An unpatched bug in iOS 13 prevents VPNs from encrypting all traffic. As a result, some internet connections bypass VPN protection, which can expose data or leak IP addresses, as reported by Proton VPN.
A vulnerability in iOS was discovered last year that causes connections to bypass VPN encryption. This bug affects all VPNs. Having informed Apple, we are now sharing details for your safety. https://t.co/78v3Brispm
— ProtonVPN (@ProtonVPN) March 25, 2020
iOS VPN Security Bypass Vulnerability
While connections made after starting a VPN on your iOS device are unaffected by this flaw, all previously established connections can be affected. ProtonVPN says that the iOS 13 bug leaves those earlier connections outside the VPN's secure tunnel.
The bug arises because iOS fails to terminate existing internet connections when a user connects to a VPN. Typically, when a VPN is engaged, the system terminates previous connections and automatically reconnects to the original servers once the VPN tunnel is established. This process does not work in iOS 13.3.1 and later versions, which are therefore susceptible to the bug.
ProtonVPN notes that most connections are short-lived and eventually re-establish inside the VPN tunnel on their own. Long-lived connections, however, may remain exposed outside the VPN tunnel for minutes to hours.
Such unencrypted connections can reveal a user’s location or IP address, or expose the user and the servers they communicate with to potential breaches.
While these risks may not cause significant harm to general users, people who rely on VPNs for sensitive activities are at greater risk from the consequences.
Neither ProtonVPN nor any other VPN service can devise a workaround for this issue as iOS doesn’t allow a VPN app to terminate current network connections.
Apple is aware of this issue and is working on a fix, but a patch has not yet been released. In the interim, a stopgap measure for this iOS VPN security bypass vulnerability is presented below:
Interim Measure
Apple suggests using Always-on VPN as a remedy, though this feature isn’t viable for users employing third-party VPN applications.
Until an Apple update fixes this bug, ProtonVPN suggests toggling Airplane Mode on and off after connecting to the VPN, to manually close previous connections. This approach may not be foolproof, but it is worth trying.
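One way to check for the behaviour described above, as an added example that is not from ProtonVPN or the original article: given packets captured on the local network the device uses, flag connections that were opened before the VPN came up and keep sending outside the tunnel afterwards. The addresses, timestamps and the `Packet` and `find_leaks` names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Packet:
    ts: float   # seconds since the capture started
    src: str
    sport: int
    dst: str
    dport: int


def find_leaks(packets, device_ip, vpn_server_ip, vpn_up_ts):
    """Map each pre-VPN flow still sending outside the tunnel to seconds exposed."""
    device, server = ip_address(device_ip), ip_address(vpn_server_ip)
    opened_before, last_seen = set(), {}
    for p in sorted(packets, key=lambda p: p.ts):
        # Ignore inbound packets and tunnel traffic addressed to the VPN server.
        if ip_address(p.src) != device or ip_address(p.dst) == server:
            continue
        flow = (p.sport, p.dst, p.dport)
        if p.ts < vpn_up_ts:
            opened_before.add(flow)
        elif flow in opened_before:
            last_seen[flow] = p.ts  # same socket still talking outside the tunnel
    return {flow: ts - vpn_up_ts for flow, ts in last_seen.items()}


# Constructed sample capture (documentation address ranges, not real hosts).
DEVICE, VPN_SERVER, VPN_UP = "192.0.2.10", "198.51.100.7", 10.0
SAMPLE = [
    Packet(0.0, DEVICE, 50001, "203.0.113.50", 443),    # long-lived connection
    Packet(5.0, DEVICE, 50002, "203.0.113.80", 443),    # short-lived connection
    Packet(10.5, DEVICE, 51000, VPN_SERVER, 443),       # tunnel traffic
    Packet(12.0, DEVICE, 50002, "203.0.113.80", 443),   # closes soon after
    Packet(30.0, "203.0.113.50", 443, DEVICE, 50001),   # inbound reply
    Packet(190.0, DEVICE, 50001, "203.0.113.50", 443),  # still outside the tunnel
    Packet(200.0, DEVICE, 51000, VPN_SERVER, 443),
]

if __name__ == "__main__":
    for flow, secs in find_leaks(SAMPLE, DEVICE, VPN_SERVER, VPN_UP).items():
        print(f"{flow} sent outside the tunnel for {secs:.0f}s after VPN up")
```

Running the same check on a capture taken after toggling Airplane Mode shows whether any pre-VPN flows survived the workaround.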