Your VPN might not be as secure as you think on iOS


A VPN, or virtual private network, is a hallmark of good cybersecurity defense. Most companies utilize some form of VPN these days, and with good reason. As Kaspersky puts it, “VPNs encrypt your internet traffic and disguise your online identity. This makes it more difficult for third parties to track your activities online and steal data. The encryption takes place in real time.” Put more simply, a VPN creates a kind of digital tunnel through which all your internet searches and data are funneled. The tunnel is fully encrypted, and internet service providers or hackers trying to snoop on you can’t tell what’s being transmitted through said tunnel. Given how much of our working lives are now remote, accessing corporate resources or protected data from non-secure locations is a necessity, and one of the best ways to ensure that transmission is protected is by using VPNs. But, a security flaw in iOS means your mobile VPNs might not be working as intended.

Data transmission outside the VPN tunnel

When you launch a VPN service on your iPhone, the assumption (and in all honesty, the way it’s supposed to work) is that your iPhone would sever all previous internet sessions and route all existing and future traffic through the VPN service so long as you have it enabled. But according to Michael Horowitz, a prominent computer security blogger and researcher in his continuously updated blog, “VPNs on iOS are broken.”

An article in Wired described Horowitz’s findings like this:

Any third-party VPN seems to work at first, giving the device a new IP address, DNS servers, and a tunnel for new traffic, Horowitz writes. But sessions and connections established before a VPN is activated do not terminate and, in Horowitz’s findings with advanced router logging, can still send data outside the VPN tunnel while it’s active.

The article continues, and corroborates what Horowitz has found via a prior blog post from the privacy-specific email and VPN company Proton:

Privacy company Proton previously reported an iOS VPN bypass vulnerability that started at least in iOS 13.3.1. Like Horowitz’s post, ProtonVPN’s blog noted that a VPN typically closes all existing connections and reopens them inside a VPN tunnel, but that didn’t happen on iOS. Most existing connections will eventually end up inside the tunnel, but some, like Apple’s push notification service, can last for hours.

So what does this mean for you?

The top takeaway is that no security solution is absolute in and of itself. VPNs are a massively important tool in safeguarding your company and its data especially when you have a distributed workforce requiring remote access to intranet resources behind a firewall. But the VPN isn’t the end-all and be-all of security — it’s but one element in a redundant arsenal of security tools to keep your business safe. Even some of the most advanced technology companies on earth — ahem, Apple — struggle with security protocols working exactly as intended all of the time.

That means if you’re a small- or medium-sized business, you may want to look into partnering with a managed service provider like Leverage to help design, implement, monitor and respond to cybersecurity risks and/or attacks. We’re experts in designing security postures and keeping our partners and their data safe while ensuring maximum business uptime (because you’re not making money if your business can’t be up and running). Give us a shout today, and let us show you how we can help your business stay safe now and long into the future.