see the users’ IP address and the IP address of the servers they’re connecting to,” the company said. “Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server. Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common.”
All VPN apps are affected by this vulnerability, as an app has no way to kill the connections the OS keeps open. The only temporary workaround is to run the VPN app, turn Airplane Mode on and then off, and hope that every connection is re-established through the tunnel. There is no guarantee that this is completely effective, though.
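The behaviour described in this article can be shown with a small conceptual model. The following is an added example and not ProtonVPN's or Apple's code: it assumes a simplified device connection table in which each connection's egress path (direct or through the tunnel) is fixed when the connection is created, which is why connections opened before the VPN starts keep leaking until something such as an Airplane Mode toggle tears them all down. The class and function names are hypothetical; on a real iOS device a VPN app cannot enumerate or close other apps' sockets, so `leaking_connections()` is a check the platform would have to perform, not something an app can run.

```python
"""Conceptual model of the iOS VPN bypass described above.

Added example, not ProtonVPN's code. Assumption: the egress path of a
connection is chosen once, at connect time, and bringing up the VPN does
not touch sockets that already exist. All names here are hypothetical.
"""
from dataclasses import dataclass, field

DIRECT = "direct"   # constructed label: raw Wi-Fi/cellular egress
TUNNEL = "tunnel"   # constructed label: egress through the VPN tunnel


@dataclass
class Connection:
    owner: str   # constructed app name, e.g. "messaging" or "push"
    dest: str    # constructed destination host
    path: str    # DIRECT or TUNNEL, fixed when the connection is opened


@dataclass
class Device:
    vpn_up: bool = False
    connections: list = field(default_factory=list)

    def connect(self, owner, dest):
        # The path is decided once, when the socket is created.
        conn = Connection(owner, dest, TUNNEL if self.vpn_up else DIRECT)
        self.connections.append(conn)
        return conn

    def start_vpn(self):
        # The bug: starting the tunnel leaves existing connections untouched.
        self.vpn_up = True

    def leaking_connections(self):
        # Defender's check: connections still on the direct path while the
        # VPN is up bypass the tunnel and expose the device's real IP.
        if not self.vpn_up:
            return []
        return [c for c in self.connections if c.path == DIRECT]

    def toggle_airplane_mode(self):
        # The article's workaround: Airplane Mode drops every connection, and
        # apps that reconnect afterwards get a path chosen with the VPN up.
        dropped = [(c.owner, c.dest) for c in self.connections]
        self.connections.clear()
        for owner, dest in dropped:
            self.connect(owner, dest)
        return len(dropped)


def demo():
    """Constructed scenario: two apps are connected before the VPN starts."""
    device = Device()
    device.connect("messaging", "chat.example.net")
    device.connect("push", "push.example.net")
    device.start_vpn()
    device.connect("browser", "site.example.org")   # opened after VPN: tunnelled
    before = [c.owner for c in device.leaking_connections()]
    device.toggle_airplane_mode()
    after = [c.owner for c in device.leaking_connections()]
    return before, after


if __name__ == "__main__":
    leaking_before, leaking_after = demo()
    print("leaking before airplane toggle:", leaking_before)
    print("leaking after airplane toggle: ", leaking_after)
```

The model makes the mitigation trade-off visible: the only lever the user has is one that drops every connection, and the workaround is only as good as the guarantee that nothing reconnects before the tunnel is fully up, which is why the article calls it a hope rather than a fix.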