Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

iOS bug prevents VPN apps from encrypting all traffic

The vulnerability, disclosed by a ProtonVPN user, impacts all VPN services on recent versions of iOS

Last updated

An unpatched bug present in iOS 13.3.1 and later could keep a virtual private network (VPN) from fully encrypting all traffic, leaving data and IP addresses exposed.

VPNs work by routing your internet traffic through a secure tunnel, keeping your browsing activity both private and encrypted. Apple's mobile devices, like iPhone and iPad, have long supported both employer-issued VPNs and third-party options available on the App Store.

But a security vulnerability disclosed by ProtonVPN and shared with Bleeping Computer could keep VPNs on iOS and iPadOS from working properly, potentially leading to data leaks.

Impacted versions of iOS, including the latest iOS 13.4, fail to close existing internet connections when a user connects to a VPN. Typically, when opening a VPN, the OS terminates all previous connections and automatically reestablishes links to original destination servers through the VPN tunnel. That process is not occurring in recent versions of iOS.

Instead, iOS keeps some existing connections alive outside of the VPN tunnel, where data isn't encrypted. These connections, which can remain open for minutes or hours, could potentially reveal a user's location, leak their IP address, or expose them and the servers they're communicating with to attack.

Normally, those risks are fairly benign for the average user, but ProtonVPN explains that the people who rely on VPNs the most may be vulnerable to the direst consequences.

"Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common," the company writes.

ProtonVPN offers Apple's push notifications, whose connections to Apple's servers aren't terminated when connecting to a VPN, as an example. But the VPN maker notes that the bug can affect any app running on a user's device.

The bug cannot be fixed by a third-party VPN app, since Apple's tight sandboxing restrictions on iOS prevent them from terminating existing connections.

According to Bleeping Computer, Apple is aware of the issue and is currently working on mitigating it. While Apple recommends users enable Always-on VPN, that feature won't work for those who use third-party VPN apps.

Until Apple issues a fix, ProtonVPN recommends enabling and disabling Airplane Mode to manually kill connections after connecting to a VPN. The VPN maker warns that the workaround isn't 100% effective, however.

The VPN bypass vulnerability was first discovered in 2019 by a security researcher who is part of the Proton community. Along with ProtonVPN, Swiss-based security company Proton is well-known for their privacy-focused email client, ProtonMail.



15 Comments

FileMakerFeller 6 Years · 1561 comments

And yet sometimes you want to keep the established connections intact and use the VPN only for a single task (like, say, checking work email that is normally hidden behind a firewall). I'm not the only one who dreams of being able to route traffic from a subset of apps through a different network interface; currently the options are to use a VM or have devices managed via MDM. I wouldn't necessarily classify this as a bug.

pulseimages 8 Years · 656 comments

I always keep my VPN on, nice to know it’s only kind of working. 

uroshnor 13 Years · 99 comments

This is only true for some kinds of VPN configuration (and its been around forever). If you set up with per-app VPN or the whole device always on VPN, this doesn't apply - in both of those cases if the VPN isn't up, the device thinks there's no network. Its only manual/on-demand configurations where its an issue.

cgWerks 8 Years · 2947 comments

And yet sometimes you want to keep the established connections intact and use the VPN only for a single task (like, say, checking work email that is normally hidden behind a firewall). I'm not the only one who dreams of being able to route traffic from a subset of apps through a different network interface; currently the options are to use a VM or have devices managed via MDM. I wouldn't necessarily classify this as a bug.

Yeah, it would be nice to be able to choose which way the VPN should work. If all the data is going over the VPN, I would think for people in danger could be more easily identified.

The other thing I don't like is that while you're trying to establish a VPN connection, your device has already probably communicated with all your major accounts over the unsecured network (ie. coffee shop, airport, etc.).

godofbiscuits 10 Years · 249 comments

I always keep my VPN on, nice to know it’s only kind of working. 

If you read the article you’d see that if you actually do keep it on all the time, you wouldn’t actually be affected.