Proton Technologies, the company behind the privacy-focused ProtonMail and ProtonVPN services, this week disclosed the existence of a vulnerability in Apple’s iOS mobile operating system that prevents VPN applications from encrypting all traffic.
The flaw was discovered by a member of the Proton community in iOS 13.3.1, but Apple has yet to release a patch and the issue impacts even the latest version, 13.4.
Apple is reportedly working on a fix, but Proton says it has disclosed the bug because it believes its community and other VPN services providers should be aware of its existence.
When a VPN is used, the device’s operating system should close all existing internet connections and reestablish them through a VPN tunnel to protect the user’s data and privacy. However, iOS apparently fails to close existing connections, which results in traffic remaining unprotected.
“Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel,” Proton explained in a blog post.
“One prominent example is Apple’s push notification service, which maintains a long-running connection between the device and Apple’s servers. But the problem could impact any app or service, such as instant messaging applications or web beacons,” it added.
While this can expose the content of users’ traffic if a connection is not made over HTTPS, such unencrypted connections are increasingly rare. The bigger problem is that the user’s IP address and the IP of the server they are connecting to remain exposed, and the server will see the user’s real IP instead of the VPN server’s IP.
“Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common,” Proton explained.
The company pointed out that new internet connections will connect through the VPN tunnel, but connections that are running when the user connects to the VPN server will remain outside the tunnel.
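The behaviour described above can be checked for from a defender’s side by comparing a device’s connection table against the moment the tunnel interface came up: any connection that predates the VPN activation and is still bound to the physical interface is exactly the kind of long-lived connection Proton describes. The following Python script is an added example, not code from Proton, SecurityWeek or Apple; the connection records, process names, interface names (en0, utun2) and timestamps are constructed sample data, and the tunnel interface name and VPN activation time are assumptions.

```python
"""Find long-lived connections that predate VPN activation and still bypass the tunnel.

Added example (not from the article or Proton). It models the failure mode the
article describes: connections opened before the VPN came up keep running on the
physical interface, while connections opened afterwards go through the tunnel.
All records below are constructed sample data, not output of any real iOS tool.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass(frozen=True)
class Connection:
    process: str          # owning process (constructed)
    remote: str           # remote host:port
    iface: str            # interface the socket is bound to
    established: datetime  # when the connection was opened


# Constructed connection table: "process remote iface established(ISO-8601)".
SAMPLE_TABLE = """\
apsd       17.57.144.10:5223   en0    2020-03-26T08:00:12
messenger  203.0.113.7:443     en0    2020-03-26T08:05:40
safari     198.51.100.3:443    utun2  2020-03-26T08:31:05
mail       192.0.2.20:993      utun2  2020-03-26T08:31:20
"""

VPN_IFACE = "utun2"  # assumed name of the VPN tunnel interface
VPN_UP_AT = datetime.fromisoformat("2020-03-26T08:30:00")  # assumed tunnel activation time
NOW = datetime.fromisoformat("2020-03-26T09:15:00")        # constructed observation time


def parse_table(text: str) -> List[Connection]:
    """Parse the whitespace-separated sample table into Connection records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proc, remote, iface, ts = line.split()
        conns.append(Connection(proc, remote, iface, datetime.fromisoformat(ts)))
    return conns


def bypassing_connections(conns, vpn_iface, vpn_up_at):
    """Connections opened before the tunnel came up that still use a non-tunnel interface.

    This is the case the article describes: iOS did not close them, so they keep
    talking to their server with the device's real IP.
    """
    return [c for c in conns if c.iface != vpn_iface and c.established < vpn_up_at]


def post_vpn_leaks(conns, vpn_iface, vpn_up_at):
    """Connections opened after the tunnel came up but not routed through it.

    The article says new connections do go through the tunnel, so this list should
    be empty; anything here would indicate a different, more serious routing problem.
    """
    return [c for c in conns if c.iface != vpn_iface and c.established >= vpn_up_at]


def exposure_report(conns, vpn_iface, vpn_up_at, now):
    """One line per bypassing connection, with how long it has run outside the tunnel."""
    minutes_outside = int((now - vpn_up_at).total_seconds() // 60)
    return [
        f"{c.process} -> {c.remote} via {c.iface}: "
        f"outside tunnel for {minutes_outside} min since VPN activation"
        for c in bypassing_connections(conns, vpn_iface, vpn_up_at)
    ]


if __name__ == "__main__":
    connections = parse_table(SAMPLE_TABLE)
    for line in exposure_report(connections, VPN_IFACE, VPN_UP_AT, NOW):
        print(line)
    if not post_vpn_leaks(connections, VPN_IFACE, VPN_UP_AT):
        print("no connections opened after VPN activation bypass the tunnel")
```

Run as-is, the report flags the push-notification daemon and the messaging app, both opened before the tunnel came up and still on en0, while the two connections opened afterwards are correctly on the tunnel interface. The same split is what a user would expect to see collapse to zero after the airplane-mode workaround, since that forces every connection to be re-established after the tunnel is up.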
This VPN bypass vulnerability does not have a CVE identifier, but it has been assigned a CVSS score of 5.2, which puts it in the medium severity category.
Until Apple releases a patch, Proton has proposed a workaround, which involves enabling airplane mode on the device — this will kill all internet connections — after connecting to a ProtonVPN server. Once airplane mode is turned off, the device should reconnect to the VPN server and all traffic should be protected.
Apple also recommends use of its Always-on VPN feature, which forces applications to connect only through a VPN. However, this feature is only available to organizations — it requires the use of a device management service — and it only works with certain types of VPNs.
SecurityWeek has reached out to Apple for comment and will update this article if the company responds.