VPNs on iOS are leaking user data due to an issue that was first disclosed to Apple privately about 2 years ago, a researcher has claimed. As per the issue, the unpatched security vulnerability does not let an iOS handset fully route all network traffic through VPN apps as it is expected to be and some data leaves the device outside of the VPN tunnel. This flaw was first disclosed to Apple by ProtonVPN in 2020, however, the researcher has said that the Cupertino-based company hasn’t plugged the vulnerability yet.

Researcher Michael Horowitz claimed in a blog post that VPN apps on iOS appear to work fine at first i.e., “the iOS device gets a new public IP address and new DNS servers” like the way it should. The data is sent to the VPN server but the researcher says that a detailed inspection of data leaving the iOS device shows that the VPN tunnel leaks. “Data leaves the iOS device outside of the VPN tunnel. This is not a classic/legacy DNS leak, it is a data leak,” Horowitz added.

A VPN is used to encrypt traffic. Once enabled, it will give the device a new IP address, DNS servers, and a tunnel for new traffic by closing existing Internet connections as well as re-establishing them through the VPN tunnel. However, the bug in iOS restricts the operating system from hiding all existing Internet connections and/or “leaking” data outside the VPN tunnel bringing some major security concerns.

In order to better understand, consider a movie-like scenario in which you are driving a red car and anyone can track you by following you on a helicopter. When you enter a tunnel, the helicopter cannot see you from above and you come outside driving a white car which serves as a cloak for your identity. But if there is a flaw in that cloak that gives away the information, it could allow the trackers to identify it is you. Apple has yet to issue a response on the issue, and we’ve reached out for comment.

The researcher also claims that he confirmed this data leak using multiple types of VPN and software from multiple VPN providers. He tested it on the latest version of iOS (iOS 15.6). The issue was first publicly reported by ProtonVPN in 2020 and at that time iPhone models were running iOS v13. As per a report, Apple has not yet fully fixed the problem and has provided a solution to this.

Ars Technica cited Proton founder and CEO Andy Yen as saying, “The fact that this is still an issue is disappointing to say the least. We first notified Apple privately of this issue two years ago. Apple declined to fix the issue, which is why we disclosed the vulnerability to protect the public. Millions of people’s security is in Apple’s hands, they are the only ones who can fix the issue, but given the lack of action for the past two years, we are not very optimistic Apple will do the right thing.”