VPNs on iOS are "broken" and Apple doesn't seem to be doing anything to fix it

Connecting to a VPN in iOS settings
(Image credit: Shutterstock)

A leading security expert and blogger has claimed iOS VPNs are failing to secure users' data inside the VPN tunnel. 

Data leaks have allegedly occured over the past two years, with Apple knowing about it but not acting to fix the bug on its latest iOS versions.  

This might come as a shock for users looking to protect their online privacy with one of the best iPhone VPN services.  

iOS VPN users at risk

"VPNs on iOS are broken," wrote Michael Horowitz in a blog post who has been updating since May 25. 

He ran a total of four tests from his iPad, every time changing iOS version (15.4.1, 15.5 and 15.6), VPN provider (he tried with ProtonVPN, OVPN and Windscribe), VPN protocol (IKEv2, WireGuard and OpenVPN) and server network.

Even though at first the VPNs all seem working, a deeper inspection revealed the same disappointing result: the software breached devices' IP address and other personal data. "Data leaves the iOS device outside of the VPN tunnel. This is not a classic/legacy DNS leak, it is a data leak," he concludes. 

Put it simply, iOS VPNs seem not to be able to kill existing sessions before establishing a secure connection. Exactly what you would expect from one of the most secure VPN services. 

Data leak

(Image credit: Shutterstock/dalebor)

Apple was aware of the bug since 2020

This vulnerability affecting iOS VPNs is sadly nothing new. Swiss-based security firm Proton first reported on it in 2020, claiming the data leak started at least in iOS 13.3.1. 

Now, two years later and a few iOS updates after, Apple appears not to have managed to fix this risky bug yet. 

At the time, Proton pointed out a few work-arounds to the problem. These are activating the Always-on VPN option - something that Proton suggests would not work on third-party apps - enabling the kill switch on your VPN app, and/or using the Airplane Mode to terminate all your existing connections.  

However, Horowitz suggests that neither the kill switch option nor the Airplane Mode trick were successful when he tried them out during his tests. 

"To date, roughly five weeks later, Apple has said virtually nothing to me," he wrote on July 3, suggesting that for the silicon valley giant it would be really easy to run the same test and investigate the matter.

"At this point, I see no reason to trust any VPN on iOS. My suggestion would be to make the VPN connection using VPN client software in a router, rather than on an iOS device." 

Chiara Castro
Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com