A bug in Apple’s recent iOS releases, including the latest iOS 13.4 version, prevents VPN applications from encrypting all traffic. The vulnerability was discovered by a member of the Proton community in iOS 13.3.1, and though Apple is aware of the issue, it has yet to release a patch.
Affected versions of iOS fail to close existing internet connections when a user connects to a VPN. Typically, when a VPN connection is opened, the device’s operating system should close all existing internet connections and reestablish them through the VPN tunnel. Apparently, this process is not occurring in recent versions of iOS.
“Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel,” Proton explained.
“One prominent example is Apple’s push notification service, which maintains a long-running connection between the device and Apple’s servers. But the problem could impact any app or service, such as instant messaging applications or web beacons,” the team added.
The long-lasting connections could potentially expose a user’s data, or reveal their true IP address rather than that of the VPN server.
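One way to check for the behaviour described above, as an added example that is not code from Proton or Apple: given outbound packets recorded upstream of the device, it lists connections that were opened before the VPN connected and kept sending traffic outside the tunnel. The capture format, the function name and all addresses and ports (documentation-range values) are assumptions made for illustration.

```python
import csv
from io import StringIO

# Constructed sample: outbound packets from one device, recorded upstream
# (for example on the Wi-Fi router). Columns: epoch seconds, source IP,
# source port, destination IP, destination port, protocol.
SAMPLE_CAPTURE = """\
50,192.0.2.10,49999,198.51.100.30,80,tcp
100,192.0.2.10,50001,198.51.100.7,5223,tcp
130,192.0.2.10,50002,198.51.100.20,443,tcp
200,192.0.2.10,51000,203.0.113.5,1194,udp
205,192.0.2.10,50002,198.51.100.20,443,tcp
900,192.0.2.10,50001,198.51.100.7,5223,tcp
4000,192.0.2.10,50001,198.51.100.7,5223,tcp
4001,192.0.2.10,51000,203.0.113.5,1194,udp
"""

def find_surviving_flows(capture_text, device_ip, vpn_server_ip, vpn_up_time):
    """List flows opened before the tunnel came up that still send packets
    outside it afterwards, longest exposure first."""
    seen = {}  # flow 5-tuple -> [first timestamp, last timestamp]
    for row in csv.reader(StringIO(capture_text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        ts, flow = float(row[0]), tuple(row[1:])
        if row[1] != device_ip or row[3] == vpn_server_ip:
            continue  # other hosts, or traffic that is inside the tunnel
        span = seen.setdefault(flow, [ts, ts])
        span[0], span[1] = min(span[0], ts), max(span[1], ts)

    findings = []
    for (_, _, dst_ip, dst_port, proto), (first, last) in seen.items():
        # Opened before the VPN connected and still active afterwards.
        if first < vpn_up_time < last:
            findings.append({
                "remote": f"{dst_ip}:{dst_port}/{proto}",
                "exposed_seconds": last - vpn_up_time,
            })
    return sorted(findings, key=lambda f: f["exposed_seconds"], reverse=True)

if __name__ == "__main__":
    for f in find_surviving_flows(SAMPLE_CAPTURE, "192.0.2.10", "203.0.113.5", 200):
        print(f"{f['remote']} stayed outside the tunnel for {f['exposed_seconds']:.0f}s")
```

In the constructed sample the connection that closed before the VPN came up is not reported, the short-lived one is exposed for a few seconds, and the long-running one remains outside the tunnel for over an hour.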
Proton says that neither ProtonVPN nor any other VPN service can provide a workaround for this issue, as iOS does not allow a VPN app to kill existing network connections.
Until the patch is available, Apple recommends using Always-on VPN to mitigate this issue.