Many mobile users run VPN apps for benefits such as cheaper online purchases, access to other countries' streaming catalogues, or downloading apps that are not available in their home country. On iOS, however, these apps may not protect you the way you expect.
In August, a researcher found a major flaw in how iOS handles VPN apps, and a second researcher has now demonstrated another major issue.
The first problem was that activating a VPN app should close all existing connections and reopen them inside the tunnel, but it didn't. The second is that many of Apple's own apps and services, including Health and Wallet, send private data outside the VPN tunnel.
How VPN apps should work on iOS
Normally, when you connect to a website or other server, your data first goes to your mobile data provider (or the Wi-Fi network you are on), which forwards it to the remote server. That means your ISP can see who you are and which sites and services you are accessing, and it also exposes you to rogue Wi-Fi hotspots, whose operator sits in the same position.
With a VPN, your device instead sends all of its traffic in encrypted form to the VPN server, which forwards it on to the real destination. Your ISP or the hotspot operator can no longer see the destinations or the contents; all they can see is that you are sending traffic to a VPN server, and how much.
Similarly, the websites and servers you access see the VPN server's IP address rather than yours, so they do not learn your IP address, location, or other identifying data derived from it.
Existing connections are not closed
The moment a VPN app is activated, it should immediately close all existing (non-tunnelled) data connections and then reopen them inside the secure tunnel. This is an absolutely standard feature of any VPN service, and it matters because a connection opened before the VPN came up is otherwise free to keep running outside it.
However, the researcher found that this did not happen reliably on iOS: connections established before the VPN was activated could keep sending and receiving data outside the tunnel after it was up, rather than being torn down and re-established through it.
Many Apple apps are excluded from VPNs
Developer and security researcher Tommy Mysk, looking at what IP addresses were being accessed when a VPN was active, found that many Apple apps ignored the VPN tunnel and instead communicated directly with Apple servers.
“We confirmed that iOS 16 communicates with Apple services outside of an active VPN tunnel. Worse still, it filters requests for . Apple services that escape the VPN connection include Health, Maps, Wallet…”
This means that this traffic leaves the device on the regular network interface with the user's real IP address, visible to the ISP or to whoever runs the Wi-Fi hotspot, rather than being hidden inside the tunnel. The connections themselves are TLS-encrypted, so an eavesdropper does not get the plaintext of your health records or payment data, but they do learn that this device is talking to Apple's Health, Wallet and Maps back ends, when, and how much, and a rogue hotspot (trivial to set up) is the ideal place to collect exactly that, which is what the VPN was supposed to prevent.
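Both findings above come down to the same check Mysk performed: with the VPN active, look at which interface each connection is on and which IP it is talking to. The script below is an added example (not Mysk's tooling or anything from Apple) that runs that check over a small set of constructed flow records of the kind you would derive from a packet capture or connection table on the device under test. The record format, the VPN endpoint address, the activation time and the interface-name prefixes are all assumptions for the example; it treats a flow as fine if it rides a tunnel interface, is the tunnel's own outer transport, or goes to a local/multicast destination, and flags everything else as either a connection that pre-dates VPN activation (the first flaw) or one opened afterwards that bypasses the tunnel (the second).

```python
"""Flag connections that run outside a VPN tunnel (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List

# Destinations that are legitimately reachable without the tunnel: RFC 1918 LAN
# ranges, loopback, link-local and multicast. Anything else seen on a physical
# interface while the VPN is up is suspect. (IPv4 only in this example.)
LOCAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]

# Interface-name prefixes that carry tunnelled traffic. iOS/macOS use utunN for
# VPN tunnels; tun/tap are common on Android/Linux. Assumption: adjust for the device.
TUNNEL_PREFIXES = ("utun", "tun", "tap")


@dataclass
class Flow:
    opened: datetime   # when the connection was established
    iface: str         # interface the packets are seen on
    src: str
    dst: str
    dport: int


@dataclass
class Leak:
    kind: str          # "pre-existing" (opened before VPN) or "bypass" (opened after)
    flow: Flow


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'YYYY-MM-DD HH:MM:SS iface src dst:port'."""
    date, time, iface, src, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return Flow(datetime.fromisoformat(f"{date} {time}"), iface, src, dst, int(port))


def is_local(addr: str) -> bool:
    """True for destinations that are expected to stay off the tunnel."""
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def find_leaks(flows: List[Flow], vpn_server: str, vpn_started: datetime) -> List[Leak]:
    """Return every flow that carries traffic outside the tunnel while the VPN is up."""
    leaks: List[Leak] = []
    for f in flows:
        if f.iface.startswith(TUNNEL_PREFIXES):
            continue                      # inside the tunnel: fine
        if f.dst == vpn_server:
            continue                      # the tunnel's own encrypted outer transport
        if is_local(f.dst):
            continue                      # LAN / loopback / multicast, expected off-tunnel
        kind = "pre-existing" if f.opened < vpn_started else "bypass"
        leaks.append(Leak(kind, f))
    return leaks


# Constructed sample: VPN (endpoint 203.0.113.10) activated at 12:00:00.
# The 11:59:30 flow was opened before that and is still running on en0;
# the 12:00:10 flow was opened afterwards but never entered the tunnel.
SAMPLE_FLOWS = """\
2022-10-12 11:59:30 en0   10.0.0.5 192.0.2.44:443
2022-10-12 12:00:01 en0   10.0.0.5 203.0.113.10:443
2022-10-12 12:00:05 utun4 10.8.0.2 198.51.100.20:443
2022-10-12 12:00:10 en0   10.0.0.5 192.0.2.77:443
2022-10-12 12:00:12 en0   10.0.0.5 224.0.0.251:5353
"""
VPN_SERVER = "203.0.113.10"
VPN_STARTED = datetime(2022, 10, 12, 12, 0, 0)


def run_sample() -> List[Leak]:
    flows = [parse_flow(l) for l in SAMPLE_FLOWS.splitlines() if l.strip()]
    return find_leaks(flows, VPN_SERVER, VPN_STARTED)


if __name__ == "__main__":
    for leak in run_sample():
        f = leak.flow
        print(f"{leak.kind:12} {f.iface} -> {f.dst}:{f.dport} (opened {f.opened.time()})")
```

On the sample this reports two leaks: the pre-existing connection to 192.0.2.44 and the bypassing connection to 192.0.2.77. The multicast flow and the connection to the VPN endpoint itself are correctly left alone. Note that the "pre-existing" classification depends on knowing when the VPN came up; if you only have a capture and no activation timestamp, every off-tunnel flow collapses into "bypass", which is still the finding that matters.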
Among the apps and services that leaked data were:
- App Store
- Find My
Most or all of these applications handle extremely private information about iPhone users, ranging from health conditions to payment card transactions.
Mysk also found that Android behaves the same way with Google services, even with the system VPN settings that are supposed to prevent it.
“I know what you’re wondering, and the answer is YES. Android communicates with Google services outside of an active VPN connection, even with Always On and Block connections without VPN.”