Yet another critical VPN-related bug found in iOS 16

It was sometime in May when a security expert first revealed that iPhone VPN apps were leaking users’ data, claiming that Apple was doing nothing to fix it.

Now, just a few months later, another serious problem has been found with VPN use on iOS, and this time some of users’ most sensitive information is at risk.

Another expert recently discovered that many Apple apps, including Health and Wallet, send users’ private data outside of an active VPN tunnel.

However, the best VPN services are not to blame here.

Apple Apps Bypass VPN Encryption

“We confirm that iOS 16 does communicate with Apple services outside of an active VPN tunnel. Worse, it leaks DNS requests,” developer and security researcher Tommy Mysk tweeted on Oct. 12.

In theory, when you connect to a secure VPN, your traffic is encrypted and routed through one of the provider’s servers before reaching its destination. This means that neither your ISP nor any other third party should be able to see that traffic. Likewise, the websites you visit cannot determine your real IP address or other identifying details.

Mysk ran a few tests on iOS 16 with Proton VPN connected and Wireshark capturing. To his dismay, he and his team found that many Apple apps simply ignore the VPN tunnel and exchange data directly with Apple servers.
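To make the kind of check Mysk describes repeatable, here is an added example (not code from the article or from Mysk’s team) that scans a constructed per-packet capture summary, of the sort a tshark export would give, and flags flows that left via the physical interface while the tunnel was up, including DNS queries that did not go to the VPN’s resolver. The interface names, addresses, VPN server and resolver are assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed environment for this example: tunnel interface, Wi-Fi interface,
# the VPN server the tunnel terminates at, and the resolver the VPN pushes.
VPN_IFACE = "utun3"
PHYS_IFACE = "en0"
VPN_SERVER = "198.51.100.7"
VPN_DNS = "10.2.0.1"
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN_OK_PORTS = {67, 68}  # DHCP legitimately stays on the LAN

# Constructed capture summary: iface,src,dst,proto,dport (one packet per line).
SAMPLE = """\
utun3,10.2.0.2,203.0.113.10,TCP,443
utun3,10.2.0.2,10.2.0.1,UDP,53
en0,192.168.1.20,198.51.100.7,UDP,51820
en0,192.168.1.20,203.0.113.10,TCP,443
en0,192.168.1.20,192.168.1.1,UDP,53
en0,192.168.1.20,192.168.1.1,UDP,67
"""

@dataclass
class Leak:
    kind: str   # "dns" or "tunnel-bypass"
    src: str
    dst: str
    dport: int

def is_lan(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in LAN_NETS)

def find_leaks(summary: str) -> list[Leak]:
    """Return packets that should have used the tunnel but went out on PHYS_IFACE."""
    leaks = []
    for line in summary.splitlines():
        if not line.strip():
            continue
        iface, src, dst, proto, dport = line.split(",")
        dport = int(dport)
        if iface == VPN_IFACE or iface != PHYS_IFACE:
            continue                      # inside the tunnel, or another iface
        if dst == VPN_SERVER or dport in LAN_OK_PORTS:
            continue                      # encrypted outer tunnel packets, DHCP
        if proto == "UDP" and dport == 53 and dst != VPN_DNS:
            leaks.append(Leak("dns", src, dst, dport))   # classic DNS leak
        elif not is_lan(dst):
            leaks.append(Leak("tunnel-bypass", src, dst, dport))
    return leaks

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE):
        print(f"{leak.kind}: {leak.src} -> {leak.dst}:{leak.dport} on {PHYS_IFACE}")
```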

Even worse, the applications that leak data are actually the applications that manage the most private and sensitive information. These are Health, Wallet, Apple Store, Clips, Files, Find My, Maps, and Settings.

As for the reasons behind this bug, Mysk seems to believe that Apple is doing this intentionally.

“There are services on the iPhone that require regular contact with Apple servers, such as Find My and Push Notifications. However, I see no problem with tunneling this traffic into the VPN connection. The traffic is encrypted anyway,” he told 9to5Mac, adding that they did not expect such an amount of traffic to be exposed.

Not just iOS VPN

As Mysk confirms during his testing, iPhone and iPad users aren’t the only ones putting their privacy on the line.

“I know what you’re asking yourself and the answer is YES. Android communicates with Google services outside of an active VPN connection, even with the Always-on and Block Connections without VPN options,” he said.

Just a few days ago, we reported on Mullvad VPN’s findings, from its latest security audit, that Android devices are quietly undermining VPN services.

In that case, Android devices expose users’ data outside the VPN while performing connectivity checks when joining some Wi-Fi networks.

The VPN provider asked Google to add an option to opt out of these checks when a VPN is active, but the tech giant believes it isn’t necessary. This is why Mullvad is now pushing for at least changing the “misleading” description of the VPN-related features.
