In a blog post titled “VPNs on iOS are a scam,” a well-known security researcher accuses VPNs installed on an iPhone or iPad of leaking data while Apple turns a blind eye. In the post, first published in May 2022 and updated regularly since with new findings, Michael Horowitz says he confirmed the leaks with multiple types of VPN and with client software from multiple VPN providers. His most recent tests were on an iPhone running iOS 15.6.
A VPN (Virtual Private Network) establishes an encrypted connection between a device and the internet, a private tunnel through which all of the device’s traffic is supposed to travel. For that to hold, every session and connection that was open before the VPN was activated has to be terminated, so that it is re-established inside the tunnel. Horowitz found that iOS does not do this by default: connections that predate the VPN stay open and keep sending data outside it.
Horowitz also looked for an iOS VPN client that offers an option called “Kill TCP sockets after connection,” which would close those pre-existing connections. As he writes, “I checked a handful of iOS VPN clients for other VPN providers and found none with an option about terminating existing connections/sockets when establishing the VPN tunnel.”
The central complaint is that people install a VPN to protect their data, and if data leaves the device without passing through the tunnel, the VPN is not doing its job. Horowitz concedes that the problem may lie with iOS rather than with the VPN clients.
However, Apple has yet to address the issue, at least not publicly, and it has been two years since it was first raised. In March 2020, ProtonVPN reported what appears to be the same bug leaking VPN data in iOS 13 and 14. At the time, John Dunn of Sophos wrote that a patch “might not appear for weeks.” It has turned out to be rather longer than that.
Until Apple responds, Horowitz suggests running the VPN client on a router rather than on the iOS device itself, so that the tunnel is established before the device’s connections exist.
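The leak described above can be checked from outside the phone, the way Horowitz did, by watching the device’s traffic at the router. The following is an added example, not code from the article or from any VPN vendor: it reads constructed flow-log lines in a hypothetical “first_seen last_seen src dst dport proto” column layout (no real router writes exactly this), takes the first flow to the VPN server as the moment the tunnel came up, and separates connections that were opened before that moment and kept carrying traffic afterwards (the persistent-connection leak) from connections opened after it that still bypass the tunnel. The device IP 192.168.1.20, the VPN endpoint 203.0.113.5:51820/udp and all destination addresses are assumptions chosen for the sample.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address


@dataclass(frozen=True)
class Flow:
    """One connection as a router's flow log records it (hypothetical layout)."""
    first_seen: datetime
    last_seen: datetime
    src: str
    dst: str
    dport: int
    proto: str


# Constructed sample log lines, not captured data. The device under test is
# 192.168.1.20; the assumed VPN server is 203.0.113.5 on UDP 51820, and the
# tunnel comes up at 10:01:00.
SAMPLE_LOG = """\
# first_seen           last_seen             src           dst            dport proto
2022-08-01T10:00:05  2022-08-01T10:00:40  192.168.1.20  17.253.144.10  443   tcp
2022-08-01T10:00:07  2022-08-01T10:06:15  192.168.1.20  142.250.80.46  443   tcp
2022-08-01T10:00:30  2022-08-01T10:00:31  192.168.1.30  93.184.216.34  443   tcp
2022-08-01T10:01:00  2022-08-01T10:10:00  192.168.1.20  203.0.113.5    51820 udp
2022-08-01T10:02:30  2022-08-01T10:02:45  192.168.1.20  104.16.0.1     443   tcp
2022-08-01T10:03:00  2022-08-01T10:03:01  192.168.1.20  192.168.1.1    53    udp
"""

DEVICE_IP = "192.168.1.20"                 # assumption: the iPhone's LAN address
VPN_ENDPOINT = ("203.0.113.5", 51820, "udp")  # assumption: the VPN server


def parse_flows(text):
    """Parse the hypothetical flow-log layout into Flow records."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first, last, src, dst, dport, proto = line.split()
        flows.append(Flow(datetime.fromisoformat(first),
                          datetime.fromisoformat(last),
                          src, dst, int(dport), proto.lower()))
    return flows


def vpn_activation_time(flows, vpn_endpoint=VPN_ENDPOINT):
    """The tunnel is taken to come up when the first flow to the VPN server starts."""
    starts = [f.first_seen for f in flows
              if (f.dst, f.dport, f.proto) == vpn_endpoint]
    return min(starts) if starts else None


def classify_flows(flows, device_ip=DEVICE_IP, vpn_endpoint=VPN_ENDPOINT):
    """Bucket the device's flows relative to the moment the tunnel came up.

    leak_persistent: opened before the VPN and still carrying traffic after it,
                     the behaviour Horowitz describes (iOS leaves these sockets open).
    leak_new:        opened after the VPN yet sent outside it, which points at a
                     routing problem rather than the persistent-connection issue.
    """
    t0 = vpn_activation_time(flows, vpn_endpoint)
    buckets = {"tunnel": [], "pre_vpn_closed": [], "leak_persistent": [],
               "leak_new": [], "no_vpn": []}
    for f in flows:
        if f.src != device_ip:
            continue                                  # some other host on the LAN
        if (f.dst, f.dport, f.proto) == vpn_endpoint:
            buckets["tunnel"].append(f)               # encrypted tunnel traffic
        elif ip_address(f.dst).is_private:
            continue                                  # LAN traffic, never leaves the router
        elif t0 is None:
            buckets["no_vpn"].append(f)               # no tunnel was ever established
        elif f.last_seen <= t0:
            buckets["pre_vpn_closed"].append(f)       # finished before the VPN, expected
        elif f.first_seen < t0:
            buckets["leak_persistent"].append(f)      # survived VPN activation
        else:
            buckets["leak_new"].append(f)             # bypassed the tunnel outright
    return buckets


if __name__ == "__main__":
    report = classify_flows(parse_flows(SAMPLE_LOG))
    for bucket, flows in report.items():
        for f in flows:
            print(f"{bucket:16} {f.dst}:{f.dport}/{f.proto} "
                  f"{f.first_seen.time()}-{f.last_seen.time()}")
```

On the sample data the flow to 142.250.80.46 is the one Horowitz’s post is about: it was opened before the tunnel existed and was still exchanging packets five minutes later, directly from the device’s LAN address. A client that honoured a “kill TCP sockets after connection” option would make that bucket empty; the “leak_new” bucket catches the separate case of traffic the VPN never routed at all.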
The VPN companies’ response
We have reached out to several VPN developers for comment.
Nord, which claims its team is exploring options via which they “can make the situation better,” had the following to say: “Apple maintains isolated persistent connection mechanisms, which are not accessible from the app space environment. That means that developers have a very limited (if any) ability to change them.
“That said, the statement that VPN on iOS is useless is a bit bold. After a VPN connection is established, each new HTTP session will be encrypted and routed through a VPN tunnel. At the same time, all persistent connections are encrypted by Apple itself. So while it is very disappointing that Apple chose to ignore the industry’s calls for years, VPN services can still provide certain additional privacy and security benefits for iOS.”
Surfshark, meanwhile, sent us this statement:
“Surfshark is a trusted cybersecurity company. Ensuring our products’ security and customers’ privacy is our core goal.
“Our team is looking into all the options to mitigate any risks identified by security researchers. That being said, Apple has an isolated network environment, and because of that, external developers have little ability to fix vulnerabilities in third-party software. Nevertheless, Surfshark’s VPN encrypts each new HTTP session; thus, we can ensure maximum safety from our side.
“Additionally, Apple devices have encryption features to safeguard user data. Also, to avoid any leaking possibilities due to third-party software or operating systems, such as iOS, we always recommend setting up the VPN directly on your router.”