No Patch for VPN Bypass Flaw Discovered in iOS

Proton Technologies, the company behind the privacy-focused ProtonMail and ProtonVPN services, this week disclosed the existence of a vulnerability in Apple’s iOS mobile operating system that prevents VPN applications from encrypting all traffic.


The flaw was discovered by a member of the Proton community in iOS 13.3.1, but Apple has yet to release a patch and the issue impacts even the latest version, 13.4.


Apple is reportedly working on a fix, but Proton says it has disclosed the bug because it believes its community and other VPN service providers should be aware of its existence.


When a VPN is used, the device’s operating system should close all existing internet connections and reestablish them through a VPN tunnel to protect the user’s data and privacy. However, iOS apparently fails to close existing connections, which results in traffic remaining unprotected.


“Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel,” Proton explained in a blog post.


“One prominent example is Apple’s push notification service, which maintains a long-running connection between the device and Apple’s servers. But the problem could impact any app or service, such as instant messaging applications or web beacons,” it added.
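A check a defender can run against this behaviour, as an added example that is not from Proton or the original article: given packets observed on the local network rather than on the device, it reports remote endpoints the device is still reaching directly after the VPN came up. The addresses, ports, and the `Packet` and `find_leaks` names are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since capture start
    src: str
    dst: str
    dport: int

def find_leaks(packets, device_ip, local_net, vpn_server, vpn_up_at):
    """Group the device's outbound packets by remote endpoint and return
    those still seen outside the tunnel after the VPN came up."""
    lan = ip_network(local_net)
    seen = defaultdict(list)
    for p in packets:
        if p.src != device_ip or p.dst == vpn_server:
            continue                      # inbound, or tunnel traffic itself
        if ip_address(p.dst) in lan:
            continue                      # LAN traffic is not expected in the tunnel
        seen[(p.dst, p.dport)].append(p.ts)

    leaks = []
    for (dst, dport), times in sorted(seen.items()):
        after = [t for t in times if t > vpn_up_at]
        if after:
            leaks.append({
                "remote": f"{dst}:{dport}",
                # True when the connection existed before the VPN was enabled
                "predates_vpn": min(times) <= vpn_up_at,
                "exposed_for_s": max(after) - vpn_up_at,
            })
    return leaks

# Constructed capture summary, not real traffic (assumed VPN up at t=10.0).
SAMPLE = [
    Packet(1.0, "192.168.1.23", "198.51.100.7", 5223),    # long-lived connection
    Packet(2.0, "192.168.1.23", "198.51.100.80", 443),    # short-lived request
    Packet(3.0, "192.168.1.23", "192.168.1.1", 53),       # LAN DNS
    Packet(10.5, "192.168.1.23", "203.0.113.10", 51820),  # tunnel packets
    Packet(40.0, "192.168.1.23", "198.51.100.7", 5223),   # still outside tunnel
    Packet(300.0, "192.168.1.23", "198.51.100.7", 5223),
    Packet(301.0, "192.168.1.23", "203.0.113.10", 51820),
]

if __name__ == "__main__":
    print(find_leaks(SAMPLE, "192.168.1.23", "192.168.1.0/24", "203.0.113.10", 10.0))
```

Any endpoint reported with `predates_vpn` set is a connection that was opened before the tunnel and never moved into it, which is the case the article describes.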


While this can expose users’ traffic if their connection is not made over HTTPS, unprotected connections are increasingly rare. However, the bigger problem is that the user’s IP address and the IP of the server they are connecting to remain exposed, and the server will see the user’s real IP instead of the V ..
