Security researcher and iOS developer duo Mysk revealed on Monday that Apple’s iOS 16.1 allows certain apps to bypass virtual private network (VPN) tunnels.
Earlier this month, Mysk said iOS 16 exchanges data with Apple services outside active VPN networks and leaks DNS requests. Following the release of iOS 16.1, the duo ran tests and found that the update had exacerbated the issue.
“Now push notifications also bypass the VPN in the standard mode. The Lockdown Mode is the same,” Mysk wrote on Twitter. Push notifications are alerts that pop up on your phone, displaying updates from apps like email and social media.
Thankfully, it appears only Apple services can bypass a VPN connection. These Apple services include the Apple Store, Health, Maps, Wallet, and more.
Data Leaks Outside of VPN Tunnels
On October 12, the Mysk team found that Apple’s iOS 16, which comes with enhanced security features like Lockdown Mode, leaked traffic outside an active VPN tunnel. Lockdown Mode is designed to protect journalists, activists, and high-profile figures from cybercriminal malware such as Pegasus.
Technically, the leak means Apple services can send DNS queries outside of a user’s VPN connection, exposing the user’s real IP address and other data.
“iOS allows DNS requests to escape the VPN tunnel. This is bad!” the researchers noted in a video.
Mysk researchers used ProtonVPN and Wireshark to demonstrate that iOS 16 devices can leak data outside a VPN connection. Wireshark is free traffic-capture software that can display and record all connections going in and out of a device connected to the internet.
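The check behind such a capture, as an added example (not Mysk's or ProtonVPN's code): with the VPN connected, every packet the device sends on the physical link should be addressed to the VPN server, so anything else went outside the tunnel. The CSV rows, IP addresses, ports and function names below are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample: rows as they might be exported from a capture taken on
# the physical link (not the tunnel interface) while the VPN is connected.
# All addresses are private or documentation ranges chosen for illustration.
SAMPLE_CAPTURE = """src,dst,proto,dport
192.168.1.23,203.0.113.10,udp,51820
192.168.1.23,192.168.1.1,udp,53
192.168.1.23,224.0.0.251,udp,5353
192.168.1.23,198.51.100.7,tcp,443
192.168.1.23,203.0.113.10,udp,51820
192.168.1.23,198.51.100.20,tcp,5223
192.168.1.1,192.168.1.23,udp,53
"""

def find_leaks(capture_csv, device_ip, vpn_server_ip):
    """Return (kind, dst, proto, dport) for each packet the device sent
    outside the tunnel."""
    device = ipaddress.ip_address(device_ip)
    vpn = ipaddress.ip_address(vpn_server_ip)
    leaks = []
    for row in csv.DictReader(io.StringIO(capture_csv)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if src != device:
            continue  # only outbound packets from the device under test
        if dst == vpn:
            continue  # encapsulated tunnel traffic, expected
        if dst.is_multicast or dst.is_link_local or str(dst) == "255.255.255.255":
            continue  # local discovery traffic (mDNS, DHCP) is never tunnelled
        dport = int(row["dport"])
        # Port 53 to any resolver, including the LAN router, is plain-text DNS.
        kind = "dns" if dport == 53 else "other"
        leaks.append((kind, str(dst), row["proto"], dport))
    return leaks

def summarize(leaks):
    """Count leaked packets per kind ('dns' or 'other')."""
    return Counter(kind for kind, *_ in leaks)

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_CAPTURE, "192.168.1.23", "203.0.113.10"):
        print(leak)
```

The capture has to come from the physical interface or an upstream device such as the router, because a capture on the tunnel interface shows only the traffic that was correctly routed through the VPN.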
“Most of these connections are short-lived and eventually re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel. But if you use Proton VPN while connected to public WiFi, your sensitive traffic still cannot be monitored,” ProtonVPN explained in a blog post.
ProtonVPN said it has raised this issue repeatedly to Apple, but the company said it is to be “expected.”
“We call on Apple to make a fully secure online experience accessible to everyone, not just those who enroll in a proprietary remote device management framework designed for enterprises,” Proton wrote.
It is unclear if this issue will be addressed in Apple’s upcoming iOS 16.2 update, which is currently in beta testing.
Android Also Leaks Data
This VPN bypass vulnerability is not exclusive to Apple’s devices. Mysk researchers said Android devices also send data to Google services outside of a VPN tunnel. This happens even when users toggle “Always on” and “Block Connections without VPN.”
Earlier this month, Swedish VPN provider Mullvad VPN revealed that Android leaks information outside a VPN tunnel. The leaked data include IP addresses, HTTPS traffic, and DNS lookups.
In tests with Wireshark, Mysk found that their public IP address, which a VPN should obfuscate, was exposed on Android. Your public IP address can reveal your location.
The fact that Android and iOS devices leak data outside of a VPN tunnel is cause for concern, as plain-text DNS requests are susceptible to interception. However, it is unlikely a hacker would attempt to de-anonymize this information unless you are a high-value target.
VPNs do not leak browsing information or expose your credentials. However, your internet service provider or a third party could gain access to DNS query information in transit, which is a privacy concern.