This VPN can leak your data on iOS devices and Apple has known it for years
VPNs initially assign a new IP address to the device outside of its cellular or Wi-Fi connection. However, the iOS device somehow seems unaware that the VPN is active over time. It starts letting data leak through non-VPN connections. This is a big deal, especially for security conscious people. VPNs are touted as a method to increase privacy by routing your internet traffic through a trusted third party. The fact that it stops working properly over time – and that Apple has allegedly been aware of the issue since 2020 – is not good.
Horowitz explains in detail in his blog how he decided to test and verify several VPN providers. He points out that there are some VPN options that use a feature known as split-tunneling. This happens when traffic is shared over VPN and non-VPN connections to improve speeds and reliability. Naturally, this is not a safe way to use VPNs because you won’t be routing all traffic through the VPN. He also points out that his colleague Matt Volante discovered that iOS Exchange ActiveSync simply ignores the VPN connection. He prefers to switch directly to using a cellular data connection without using the VPN tunnel.
For years, Apple has tried to market its devices as the “safest”, but its claims are “shady” at best. For example, a Macintosh ad from the 2000s tried to convince people of the bold claim that computers simply don’t catch viruses. Obviously, anyone who understands how computers work, even at the most basic levels, knows that this is simply wrong for any computing device.
So far, there has been no confirmation as to whether or not ProtonVPN has followed Apple after its last update in October 2020. iOS has moved from major version 14 to major version 15 since the problem has been reported. According to Horowitz, the issue still occurs even on iOS version 15.6. Horowitz provides something of a security toolkit tips page called his Defensive IT Checklist. This is a pretty comprehensive list of best practices and tools to use or avoid. This is a great set of information to keep in mind for anyone using the internet today and we highly recommend adding it to your reading checklist for internet security best practices.
There hasn’t been any sort of update or recommendation from Apple yet. Hopefully the increased visibility of the issue will prompt them to make an update or statement in the future. We may also receive an update from Proton, as this is a primary source that initially confirmed the issue.