August 19, 2022: Apple responded to me yesterday.
Strange timing, in that it happened just after this issue got some publicity. Very reminiscent of how Facebook responded
just after their bad publicity having to do with leaking abortion messages.
The Apple response started with "The behavior you are seeing is expected." Take a second to let that sink in. I did not know how right I was when picking a title for this page - VPNs on iOS are indeed a scam.
Should it work this way is the real question. I think not and at least three VPN providers also feel this way.
Then too, Apple could have said this in May or June or July or earlier this month. This blog posting has been public the whole time.
Apple also said that the Always On VPN feature of MDM offers a fix. Mobile Device Management is over my head. It is used by large corporations to manage hundreds or thousands of iOS devices. That's pretty much everything I know about it. According to Apple, MDM lets the corporate IT techies force all data leaving an iOS device to go to the company. But, MDM is is not available to consumers.
Finally, Apple mentioned an API option that was introduced in iOS version 14 and pointed me to developer documentation at developer.apple.com. I am not an iOS developer, so I am not qualified to offer an opinion on this. Still, I can summarize.
- The new option is on/off flag that indicates whether iOS sends all data through the VPN tunnel, or not. So, clearly iOS 13 and earlier were the Wild Wild West for VPNs. When both ProtonVPN and Mullvad blogged about VPNs leaking, they were referring to iOS version 13.
- The flag is OFF by default. Interesting choice for a company that sells their stuff based on security and privacy.
- If the flag is ON, and the VPN connection dies, iOS drops all network traffic. A built in kill switch. Sounds great.
Apple suggested we ask our VPN providers if they are using this flag.
The flag is documented in a section on the NEVPNProtocol which is described as having settings common to both IKEv2 and IPsec VPN configurations.This begs the question: What about OpenVPN? What about WireGuard? I asked Apple this today.
For some perspective, this is what ProtonVPN
wrote about iOS version 14 in October 2020: "Although Apple has not fixed the VPN bypass problem directly on iOS 14..." That's interesting. Apple says the issue is fixed in iOS 14, Proton says it is not. Proton went on to say that iOS 14 has a Kill Switch, but they did not provide details, so its not clear if they are referring to the flag that Apple mentioned yesterday. However, at the time, they expected that the Kill Switch would block existing connections when a VPN was enabled.
- - - - - - - - - - - - -
Another development yesterday was that Proton updated their
blog posting, the one that first went up in March 2020:
" Recent testing has shown that while the kill switch capability Apple provided to developers with iOS 14 does in fact block additional network traffic, certain DNS queries from Apple services can still be sent from outside the VPN connection. "
So, this complicates things a bit. It raises the question of whether the data leaking out of the VPN tunnel is from new connections to the outside world or whether it is left over from old connections that were initially made before the VPN tunnel was created. I don't know that anyone looking at router logs can tell.
It is not clear, to me at least, if they did some additional tests of their own, or whether they are referring to my testing. That they only refer to DNS makes me think they did their own testing.
Proton also said:
"We've raised this issue with Apple multiple times. Unfortunately, its fixes have been problematic. Apple has stated that their traffic being VPN-exempt is 'expected' ... We call on Apple to make a fully secure online experience accessible to everyone, not just those who enroll in a proprietary remote device management framework designed for enterprises."
I hope to do another test, one that logs every domain access outside the VPN tunnel. Curious what that will show.