While Apple has built a credible stance regarding users’ privacy, a bug has recently made shown otherwise. As discovered, an unpatched vulnerability existed in recent iOS versions that stopped VPNs from entire traffic encryption. Hence, it triggered the possibilities of IP and information leak of those using VPNs.

iOS Vulnerability Stops VPN Encryption

Reportedly, ProtonVPN has recently disclosed a yet unpatched vulnerability in iOS halting traffic encryption by VPNs. Elaborating their findings in an advisory, they stated that the bug affected iOS 13 versions, specifically, iOS 13.3.1 and later. The bug existed because the said iOS versions do not stop existing internet connections on the device after connecting to a VPN. Ideally, the device operating system closes all existing connections as soon as a VPN connection gets established. Even after connecting to a VPN on vulnerable devices, the existing connections may continue outside the VPN for a brief period. Such connections may leak details about the users’ (if not encrypted otherwise), such as IP leaks.

Recommended Mitigations Until There is a fix

For now, the problem persists on all vulnerable iOS devices and will continue to exist unless Apple release a fix. This is because iOS does not allow VPNs to kill any existing connections. Nonetheless, researchers recommend a way to mitigate this issue. That is to simply turn on Airplane mode on the device to kill all existing connections. Then, the user may connect to the VPN, and then turn off Airplane mode. This will let the subsequent connections to establish via a VPN. Apple advises adjusting the VPN settings to ‘Always-On’ to avoid this issue. However, this may not work for third-party VPN apps since it requires the use of device management.