Thursday, Aug 18, 2022, 17:58 iOS: Software

Security Experts – VPN Apps For iPhone & iPad Are Useless

Over two years ago, a vulnerability was discovered in iOS that compromises VPN connection security. The consequence: Data traffic wasn't completely encrypted, making it at least theoretically accessible and recordable by third parties. Of course, this creates a significant risk for iPhone or iPad users on unsecured Wi-Fi networks using a VPN tunnel to establish connections to private or company networks. However, these aren't the only situations in which danger lurks.

Horowitz – VPNs On iOS Remain Just As Vulnerable As Before
The well-known VPN provider ProtonVPN discovered the vulnerability in iOS 13.3.1 in March 2020. Data privacy and security expert Michael Horowitz has now renewed the discussion of the matter and found something surprising: Apple has yet to fix the vulnerability, which continues to represent a gaping hole in the security of iOS and iPadOS. He published the results of his tests in a long and rather detailed blog post on his website. Apple has known of the issue for quite some time and has yet to provide a remedy; the cause lies in the specific behavior of the operating systems on iPhone and iPad. When a VPN app establishes a tunnel, iOS and iPadOS fail to end currently active processes, so portions of the data traffic remain unencrypted under certain conditions.



Security Experts – VPN Apps Useless For iPhone & iPad
Horowitz used an iPad running iPadOS 15.6 and various VPN apps from third-party providers for his tests. According to the security expert, the traffic analysis showed the software running smoothly, as expected. However, the longer the VPN sessions were active, the more data was transferred outside the tunnel and was therefore unprotected. In his assessment, all iPhone and iPad VPN apps are essentially useless until Apple fixes the bug. Horowitz didn't test whether the VPN function found in Settings on iPhone and iPad is also affected by the error. Apple's iCloud Private Relay, introduced last year, was also not part of the analysis.
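
A router-side check for the behavior described above, as an added example that is not from the article or from Horowitz's blog post: it flags flows from the device that bypass the VPN endpoint after the tunnel is up and totals the leaked bytes per minute of session time. The flow-record layout, all addresses, and the tunnel-up timestamp are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since capture start
    src: str
    dst: str
    dport: int
    nbytes: int

# Constructed values (documentation address ranges), not taken from the article.
DEVICE = "192.168.1.50"
VPN_ENDPOINT = "203.0.113.10"
LAN = ip_network("192.168.1.0/24")
TUNNEL_UP = 10.0  # capture time at which the VPN app reported "connected"

SAMPLE_FLOWS = [
    Flow(5, DEVICE, "198.51.100.7", 443, 1200),         # opened before the tunnel
    Flow(12, DEVICE, VPN_ENDPOINT, 51820, 900),         # encrypted tunnel traffic
    Flow(20, DEVICE, "198.51.100.7", 443, 400),         # old connection still in use
    Flow(30, DEVICE, "224.0.0.251", 5353, 80),          # local multicast, ignored
    Flow(40, "192.168.1.77", "198.51.100.7", 443, 999), # a different device
    Flow(95, DEVICE, "198.51.100.20", 443, 700),
    Flow(100, DEVICE, "198.51.100.7", 443, 300),
]

def find_leaks(flows, device=DEVICE, vpn=VPN_ENDPOINT, up=TUNNEL_UP, lan=LAN):
    """Flows the device sent after tunnel-up that did not go to the VPN endpoint."""
    leaks = []
    for f in flows:
        if f.src != device or f.ts < up or f.dst == vpn:
            continue
        dst = ip_address(f.dst)
        # Assumption: same-segment and multicast traffic is not counted as a leak.
        if dst in lan or dst.is_multicast:
            continue
        leaks.append(f)
    return leaks

def leaked_bytes_per_window(leaks, up=TUNNEL_UP, window=60):
    """Bytes outside the tunnel, bucketed by elapsed session time."""
    totals = {}
    for f in leaks:
        idx = int((f.ts - up) // window)
        totals[idx] = totals.get(idx, 0) + f.nbytes
    return dict(sorted(totals.items()))

if __name__ == "__main__":
    print(leaked_bytes_per_window(find_leaks(SAMPLE_FLOWS)))
```
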
