Yet another critical VPN-related bug found in iOS 16

Image Credit: Shutterstock (Image credit: Shutterstock)

It was sometime in May when a security expert first revealed that iPhone VPN apps were leaking users' data, claiming that Apple wasn't doing anything to fix it.

Now, only a few months later, another major issue has been found when using VPN software on iOS. In this instance, some of people's most sensitive information is in real danger.

Another expert has recently discovered that many Apple apps, including Health and Wallet, send users' private data outside an active VPN tunnel.

Apple apps bypass VPN encryption

"We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. Worse, it leaks DNS requests," developer and security researcher Tommy Mysk tweeted on October 12.

Theoretically, when you connect to a secure VPN, your data is encrypted and passed through one of its international servers before it reaches it destination. This means that neither your ISP, nor any other third party should be able to access this flow of information. Similarly, the websites you visit won't be able to define your real IP address or any other identifying details.

> VPNs on iOS are "broken" and Apple doesn't seem to be doing anything to fix it

> Discover what is Apple Private Relay and if it's worse than a VPN

> Our pick of the best Mac VPN apps around right now

Mysk ran a few tests on iOS 16 with both Proton VPN and Wireshark active. To his dismay, he and his team found out that many Apple apps actually ignore the VPN tunnel and exchange data directly with Apple servers.

What's worse, the applications leaking data are actually those managing the most private and sensitive information. These are Health, Wallet, Apple Store, Clips, Files, Find My, Maps and Settings.

Talking about the reasons behind this bug, Myks seems to believe that Apple does so intentionally.

"There are services on the iPhone that require frequent contact with Apple servers, such as Find My and Push Notifications. However, I don’t see an issue of tunneling this traffic in the VPN connection. The traffic is encrypted anyways,” he told 9to5Mac, adding that they didn't expect such an amount of traffic to be exposed.

Not just iOS VPN

As Mysk confirms during his testing, iPhone and iPad users are not the only ones risking their privacy.

"I know what you're asking yourself and the answer is YES. Android communicates with Google services outside an active VPN connection, even with the options Always-on and Block Connections without VPN," he said.

Just a few days ago we reported on Mullvad VPN's findings that Android devices are quietly undermining VPN services during its last security audit.

Here, Android VPNs expose users' data while performing connectivity checks when accessing some Wi-Fi networks.

The VPN provider pledged Google to add an option to opt out for these checks when the VPN is active, but the big tech giant believes there's no need for this. This is why Mullvad is now pushing for at least changing the "misleading" description of its VPN-related features.

TOPICS

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life – wherever cybersecurity, markets, and politics tangle up. She writes news, interviews, and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar and TechRadar Pro. Got a story, tip-off, or something tech-interesting to say? Reach out to chiara.castro@futurenet.com