
Another critical flaw in iOS 16's VPN implementation has been discovered

In May, a security expert discovered that iPhone VPN apps were leaking users' data and claimed that Apple was doing nothing to fix the issue.

Just a few months later, a new major bug in VPN apps for iOS has been discovered. This situation poses a genuine threat to the confidentiality of some individuals' most private data.

Recently, another specialist found that a number of Apple apps, including Health and Wallet, leak users' private information by communicating it outside of a secure VPN connection.

Unfortunately, the fault does not lie with the top VPN services; it is not something they can fix on their own.

We can attest that iOS 16 does, in fact, interact with Apple's services outside of a secure VPN connection. Moreover, DNS requests are being leaked, as developer and security researcher Tommy Mysk tweeted on October 12th.

Using a virtual private network (VPN) should encrypt your data and route it through a different country's server before it reaches its final destination. This information transmission should be secure from intrusion by your Internet service provider or any other parties. You can also browse the web without worrying that your true IP address or location will be revealed to the sites you visit.

Mysk ran a handful of tests on iOS 16 while connected to Proton VPN and capturing the device's traffic with Wireshark. His team's discovery that many Apple apps bypass the VPN tunnel and instead communicate with Apple servers directly came as a shock.
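As an added illustration of the kind of check Mysk's Wireshark tests perform, here is a small Python leak checker. It is example code written for this page, not code from the article or from Mysk's team. It parses a constructed, tshark-style connection log and flags two things the article describes: flows that leave the device on the physical interface while a VPN tunnel is up, and DNS queries sent anywhere other than the VPN's resolver. The tunnel interface name `utun0`, the resolver `10.8.0.1`, the VPN endpoint `203.0.113.10`, the app names and every address in the log are assumptions or constructed sample values.

```python
"""VPN bypass / DNS leak checker over a constructed connection log.

Added example, not from the article. The interface name, resolver address,
VPN endpoint and every flow below are hypothetical sample values.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPN_IFACE = "utun0"                          # hypothetical tunnel interface
VPN_DNS = ip_address("10.8.0.1")             # hypothetical VPN-pushed resolver
VPN_SERVER = ip_network("203.0.113.10/32")   # hypothetical VPN endpoint (TEST-NET-3)
# Traffic that may legitimately stay on the physical interface: the LAN itself.
LOCAL_ONLY = [
    ip_network("192.168.0.0/16"),
    ip_network("10.0.0.0/8"),
    ip_network("169.254.0.0/16"),
]

# Constructed sample log. Columns: iface src dst proto dport app
SAMPLE_LOG = """\
# iface  src           dst             proto dport app
utun0  10.8.0.5      93.184.216.34   tcp   443   Safari
en0    192.168.1.23  203.0.113.10    udp   51820 ProtonVPN
utun0  10.8.0.5      10.8.0.1        udp   53    Safari
en0    192.168.1.23  198.51.100.7    tcp   443   Health
en0    192.168.1.23  192.168.1.1     udp   53    Maps
en0    192.168.1.23  192.168.1.50    tcp   62078 Finder
"""


@dataclass(frozen=True)
class Flow:
    iface: str
    src: str
    dst: str
    proto: str
    dport: int
    app: str


def parse_log(text: str) -> list[Flow]:
    """Parse whitespace-separated flow records; blank and '#' lines are skipped."""
    flows: list[Flow] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        iface, src, dst, proto, dport, app = line.split()
        flows.append(Flow(iface, src, dst, proto, int(dport), app))
    return flows


def classify(flow: Flow) -> str:
    """Return 'ok', 'bypass' (left the tunnel) or 'dns_leak' (DNS not via VPN resolver)."""
    dst = ip_address(flow.dst)
    is_dns = flow.dport == 53
    if flow.iface == VPN_IFACE:
        # Inside the tunnel: only DNS to a non-VPN resolver is a problem.
        return "dns_leak" if is_dns and dst != VPN_DNS else "ok"
    if dst in VPN_SERVER:
        return "ok"            # the tunnel's own outer connection
    if is_dns:
        return "dns_leak"      # DNS on the physical interface, e.g. to the LAN router
    if any(dst in net for net in LOCAL_ONLY):
        return "ok"            # local LAN traffic stays local by design
    return "bypass"            # Internet-bound traffic that skipped the tunnel


def find_leaks(text: str) -> dict[str, list[Flow]]:
    """Group the leaking flows of a log by verdict."""
    report: dict[str, list[Flow]] = {"bypass": [], "dns_leak": []}
    for flow in parse_log(text):
        verdict = classify(flow)
        if verdict in report:
            report[verdict].append(flow)
    return report


if __name__ == "__main__":
    for verdict, flows in find_leaks(SAMPLE_LOG).items():
        for f in flows:
            print(f"{verdict:9} {f.app:10} {f.iface} -> {f.dst}:{f.dport}/{f.proto}")
```

On a real device the input would come from a capture rather than an embedded string; what matters is that each record carries the interface a packet left on, its destination and its port, since the decision rules key on exactly those fields. The sample log produces one `bypass` verdict (the constructed `Health` flow on `en0`) and one `dns_leak` (the constructed `Maps` query to the LAN router), while the VPN's own UDP session and LAN traffic are left alone.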

The very applications that store and manage the most sensitive and private information are the ones leaking it. The list includes Health, Wallet, the Apple Store, Clips, Files, Find My, Maps and Settings.

When asked about the motivations behind this flaw, Mysk seems to assume that Apple does it on purpose.

"The iPhone's Find My and Push Notifications features, for example, need to maintain a constant connection to Apple's servers. There should be no problem, however, with tunneling this traffic through the VPN connection." He told 9to5Mac that the traffic is encrypted regardless and that they were surprised by the extent of the leak.

Those who use Apple products are not the only ones putting their personal information at risk, as Mysk's tests show.

Is Android affected too? That's a good question, and the short answer is yes. Even with Always-on and Block Connections without VPN enabled, Android will still make connections to Google services that are not encrypted.

We reported a few days ago on findings from a security audit conducted by Mullvad VPN, which found that Android devices are secretly undermining VPN services.

In this scenario, Android leaks user information outside the VPN when it runs its network connectivity checks over unsecured Wi-Fi.

Although the VPN provider pushed for a way to disable these checks while the service was active, Google, as a major tech company, saw no reason to add one. That is why Mullvad is now lobbying to have the VPN features it describes as "misleading" changed.